Student Notebook - Security Intelligence Fundamentals PDF
Student Notebook
Security Intelligence Fundamentals
Course code BQ600 ERC 1.0
IBM Training
Month Year of publication edition
NOTICES
This information was developed for products and services offered in the USA.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM
representative for information on the products and services currently available in your area. Any reference to an IBM product, program,
or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent
product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this
document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local
law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of
express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an
endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those
websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other
claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those
products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible,
the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to
the names and addresses used by an actual business enterprise is entirely coincidental.
TRADEMARKS
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems
Incorporated in the United States, and/or other countries.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used
under license therefrom.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and
Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
IT Infrastructure Library is a Registered Trade Mark of AXELOS Limited.
ITIL is a Registered Trade Mark of AXELOS Limited.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and
other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries,
or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Compliance management versus IT security compliance management (1-47)
Compliance versus Control (1-48)
The IT security landscape in 2015 - Threat and fraud landscape (1-49)
Threat and fraud landscape and evolution (1-50)
Attackers break through conventional safeguards every day (1-52)
Where trade magazines tout advanced threats, the vast majority are not (1-54)
The importance of early detection and rapid response (1-55)
The importance of early detection and rapid response (1-56)
Why IT security (1-57)
Security leaders are more accountable than ever before (1-58)
Lesson 3 Business and IT drivers that influence security in an organization (1-59)
Definitions (1-60)
Business drivers that influence security (1-61)
Business drivers that influence security (2 of 4) (1-62)
Business drivers that influence security (3 of 4) (1-63)
Business drivers that influence security (4 of 4) (1-64)
IT drivers that influence security (1-65)
IT drivers that influence security (2 of 4) (1-66)
IT drivers that influence security (3 of 4) (1-67)
IT drivers that influence security (4 of 4) (1-68)
Let us summarize (1-69)
Lesson 4 Security Intelligence is at the center of a comprehensive security portfolio (1-70)
Security Intelligence at the center of a comprehensive security portfolio (1-71)
IT Security Governance for PCI-DSS regulation and the role of Security Intelligence (1-73)
IT Security Governance for PCI-DSS regulation and the role of IBM Security Solutions (1-74)
Unit summary (1-75)
IBM Security QRadar SIEM (2-25)
IBM Security QRadar Vulnerability Manager (2-26)
IBM Security QRadar Risk Manager (2-27)
IBM Security QRadar Incident Forensics (2-28)
IBM Security QRadar Incident Forensics (continued) (2-29)
From NetFlow to QFlow to QRadar Incident Forensics (2-30)
QRadar Embedded intelligence offers automated offense identification (2-31)
Embedded intelligence of QRadar directs focus for investigations (2-33)
Benefits of IBM Security Intelligence approach (2-34)
Lesson 3 IT security governance and compliance (2-35)
Security leaders are more accountable than ever before (2-36)
Example: IT Security Governance for PCI-DSS regulation and the role of IBM Security Solutions (2-37)
Reporting in QRadar (2-38)
Reports tab (2-39)
Lesson 4 Security Intelligence and enterprise security architecture (2-40)
What is an architecture? (2-41)
What is an architecture? (continued) (2-42)
Following an enterprise security architecture with Security Intelligence design in mind (2-44)
O-ESA Security Governance (2-45)
O-ESA Security Technical Architecture (2-46)
O-ESA Security Operations (2-47)
Working together with the CISO’s office when designing the Security Intelligence solution (2-48)
Working together with the CISO’s office when designing the Security Intelligence solution (continued) (2-49)
Unit summary (2-50)
IT security policy for logging (2 of 2) (3-20)
Create a baseline security policy for logging using Common Criteria (3-21)
Determine the network information flow and forensics policy (3-23)
Dashboards, views, and reports (3-24)
Data collection (3-25)
Technical vulnerability management (3-26)
Vulnerability management information (3-27)
Asset configuration management (3-28)
Lesson 3 Document detailed use cases and requirements (3-29)
Document detailed use cases and requirements (3-29)
Documentation of detailed use cases (3-30)
Documentation of functional requirements (3-32)
Documentation of functional requirements (2 of 2) (3-33)
Documentation of non-functional requirements (3-34)
Documentation of non-functional requirements (2 of 2) (3-35)
Document detailed use case and requirements (3-36)
Storage (3-37)
Retention time (3-39)
Reports (3-40)
Logging example: Using Common Criteria guidelines for AIX 5L logging (3-41)
Logging example: Mapping the controls (3-43)
Logging example: Gather platform audit subsystem configuration details (3-44)
Logging example: Platform specific audit guides (3-45)
Network information flow collection (3-46)
Vulnerability Information (3-48)
Other integrations (3-49)
Security Intelligence Design (Macro & Micro) – Activity Details (3-50)
Exercise introduction (3-51)
Unit summary (3-52)
Flow Collector architecture (4-18)
Application detection (4-19)
Superflows (4-20)
Flows per minute (FPM) burst handling (4-21)
Architecture overview (4-22)
Event Collector architecture (4-23)
Autodiscovery of Log Sources (4-24)
Log Source parsing uses QID mapping (4-25)
Events per second (EPS) burst handling (4-26)
Architecture overview (4-27)
Event Processor architecture (4-28)
Custom Rules Engine (CRE) (4-29)
Accumulator (4-30)
Architecture overview (4-31)
Console architecture (4-32)
Offense management by the Magistrate (4-33)
Offense management by the Magistrate (2 of 2) (4-34)
Offense types (4-35)
Anomaly Detection Engine rule types (4-36)
New asset and service detection by Vulnerability Information Server (4-37)
Lesson 3 External threat intelligence feeds (4-38)
IBM Security X-Force Threat Intelligence (4-39)
The value of the IBM X-Force research and development team (4-40)
X-Force Threat Intelligence - vulnerability coverage use cases (4-41)
Lesson 4 Real-world large-scale attack (4-42)
How quickly can you … (4-43)
About Target Corporation (4-44)
The situation (4-45)
Phases of the intrusion kill chain (4-46)
Kill chain timeline (4-47)
First trigger – already compromised (4-48)
More alerts – no linkage (4-49)
DOJ notification – 40 million records gone (4-50)
Continued breaches undetected (4-51)
Missed opportunities (4-52)
Potential improvements (4-53)
Unit summary (4-54)
Security Intelligence is a fairly new discipline for organizations of all sizes that has evolved from
traditional log management and security information and event management solutions. Embracing
this new approach will help reduce risk and improve threat protection, prevention, and remediation.
This 2-day course focuses on the current IT and security landscape as well as the business and IT
drivers behind a holistic IT security approach, which is a prerequisite to successfully thwart
malicious attacks and the misuse of valuable enterprise assets.
Students learn what is important to a board of executives in organizations today. They will realize
the impacts of weak IT security, and how to mitigate exposures by utilizing a properly designed and
integrated Security Intelligence solution.
The following topics are among those included in this course:
• Current IT and security landscape
• Business and IT drivers for executives that will influence an organization’s IT Security Architecture
• Principles of designing and deploying a centralized and well integrated Security Intelligence solution
• Security Intelligence component architecture based on IBM Security QRadar
• A real-world large-scale breach investigation
Details
Delivery method: Classroom
Course level: ERC 1.0
This course is a new course.
Duration: 2 days
Skill level: Basic
Course objectives
After completing this course, you should be able to perform the following tasks:
• Identify enterprise business and IT drivers that influence the overall IT Security Architecture
• Define the role of a centralized Security Intelligence solution and how it integrates with other IT enterprise security components
• Explain how a Security Intelligence solution can be used to investigate and stop advanced threats and address IT governance and regulatory compliance
Audience
This course is designed for academic faculty and their students to gain an overview of today’s IT
security challenges and how to utilize a properly designed Security Intelligence solution at its center
to protect the valuable assets of an organization.
Prerequisites
Before taking this course, make sure that you have a thorough understanding of the basic security
fundamentals as introduced in the Security Foundation Course material that is available through
the Cyber Security Specialist portal:
http://www.ibm.biz/meauniversity
Agenda
• Day 1
Unit 1: The status quo of IT security
Unit 2: Security Intelligence and Operations
• Day 2
Unit 3: Designing a Security Intelligence solution
Unit 4: Security Intelligence functional components
Course description
The course contains the following units:
1. The status quo of IT security
In this unit we describe the current technology trends and the IT security landscape generally found in 2015 so that the student can gain a broad understanding of where potential attackers want to launch their intrusion attempts.
We explain business and IT drivers that influence security-related business decisions from a C-level perspective, because security is no longer an afterthought but one of the major influencing factors when it comes to IT decisions in every organization.
We close this unit by introducing a comprehensive security solution portfolio to address the holistic IT security requirements in an organization, including every aspect that needs to be taken into consideration. We use one particular business driver example (PCI-DSS compliance) to clarify the importance of integration when it comes to IT security.
Unit objectives
• Describe/define technology trends and IT security landscape in 2015
• List business and IT drivers that influence security-related business decisions
• Define a comprehensive security solution portfolio to address the holistic IT security requirements in an organization
Lesson 1 Technology trends in 2015
Technology trend: Innovation introduces new vulnerabilities and avenues of attack
Slide: adopting new business models and embracing new technologies (Mobility, Social business) alongside an exponentially growing and interconnected digital universe and data: 1 billion mobile Internet users, 1 trillion connected objects (IoT: cars, appliances, cameras), 30 percent growth of 3G/4G devices.
Every board of directors wants their organization to reap the benefits of new technology to improve
business results.
Participating in social media and connecting with customers, employees, and business partners
can improve communication effectiveness and open new channels of innovative interactions.
Collecting large amounts of data can help with business analytics, and storing and processing this
data in cloud based or virtualized IT environments can drastically reduce costs and improve
responsiveness to fluctuating demands.
Allowing every employee, customer, and business partner to interact with the organization’s IT
solutions from everywhere and with every device, including devices not owned by the organization,
will increase productivity and satisfaction for all involved parties.
But let’s put ourselves into the shoes of a CISO. The world is getting more complicated with all the
variety of devices that are available. Technology gets more and more sophisticated and innovation
constantly creates amazing new things … but all of this also introduces new vulnerabilities and
potential avenues of attack for malicious players.
Let us take a close look at Mobility and BYOD, Social Business, Big Data, as well as Cloud and
virtualization.
BYOD
Slide: Mobile provides a better experience; Mobile changes the way people work; Mobile creates risk for company data; BYOD offers freedom of device choice with an increase of risk.
Let’s talk about the state of mobile and Bring-Your-Own-Device (BYOD) in today’s organizations.
Mobility is now a strategic part of just about every business strategy. It’s viewed as a way to
transform workflows and business processes in a very dramatic way:
• Mobile is about providing better experiences and new ways to serve customers
• Mobile is about changing how people work and where they work and how they collaborate
• At the same time, mobile introduces new risks to protecting sensitive company data
• While BYOD allows users the freedom of choice for their device, it also adds significant risks
Mobile brings on new complexities and challenges to manage. It truly connects everyone to
everything and provides certain expectations.
• Mobile is very personal and gets mixed with individual work lives (especially when combined
with BYOD).
• Mobile by its very nature is outside of your physical network perimeter and your control.
• Mobile moves fast and the pace of change is very rapid.
What are the major security identifiers behind mobility and BYOD?
Today, big data comes from many sources. Data sources have become much more diverse and
exceed our traditional transactional and application data sources. Machine Data can come from a
variety of sensors, networks, or other observational sources, constantly being added to the data
pool. Our Social Data stream, highly unstructured and from a broad variety of platforms and
applications, adds a constant data flow, and non-traditional enterprise content adds more data to
the unstructured high volume. On top of all that we have entered the era of Cognitive Computing
where dynamic learning of unstructured data adds more content at a pace that we have not yet
seen.
In order to capitalize on new business opportunities in relation to Big Data you need to look beyond
the traditional data sources and embrace all available data and apply proper data and business
analytics to it.
What are the major security identifiers behind Big Data?
Technology trend: Every industry can leverage Big Data and analytics
Slide: table of sample Big Data and analytics use cases by industry (columns include Banking, Insurance, Telco, Energy and utilities, Media and entertainment). Use cases listed: actionable customer insight; customer analytics and loyalty marketing; shelf availability; civilian services; measure and act on population health outcomes; promotional spend optimization; defense and intelligence; merchandise optimization; predictive maintenance analytics; tax and treasury services; merchandising compliance; engage consumers in their healthcare; dynamic pricing; advanced condition monitoring; operational surveillance, analysis and optimization; uniform information access platform; customer and channel analytics; increase visibility into drug safety and effectiveness; data warehouse optimization; data warehouse consolidation, integration and augmentation.
This slide with sample use cases of big data can provide research topics for your students.
Let each student pick an industry sample and explain the major security identifiers for this use case.
For example:
• What data needs to be encrypted at rest and in transit?
• For which data sources do you need encryption key lifecycle management? On what devices is
that data stored?
• Which access control logs and analytics do you need to collect? For which data sources?
Which user groups do you need to monitor?
• What can be a proper data classification scheme?
• How is the data being used? (in applications, in communication (email, social media channels),
on mobile devices)
• What about data privacy?
• Which data needs to be backed up, and what is the strategy behind it? (local, remote, high
availability, disaster recovery)
Slide: 100+ IBM offerings across IaaS, PaaS and SaaS (online website services, business infrastructure, app development, development applications), delivered on public cloud and private cloud.
Welcome to the new world of IT, where organizations are rapidly accumulating a diverse portfolio of
cloud services. As cloud adoption rises, companies have more and more interconnected
resources, more applications, data, and services residing on different types of platforms. For
example, some infrastructure runs in public clouds, while some applications and data are located
on private clouds.
There are multiple reasons for this massive adoption: transforming costs, scalability, improving the
responsiveness of IT, and speeding delivery of new products and services. Those are the great benefits
of cloud delivery models.
This is very exciting overall, but for security professionals this can be somewhat overwhelming. The
picture here is somewhat simplified, because cloud adoption is usually not as simple as just signing
up for a new service like Dropbox, or SalesForce.com. We actually see most large organizations
move to hybrid cloud environments. They are using traditional IT components and connect those to
private and public clouds. They use a wide range of public cloud services usually from multiple
vendors.
One of our large e-commerce clients runs their operational ERP (Enterprise Resource Planning)
system on their own in-house IT environment; they store sensitive data here. They have also set up
a mobile app hosted in a public cloud for clients to access their e-commerce site. Their marketing
team leverages analytics on yet another service that is outside their own environment running on a
public cloud as well so they can understand buyer behavior. At the same time, their in-house
development leverages a self-service private cloud for IT operations helping to develop and deploy
new applications in-house.
Technology trend: Cloud presents the opportunity to radically transform security practices
Cloud security is not only achievable, it is an opportunity to drive the business, improve defenses and reduce risk
Technology trend - Cloud presents the opportunity to radically transform security practices
Today’s cloud services deployments are really not that much different from any other outsourcing
project that organizations have undertaken in the past 20 years. You need to evaluate every player
that participates in the project and establish who brings what to the table when it comes to security.
What are the major security identifiers behind Cloud Computing?
• Workloads on cloud environments can be protected in the same way as they are on traditional
environments
• Security solutions and services can be deployed in cloud environments
• Monitor sensitive data access in cloud repositories
• Create centralized auditing for data sources deployed on cloud virtual images
• Virtual machine layer (hypervisor) security has to be added to the secured asset list
More than 388 million people view more than 12.7 billion blog pages each month
There are 500 million tweets daily – that’s 5,700 per second
Our online social lives are prolific. The explosion of social media has created enormous volumes of
data. Every day, we create 2.5 quintillion bytes of data. From social media site conversations to
blogs, images and photos, video clips, user comments or user reviews on sites like
Amazon or TripAdvisor, and comments in forums or chat rooms – or even from your own website
– there are an extremely large number of social media content sources.
This is all unstructured data – information that doesn’t have a pre-defined data model or isn’t
organized in a pre-defined way. It is typically text-heavy but may have dates, numbers and facts
buried in the details. This data is difficult to work with and understand. It’s a “Big Data” challenge.
More and more organizations use social media to communicate with their workforce, their clients,
as well as their contractors and suppliers. Individuals access social media channels from all their
devices (company owned or BYOD technology) at any time of the day.
50% of users check it daily; number of users worldwide: 1.1B
Number of tweets: 5,700 per second, 500M a day; 143,199 per second is the record, set on Aug 2, 2013
• https://blog.twitter.com/2013/new-tweets-per-second-record-and-how
Simplifying complexity requires collaboration (customers, suppliers, employees, investors)
• Amplify the corporate message and gain mindshare and awareness by interacting with individuals
over digital channels
• Provide a seamless experience for your customers including information about products and
services, contact to sales partners, and easy follow-up on ordering or service contracts
• Enrich employee experience by allowing use of BYOD and staying connected professionally and
personally 24x7
• Collect valuable feedback and input on a social base from customers and business partners for
greater business insights and improved decision making
The business ecosystem of today thrives on relationships – customers, suppliers, investors and
employees. Business processes can play a key role in managing these relationships, allowing
businesses to integrate better – not as an end in itself but as a part of a strategy that can lead to
sustained competitive advantage.
• Educate your users (employees, business partners, customers) about potential dangers on
social media (watering holes, social profiling)
• Track social media related traffic inside your premises and devices and scan for malicious
activities or malware
Technology trend: Risk and threat management is not isolated to security incidents and attacks
• Mobile in the enterprise: organizations will support corporate apps on personal devices by 2014 (6)
• 40% of Fortune 500 and popular web sites contain a vulnerability (2)
• 71% of the average IT budget is dedicated to ongoing operations (4)
• 74% of enterprises use social media today to communicate with clients (7)
• Innovation in the cloud: 60% of chief information officers view cloud computing as critical to their plans (5)
• Exploding data growth: 2.7 ZB of digital content in 2012, a 50% increase from 2011 (3)
• Aging infrastructure: 71% of data centers are over 7 years old (1)
Technology trend - Risk and threat management is not isolated to security incidents and attacks
Keeping this kind of slide updated will help students better understand that IT
security is not purely a technical discussion in an organization, but is constrained by
budgets, business priorities, lack of skilled talent, and other factors that no C-level officer can ignore
in a real-world decision making process.
For your information: 1,000 terabytes = 1 petabyte; 1 million terabytes = 1 Exabyte; 1 billion
terabytes = 1 zettabyte ;-)
Sources:
1. The Essential CIO: Insights from the Global Chief Information Officer Study, May 2011
2. IBM X-Force Mid-year 2011 Trend and Risk Report, September 2011
3. IDC, “IDC Predictions 2012: Competing for 2020” by Frank Gens, December 2011, IDC #231720, Volume 1
4. Based on IBM Research
5. McKinsey, How IT is managing new demands, 2011
6. Gartner predicts that by 2014, “90% of organizations will support corporate applications on personal devices.”
7. Forrsights Business Decision-Makers Survey, Q4 2011
Attack types (slide): XSS, Heartbleed, Physical access, Brute force, Misconfig., Watering hole, Phishing, SQLi, DDoS, Malware, Undisclosed
For more research, visit the IBM X-Force Interactive Security Incidents site
Organized criminals, hacktivists, governments and adversaries are compelled by financial gain,
politics and notoriety to attack your most valuable assets. Their operations are well-funded and
business-like ‒ attackers patiently evaluate targets based on potential effort and reward. Their
methods are extremely targeted ‒ they use social media and other entry points to track down
people with access, take advantage of trust, and exploit them as vulnerabilities. Meanwhile,
negligent employees inadvertently put the business at risk via human error. Even worse, security
investments of the past can fail to protect against these new classes of attacks. The result is more
severe security breaches more often.
Note: The size of the circle indicates the estimated relative impact
In the past three years, the amount of data records and variety of attacks have expanded to epic
levels.
• 2012: Near Daily Leaks of Sensitive Data
40% increase in reported data breaches and incidents
• 2013: Relentless Use of Multiple Methods
800,000,000+ records leaked, while the future shows no sign of change
• 2014: “Insane” Amounts of Records Breached
42% of CISOs claim the risk from external threats increased dramatically from prior years.
Students can visit the interactive Security Incident chart and investigate individual incidents.
Research the attacked organization and the individual attack vector and discuss how that particular
incident could have been avoided or mitigated.
http://www.ibm.com/security/xforce/xfisi/
https://www.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov33510&S_TACT=C327017W&dynform=18101_
The X-Force mission
• Monitor and evaluate the rapidly changing threat landscape
• Research publications: download the latest (and past) documents and reports here: http://www.ibm.com/security/xforce/downloads.html
The IBM X-Force security professionals monitor and analyze security issues from a variety of
sources, including its database of more than 88,000 computer security vulnerabilities, its global web
crawler with over 25B cataloged web pages and URLs, international spam collectors, and millions
of malware samples collected daily.
The X-Force produces many thought leadership assets including the IBM X-Force Threat
Intelligence Quarterly report to help customers, fellow researchers and the public at large better
understand the latest security risks, and stay ahead of emerging threats. In addition to the quarterly
report, regular blogs are posted from SecurityIntelligence.com, as well as webinars and research
papers based on insights from our Managed Security Services business.
IBM X-Force Exchange is a cloud-based threat intelligence sharing platform enabling users to
rapidly research the latest global security threats, aggregate actionable intelligence and collaborate
with peers. IBM X-Force Exchange is supported by human- and machine-generated intelligence
leveraging the scale of IBM X-Force. To visit the platform and learn more, use the links below.
• Use the platform at xforce.ibmcloud.com
http://xforce.ibmcloud.com/
• Download the IBM X-Force Exchange datasheet
http://www.ibm.com/common/ssi/cgi-bin/ssialias?subtype=SP&infotype=PM&htmlfid=WGD03055USEN&attachment=WGD03055USEN.PDF
• Attend the webinar "(Security) Ignorance isn’t Bliss: 5 Ways to Advance Security Decisions with
Threat Intelligence"
http://securityintelligence.com/events/security-ignorance-isnt-bliss-5-ways-advance-security-decisions-threat-intelligence/#.VR2TjGOsN8E
• See how IBM X-Force Exchange can enable collaborative threat intelligence (YouTube,
00:02:37)
https://www.youtube.com/watch?v=d81MY8KIde4
IBM operates one of the broadest enterprise security research, development and delivery
organizations in the world. This powerful combination of expertise is made up of the award-winning
IBM X-Force research and development team, which maintains one of the largest vulnerability databases in
the industry, and includes the following sites:
• Atlanta, US
• Boulder US
• Brussels, BE
• Hortolandia, BR
• Wroclaw, PL
• Brisbane, AU
• Tokyo, JP
• Bangalore, IN
• San Jose, CR
(12) Security Research Centers:
• Almaden, US
• Atlanta, US
• TJ Watson, US
• Ottawa, CA
• Bangalore, IN
• Tokyo, JP
• Wroclaw, PL
• Haifa, IL
• Herzliya, IL
• Zurich, CH
• Nairobi, KE
• New Delhi, IN
• Atlanta, US
• Bangalore, IN
• Costa Mesa, US
• Austin, US
• Detroit, US
• Raleigh, US
• Waltham, US
• Fredericton, CA
• Belfast, N IR
• Delft, NL
• Pune, IN
• Taipei, TW
• Singapore, SG
• Perth, AU
• Gold Coast, AU
44% of security leaders expect a major cloud provider to suffer a significant security breach in the future
33% of organizations do not test their mobile apps
Source: November 2014, “Security for the Cloud and on the Cloud”, Security Intelligence.com
New technologies introduce new risks. In fact, businesses are adopting cloud and mobile
technologies at unprecedented rates. This influx of new innovation, technologies, and end-points
pushes more and more business transactions outside company walls and completely transforms
enterprise security as we know it. As the traditional network perimeter around the data center
permanently dissolves, it is more difficult to defend company data from the increasing gaps in
security, and to verify that users accessing data are protected.
According to an article from SecurityIntelligence.com, 44% of security leaders expect a major cloud
provider to suffer a significant security breach in the future.
Source: November 2014, “Security for the Cloud and on the Cloud”, Security Intelligence.com
http://securityintelligence.com/security-for-the-cloud-and-on-the-cloud/
And according to a Ponemon study, 33% of organizations don’t even test their mobile apps!
Source: The State of Mobile Application Insecurity, 2014 Ponemon Institute Study
http://securityintelligence.com/mobile-insecurity/#.VbqirPlVhBc
Without dynamic protection, an organization may spend more time recovering from attacks than it
does preventing them. And those who do not prepare for change are leaving their companies
dangerously exposed.
Until recently, organizations have responded to security concerns by deploying a new tool to
address each new risk. We’ve observed one company that was using 85 tools from 45 different software
vendors! Now they have to install, configure, manage, patch, upgrade, and pay for dozens of
non-integrated solutions with limited views of the landscape. Costly and complex, these
fragmented security capabilities do not provide the visibility and coordination needed to stop today’s
sophisticated attacks.
Moreover, the skills and expertise needed to keep up with a constant stream of new threats are not
always available. In fact, 83% of enterprises report having difficulty finding the security skills they
need (2012 ESG Research).
As new risks emerge, the environment will grow more complex and the skills gap will grow even
wider.
Lesson 2 IT security landscape in 2015
Every case of intentional use invites malicious actors who will try to gain access to systems and
data illegally. Utilizing IT resources for any purpose always introduces risks to the intended use
and poses threats to the participating assets and actors.
• Threats and fraud
Malicious actors pose threats to your IT operations in order to fraudulently access and retrieve
information (secrets, PII, monetary assets, and such). These threats use many different attack
vectors (network, application, physical, social) and are constantly evolving.
The IT Security landscape in 2015 - Internet services and the vanishing network perimeter
Internet services
• Marketplace / eCommerce
eBay, Amazon, Craigslist, and so on
Apple, Lenovo, Sony, Samsung, or any other direct brand connections
Ubiquitous inline advertising, information push to mobile devices
Expected to be available 24x7x365
• Financial services
Retail banks: BBVA, Nedbank, Bank Aljazira, and so on
Investment banks: J.P. Morgan, Deutsche Bank, Citigroup Inc., and so on
Internet “founded” banks such as PayPal
“Untraceable” forms of payments such as BitCoin
• Healthcare services
Connect with doctors, hospitals, and insurances to exchange information
Immediate access to records for authorized personnel
• Government services
Passports, driver’s licenses, vehicle registration, and ever-growing service portfolios
Makes it easier for every citizen to utilize these services whenever and wherever they are
Internet services
Today, Internet services are ubiquitous … they are expected to just “be there” … 365 days a year,
24 hours a day. We easily get aggravated when we have to wait more than a few minutes for a
service to respond, a shopping cart to update, or a set of data to download.
Example: Tax returns are accepted online and can be completed within days compared to
weeks (in paper form).
Example: Vehicle registration renewal takes less than 10 minutes without leaving your home or
having to stand in line.
Example: Reporting a damaged public installation (a fence in the park) using the mobile
community app can be submitted by a citizen including a picture and GPS coordinates.
Internet services
• Insurance services
Online/mobile submission of claims
Flexible, location-specific policies
• Communication and social media
Skype, Twitter, QQmobile, WeChat, WhatsApp … a “jungle” of communication apps
Facebook, LinkedIn, Instagram, and many other personal data display platforms
People advertise their own weaknesses, personal connections, and whereabouts
What “seems to look” real “must be” real? Do not trust
• Data and information transport, storage or gathering
WeTransfer, DropBox, Google, NSA, and so on
Look for 360 degree encryption (on your device … in transit … on their device)
• Virtual identity
Are you really who you say you are?
No authoritative source for authentication
Lately we’re seeing more one-time-password (OTP) and second factor (for example, biometric) authentication
• Remote control facilities and “Internet of Things”
SCADA networks, industrial control systems
Thermostats, washing machines, home security systems, light switches, cooking devices, cars, and so on
The status quo of IT security © Copyright IBM Corporation 2015
Internet services
When participating in any online transaction, people rely on the “virtual identity” of their
transaction partners. This includes:
• Digital certificates from servers that are involved in any transaction (do we trust these server
certificates?)
• Spoofed Internet addresses (or slight differences in well-known addresses, for example: GOOD
“www.amazon.co.uk” … BAD “www.amazon.co.uk.net”)
• User ID and password are no longer good enough for high-risk transactions (although they may still
be accepted when you order a pizza online)
• Banks, insurers, governments, and such are using more stringent methods like
second-factor authentication or one-time passwords.
• Biometric authentication is becoming more common, too.
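The spoofed-address point above is easy to get wrong in software as well as by eye: a substring test treats “www.amazon.co.uk.net” as trusted because the trusted name appears inside it. The following added example (not from the IBM course material) contrasts that naive check with a label-by-label comparison against a constructed allowlist of registered domains; the allowlist and sample hostnames are assumptions for illustration.

```python
"""Added example (not from the IBM course material): checking whether a hostname
really belongs to a trusted registered domain, using the course's own
example of www.amazon.co.uk versus www.amazon.co.uk.net.

A naive substring test ("amazon.co.uk" in host) accepts the lookalike because
the trusted name appears inside it. The check below compares whole DNS labels
from the right, so only true subdomains of the trusted domain pass. The
trusted-domain list and the sample hostnames are constructed for this example.
"""
from typing import Dict, Iterable

# Constructed allowlist of registered domains the organization trusts.
TRUSTED_DOMAINS = ("amazon.co.uk", "example-bank.com")


def _normalize(host: str) -> str:
    """Lower-case the name and strip scheme, userinfo, port, path and trailing dot.

    Accepts either a bare hostname or a URL-like string such as
    'https://www.amazon.co.uk:443/cart'.
    """
    host = host.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0]          # drop any path
    host = host.split("@")[-1]            # drop userinfo (user:pass@host)
    if host.startswith("["):              # bracketed IPv6 literal: never a domain match
        return host
    host = host.split(":", 1)[0]          # drop port
    return host.rstrip(".")


def naive_is_trusted(host: str, trusted: Iterable[str] = TRUSTED_DOMAINS) -> bool:
    """The flawed substring check, kept only to show the failure mode."""
    host = _normalize(host)
    return any(t in host for t in trusted)


def is_trusted_host(host: str, trusted: Iterable[str] = TRUSTED_DOMAINS) -> bool:
    """Return True only if host is the trusted domain or a true subdomain of it.

    Labels are compared from the right, so 'www.amazon.co.uk' matches
    'amazon.co.uk', while 'www.amazon.co.uk.net', 'notamazon.co.uk' and
    'amazon.co.uk.lookalike.example' do not.
    """
    labels = _normalize(host).split(".")
    if not all(labels):                   # an empty label means a malformed name
        return False
    for t in trusted:
        t_labels = t.lower().split(".")
        if len(labels) >= len(t_labels) and labels[-len(t_labels):] == t_labels:
            return True
    return False


def classify(hosts: Iterable[str]) -> Dict[str, str]:
    """Map each hostname to 'trusted' or 'untrusted' using the label-wise check."""
    return {h: ("trusted" if is_trusted_host(h) else "untrusted") for h in hosts}


if __name__ == "__main__":
    # Constructed sample of hostnames a user might encounter.
    samples = [
        "www.amazon.co.uk",
        "www.amazon.co.uk.net",
        "amazon.co.uk.lookalike.example",
        "https://www.amazon.co.uk:443/cart",
        "notamazon.co.uk",
    ]
    for h in samples:
        print(f"{h:40} naive={naive_is_trusted(h)!s:5} labelwise={is_trusted_host(h)}")
```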
Besides regular Internet services we are seeing more and more connectivity appear in the
“Internet-of-Things” (IOT). We have to closely monitor:
• … how these devices are connected into our existing network infrastructure.
• … if and how these devices can be connected to individual personas.
• … how data traffic with these devices is being handled (encrypted/clear).
• … how these devices can be remotely controlled, for example, turn off the air condition in your
home, disable the brakes of an Internet enabled vehicle, and such.
Industrial control systems (ICS) are another form of service that may not be openly accessible to
the public via the Internet; however, many large industrial complexes utilize Internet
connections for many control-related capabilities. Accessing ICS installations with malicious intent
has become a serious threat in recent times, disabling cooling systems in nuclear power plants,
re-routing power grid distribution, altering chemical composition mixtures in oil refineries, etc.
Because most of these services are intended to be accessible by a wide public audience, there are
many avenues for malicious attacks in many forms.
It is important to understand that everyone, good or bad, who wants to interact with these
services has to use a “network infrastructure” of some sort to get to the services.
Green Zone infrastructure (slide)
• Mainframe centered IT
• Physical network model
• Directly connected terminals (3270 terminals) to mainframe
• Batch mode
How do all these Internet services relate to the networking infrastructure principles?
Well, it all started in the “glass-house”, where organizations first implemented centralized IT
infrastructures around a mainframe computer. The purely physical network had terminals hard
wired to the mainframe. If you wanted to access data on the mainframe, you had to use one of
these terminals in batch mode to either enter or retrieve data.
Access was controlled with IDs and passwords as well as physically, where administrative terminals
were only accessible on locked premises.
Green Zone (slide): Client / Server computing
• Physical network model
• Directly connected workstations to mainframe and servers (application servers, database servers)
• Highly interactive
• Employees shielded in separate network zone
• Concept of router and firewall
• Actors shown: employees, administrator, contractors
With the introduction of the client/server computing model we first saw a distribution of workloads
between so-called servers and client workstations for user interactions.
Clients were still hard wired into a local physical network attaching them to centralized and
decentralized servers of all sorts and sizes. The first firewall concepts were introduced that were able to
segregate network traffic. In the early stages of commercially used TCP/IP networks, different
network segments were connected through routers, and traffic flows were controlled through more
sophisticated firewalls. Employees were shielded from highly sensitive data in their own separate
network zones.
Organizations that had to establish remote network connections were using leased lines, which
represented private networks that were not accessible by anybody else from the outside. This way
banks built private networks with their branch offices, retail stores connected remote cash registers
with centralized computing systems, and so on.
The next phase introduced the use of public network services (the Internet) for network
connectivity. This ubiquitous network technology very quickly began to replace most of the more proprietary
network protocols, and TCP/IP with all its capabilities and flaws started to take
over.
At this time networks were still relying on physical connections. Central and remote networks began
to utilize public network infrastructures to exchange information, and the need for encryption (data
at rest and data in transfer) was becoming more important.
Application models (service oriented architectures) now allowed flexible components to be
distributed between application servers and even client-based execution. Identity and access
management solutions for user-related access control became more and more widespread.
Looking at today’s network infrastructure we have added wireless connectivity of computer systems
and all sorts of mobile and “smart” devices that are capable of running a diverse mixture of
applications using one or many identities.
This new network infrastructure opens millions of new capabilities for businesses and governments
to deliver services of all kinds.
Put yourselves into the position of managing and controlling access to your organization’s IT
resources while empowering as many users as possible AND at the same time securing your
assets appropriately.
At this time you have to realize that the device ultimately becomes the network perimeter.
Closely examine these security paradigms and define a strategy to understand and implement
them.
The fact that the IT networks can be used by anyone with access to a computer requires proper
regulation for individuals, organizations, and the Internet as a whole.
IT-GRC capabilities
IT-GRC is a subset of GRC programs focused on implementing technical, administrative, and security controls; these controls are in place to satisfy various laws, regulations, and/or obligations.
Administrative Controls require a formal and structured IT GRC management approach to ensure that they remain relevant and consistently address the security needs of the organization.
Technical Controls should be guided by a decision process that includes regulations, business needs, and an assessment of risks.
Security Controls are safeguards or countermeasures to avoid, counteract or minimize security risks; to help review or design security controls, these controls can be classified by several criteria.
Sidebar: Best Practices (ISO 27002, CoBIT, COSO, ITIL); Regulations (HIPAA, GLBA, FISMA, SOX, NERC); Industry (PCI, NIST)
IT Governance
IT Risk Management
Security risk exists when the following conditions are met
IT Risk Management
IT Risk Management covers activities that are related to overseeing and driving the security risk
posture of the enterprise IT environment. IT Risk Management can be divided into the following
disciplines:
• Risk Identification
Risk Identification refers to the ability to discover, recognize, and verify the existence of specific
risks. It also encompasses the structuring of risk by mapping it into clearly defined classification
schemes that can be specific to the industry or even to the risk taxonomy of an individual
organization.
• Risk Analysis
Risk Analysis refers to activities that are related to the categorization, qualification, or
quantification of the likelihood and impact of risks. It also covers the investigation of
connections, dependencies, and correlations among various risks.
• Risk Controlling
Risk Controlling covers the determination of activities that can be used to address risks. The
valid activities can range from risk acceptance over different approaches of risk mitigation to
risk transfer. Risk Controlling also includes the determination of costs for such activities and the
identification of potential risk and risk mitigation owners and actors. Another important part of
Risk Controlling is tracking the status of identified and agreed risk mitigation activities until their
closure.
• Risk Reporting
Similar to Compliance Reporting, Risk Reporting refers to the ability to summarize analyzed risk
data and other risk-relevant information and to provide different levels of detail about the
security risk posture to different parts of the organization as input for further analysis and
processing.
IT Compliance Management
• When an organization operates in accordance with expectations, the process is called
compliance management
• For the area of IT security, the expectations are formalized as requirements in the IT security
policies and can include the following items:
– Requirements from the individual mission statement of an organization, such as ethical behavior or
business conduct guidelines
– Requirements that are derived from external laws and regulations
IT Compliance Management
IT Compliance Management covers activities that are related to overseeing and driving the security
compliance state of the IT environment. IT Compliance Management can be divided into the
following disciplines:
• Compliance Monitoring
Compliance Monitoring refers to the observation of the environment to identify gaps between
the actual operations, the internal policies and standards, and the requirements as they derive
from external industry regulations, laws, and orders.
• Compliance Auditing
Compliance Auditing refers to the ability to match event sources and their event streams to
compliance reporting requirements for IT security and produce reports that are based on those
event streams, either periodically or on demand as part of an audit. Managing the association
between the event sources reports and the compliance reporting requirement is a key capability
of this component. Also, compliance requirements often impose record retention requirements
on audit data, which might be different from the retention requirements for the event streams in
the IT environment in general. From an IT operations perspective, the event streams are more
short lived, while data that supports compliance audits might have a life span of multiple years.
• Compliance Controlling
Compliance Controlling stands for the continuous work that is contributed by IT security
compliance experts throughout the various parts of an organization, focusing mostly on two key
activities:
– Compliance support
– Compliance tracking
Compliance support refers to providing advice and guidance to users who are not necessarily
compliance experts, but whose activities are subject to compliance. For example, compliance
experts work with a business unit to help them prepare for an upcoming audit or to help during
an audit. Similar to an attorney in court, a compliance expert can help an audited
business unit with the preparation of paperwork that is requested by the auditors or in the
preparation of audit interview partners for their meeting with the auditors.
The other aspect of Compliance Controlling is compliance tracking, which covers the structured
documentation of follow-up activities after an audit and the progress of these activities until
closure. The activities are either determined by the auditor directly or are derived by an analysis
of audit results as those actions, which must be implemented to mitigate identified compliance
and security issues.
Compliance Controlling is a continuous process (before, during, and after the audit) and, hence,
requires substantial ongoing efforts of a well-functioning compliance regime in an organization.
• Compliance Reporting
Compliance Reporting refers to the ability to summarize analyzed event data and other
security-relevant information for the specific use of demonstrating compliance. Most often,
reporting is used to assess regulatory compliance or compliance with security service level
agreements and overall compliance performance of the IT environment. From an internal
security perspective, Compliance Reporting is most commonly used to demonstrate control
over security policies and to identify trends in security compliance.
Such proof can be achieved by continually and consistently collecting log information to
document and report on who accessed important IT resources, and when those accesses
occurred.
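The Compliance Auditing and Compliance Reporting descriptions above come together in the following added example (not from the IBM course material): audit events are parsed from constructed log lines, each event source is associated with the compliance requirements it reports to, audit data is kept for the longer retention those requirements impose rather than the short operational retention, and a “who accessed what, and when” report is produced per requirement. The log format, source names, requirement tags and retention periods are constructed assumptions.

```python
"""Added example (not from the IBM course material): mapping audit event
sources to compliance reporting requirements, applying the longer retention
that compliance audit data needs, and producing the "who accessed which
important resource, and when" report described in the course text.

The log format, event sources and retention periods are constructed for this
example; the labels PCI, HIPAA and SOX are used only as tags and do not encode
those regulations' real retention rules.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed access records: timestamp, source system, user, action, resource, result.
SAMPLE_LOG = """\
2015-03-02T08:15:07Z cardholder-db alice READ cust_cards ALLOW
2015-03-02T08:16:41Z cardholder-db bob WRITE cust_cards DENY
2015-03-02T09:02:13Z hr-portal carol READ payroll ALLOW
2015-03-02T09:05:55Z build-server dave EXEC nightly_build ALLOW
2015-03-02T11:47:30Z cardholder-db alice EXPORT cust_cards ALLOW
"""

# Constructed association between event sources and the compliance reporting
# requirements they feed, with the retention each requirement imposes on audit data.
REQUIREMENTS: Dict[str, Dict[str, timedelta]] = {
    "cardholder-db": {"PCI": timedelta(days=365)},
    "hr-portal": {"HIPAA": timedelta(days=6 * 365), "SOX": timedelta(days=7 * 365)},
}
OPERATIONAL_RETENTION = timedelta(days=90)   # the short-lived operational event stream

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, source, user, action, resource, result = parts
        events.append({
            "time": datetime.strptime(ts, TS_FORMAT),
            "source": source, "user": user, "action": action,
            "resource": resource, "result": result,
        })
    return events


def retention_for(event: dict) -> timedelta:
    """Audit data is kept for the longest period any applicable requirement
    imposes, and never for less than the operational default."""
    reqs = REQUIREMENTS.get(event["source"], {})
    return max([OPERATIONAL_RETENTION, *reqs.values()])


def access_report(events: List[dict]) -> Dict[str, List[str]]:
    """Per compliance requirement, list who accessed which regulated resource and when.

    Only events from sources tied to a requirement are in scope; denied attempts
    are reported as well, because a reviewer wants to see them.
    """
    report: Dict[str, List[str]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        for req in REQUIREMENTS.get(e["source"], {}):
            report[req].append(
                f"{e['time'].isoformat()} {e['user']} {e['action']} {e['resource']} ({e['result']})"
            )
    return dict(report)


def purge_candidates(events: List[dict], now_iso: str) -> List[dict]:
    """Events whose retention period has elapsed at the given time and may be deleted."""
    now = datetime.strptime(now_iso, TS_FORMAT)
    return [e for e in events if now - e["time"] > retention_for(e)]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for req, lines in access_report(evs).items():
        print(req)
        for entry in lines:
            print("  ", entry)
    # Six months later only the operational build event is past its retention.
    print("purgeable on 2015-09-01:",
          [e["resource"] for e in purge_candidates(evs, "2015-09-01T00:00:00Z")])
```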
In the early 2000s, the industry observed basic threats such as worms and viruses. Attackers were
relatively unsophisticated and unorganized.
Over time, threats evolved to include spyware and rootkits. They became harder to find and detect.
Their objective was to conceal themselves deep in a target system and carry out stealth attacks
that evaded detection and maintained privileged access for future compromise. This new class of
attacks gave rise to a heightened focus on perimeter security with Intrusion Prevention Systems
(IPS) and Intrusion Detection Systems (IDS).
Now, advanced persistent threats and cyberwarfare are serious menaces to security. Entire nation
states are involved in these types of threats. It’s not just enterprises being impacted but entire
governments. The threats are backed by well-funded, organized groups with specific goals in mind
and sophisticated tools to launch targeted attacks. Stuxnet is a good example of this new class of
threat trending in the security landscape. These attacks leverage the same exploit patterns as in
the past, but combine them across multiple attack vectors in a sustained lifecycle. Organizations
added reputation-based defenses and sandboxing to defend against this formidable threat.
Looking forward, we will feel the impact of the “Any-to-Any” challenge. That is, any user on any
device, increasingly using any type of network connection, with any application, and on any cloud.
Many of these connections and interactions are happening simultaneously, leading to blended
business and personal applications on the same platform.
Mobility and cloud are profoundly expanding the attack surface. As the number of connections
increases and the volume of information being processed over the network grows, we are in a time
when global, cloud-based intelligence and real-time analytics are increasingly critical to our network
defense.
_____________________________________________
Uempty
Attack types (chart): XSS, Heartbleed, Physical access, Brute force, Misconfig., Watering hole,
Phishing, SQLi, DDoS, Malware, Undisclosed
For more research visit the IBM X-Force Interactive Security Incidents site
Organized criminals, hacktivists, governments and adversaries are compelled by financial gain,
politics and notoriety to attack your most valuable assets. Their operations are well-funded and
business-like ‒ attackers patiently evaluate targets based on potential effort and reward. Their
methods are extremely targeted ‒ they use social media and other entry points to track down
people with access, take advantage of trust, and exploit them as vulnerabilities. Meanwhile,
negligent employees inadvertently put the business at risk via human error. Even worse, security
investments of the past can fail to protect against these new classes of attacks. The result is more
severe security breaches more often.
Note: The size of the circle indicates the estimated relative impact.
In the past three years, the number of leaked data records and the variety of attacks have expanded
to epic levels.
• 2012: Near Daily Leaks of Sensitive Data
40% increase in reported data breaches and incidents
• 2013: Relentless Use of Multiple Methods
800,000,000+ records leaked, while the future shows no sign of change
• 2014: “Insane” Amounts of Records Breached
42% of CISOs claim the risk from external threats increased dramatically from prior years.
https://www.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov33510&S_TACT=C327017W&dynform=18101_
Where trade magazines tout advanced threats, the vast majority are not
Threat Type: Advanced Persistent Threat / Mercenary (foreign intelligence agencies, national
governments, organized crime groups, industrial spies, terrorist cells)
% of Incidents: equals less than 10 percent
Threat Profile: sophisticated tradecraft; well-financed and often acting for profit; target
technology as well as information; target and exploit valuable data; establish covert presence on
sensitive networks; difficult to detect; increasing in prevalence
(Chart axes: Inexperienced-to-higher-order skills; Potential Impact)
This chart shows that the majority of threats that a typical organization will encounter are not the
so-called APTs, but rather much more minor disturbances. Although these disturbances have much
less impact than a targeted APT they must be dealt with to avoid or reduce potential exposure and
data loss.
This large number of lower-impact threats can distract from the sophisticated APTs that have the
potential to cause enormous damage.
In many cases you will find a very high volume of malicious activity based on low-impact threats
masking a highly sophisticated exploit that exfiltrates the more valuable assets at the same time,
which makes it very hard for the security operations team in an organization to detect the advanced
threat in time.
This chart documents the terrible reality that most organizations face today.
The upper two horizontal lines in this chart represent the activities of the bad guys. The chart shows
that it usually takes an attacker between seconds, minutes, and hours to initially compromise their
targets, and about the same amount of time to begin their data exfiltration after the compromise has
been successful.
On the mitigation side it takes the security operations group between days, weeks, and even
months to discover that there has been a compromise in their IT environment.
After the discovery it typically takes them another set of days, weeks, or months to contain and
remediate the situation.
Source:
http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf?CMP=DMC-SMB_Z_ZZ_ZZ_Z_TV_N_Z038
The ultimate goal of a real-time Security Intelligence solution is to move the lower frame as far left
as possible. This means that the moment an attacker penetrates our perimeter with any kind of
malware the IT security operations group will know about it.
There are other IT security disciplines that can help organizations move the upper frame to the right
by making it harder for the attackers to a) gain a foothold in your organization, and b) exfiltrate data
after they managed an initial compromise. Those security disciplines can include, but are not
limited to, database encryption, masking, and activity monitoring as well as privileged identity and
access management.
Why IT security
• Sony estimates potential $1B long term impact – $171M / 100 customers*
• HSBC data breach discloses 24K private banking customers
• Epsilon breach impacts 100 national brands
• TJX estimates $150M class action settlement in release of credit / debit card info
• Lulzsec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony …
• Zurich Insurance PLc fined £2.275M ($3.8M) for the loss and exposure of 46K customer records
Sources
• Sony breach
http://www.search.sony.net/result/net/search.x?ie=utf8&site=&pid=ACsW7rd0W_Zt_QIz-sORfA..&qid=rOX1wPP0JvM.&q=security+breach&msk=1#5
• HSBC breach
http://news.bbc.co.uk/2/hi/business/8562381.stm
• Epsilon breach
http://www.securityweek.com/massive-breach-epsilon-compromises-customer-lists-major-brands
• TJX breach
TJX Companies, Inc. press release, 8/14/2007
http://www.businesswire.com/news/tjx/20070814005701/en
• Lulzsec breach
http://www.reuters.com/article/2011/08/01/us-britain-hacking-lulzsec-idUSTRE7702IL20110801
• Zurich Insurance breach
(Financial Services Authority of Britain)
http://www.fsa.gov.uk/pubs/final/zurich_plc.pdf
We know security has long been a top priority for CISOs and CIOs. Increasingly sophisticated and
costly advanced attacks, along with deteriorating security perimeters have raised the issue to the
view of CEOs and Boards. The adoption of cloud, mobile and big data technologies has increased
the potential attack surface. These trends combine to create an acute, growing need for
comprehensive, integrated security solutions.
Source: IBM C-Suite Study; 13,000 C-Suite executives were included in the IBM study.
According to IDC’s 2015 Study, “The State of the ‘C’ in CISO Study”, 42% of CISOs were, in fact,
reporting to their company's board of directors on a quarterly basis. This level of interaction
provides the open lines of communication necessary to ensure that an organization understands its
security capabilities and value delivered at the highest level.
Source: 2015 IDC Survey, “The State of the ‘C’ in CISO Study”
Lesson 3 Business and IT drivers that influence security in an organization
Definitions
• Business drivers
These drivers represent a relationship between the IT organization and the rest of the business;
they refer to business needs that must be supported by the IT security infrastructure; they
measure value, risk, and economic costs that influence an organization’s approach to IT security
Value drivers determine the worth of assets of the system to the business and of the business
itself
Risk drivers involve compliance, corporate structure, corporate image, and the risk tolerance of
the company
Economic drivers determine productivity impact, competitive advantage, and system cost
• IT drivers
These drivers represent operational constraints in the general IT environment; for example, the
complexity of a system, including its environment, that is exposed to internal and external threats
presents risks that the organization must address
The IT drivers represent technical considerations that can affect the trustworthiness of the IT
environment and the managed business systems as a whole
IT drivers are universal and must be considered within the context of the business drivers in all
efforts
The combination of business and IT drivers represents the key initiatives for security management
• Asset value
From a business perspective, the asset value is directly related to the value of the business transactions that it
supports
Asset value can mean many different things for different organizations, including tangible and intangible assets
such as physical merchandise, research documents, or other intellectual capital, personal and private data,
people, and so on
• External threats
Security-related failures and incidents are caused by threats that are found outside the physical and logical
boundaries of the organization that operates and controls the IT system
These threats are also associated with technology or people; they seek to either penetrate the logical or
physical boundary, or to influence business or management processes from outside the logical or physical
boundary
One example of an external threat is a computer virus or worm that penetrates the physical or logical network
boundary; another example is an attacker, or someone who gained the ability to act as an insider, using
personal electronic credentials or identifying information
An example of security exposure for service delivery occurs when IT operational processes cannot respond to
critical events in a timely manner; another example would be IT resilience processes that cannot recover from
a denial-of-service attack in a timely manner, resulting in a loss of capacity or response time for business
processes
An example of security exposure for service support is a situation in which the customer relationship processes
do not add, modify, or remove users from access control lists in a timely manner
For example, any IT environment that is connected to the intranet or extranet is exposed to internal or
external threats or threat agents and requires specific security responses
A stand-alone facility represents the lowest complexity
A hosting facility with other systems and other firms represents a more complex environment
An environment with a larger number of systems, varied network access paths, or a complex architecture
increases the complexity of an IT environment
• IT vulnerabilities
IT systems can contain vulnerabilities that are caused by many factors; they can occur because of
misconfiguration of a system itself, or because of software defects
Many vulnerabilities can go undetected for long periods of time; they can lead to so-called zero-day
attacks when they are discovered and rapidly exploited
Usually, it is this discovery or disclosure that leads to the actual exploitation, which results in the actual
threat and risk to an organization; exploitation might also be because a function was used within a
system in an unintended way that compromises the system or underlying data
Let us summarize
• We understand the major technology drivers
Mobile, BYOD, Big Data, Cloud, Social
• We observed the increasing number and intensity of attack vectors
Backed and researched by the IBM X-Force
• We examined the IT Security landscape in 2015 by looking into the following aspects
The variety of Internet services and the vanishing network perimeter
Various regulations, governance, privacy, and risk management aspects
The threat and fraud landscape
The reasons why IT Security has become an executive discussion
• We investigated business and IT drivers that influence IT Security in an organization
Lesson 4 Security Intelligence is at the center of a comprehensive security portfolio
Intelligence is the new defense -- it helps prevent threats faster and make more informed
decisions.
IBM Security helps clients gain valuable intelligence through a common and intuitive view that
combines deep analytics with real-time security intelligence.
Integration is the new foundation -- it puts security in context and automates protection.
IBM Security helps clients create an integrated security foundation through unifying existing tools
and infrastructures with new forms of defense in order to reduce complexity and lower the cost of
maintaining a strong security posture.
Expertise is the new focus -- it is essential to leverage global knowledge and experience to stay
ahead.
IBM Security helps clients achieve expertise through a more proactive and trusted source of truth
in order to stay ahead of emerging threats and risks.
Every organization needs a comprehensive enterprise security portfolio customized to their needs.
It needs to detect new threats, deploy security innovations and reduce the cost and complexity of IT
security.
In the next unit we will take a close look into the capabilities of such an IT Security portfolio.
Let us finalize the first unit with a real world example of what it means to holistically address the IT
Security requirements for PCI-DSS.
(Slide: the 12 PCI DSS requirements, among them Firewall to Protect Cardholder Data, Use and
Update Anti-Virus Software, and Restrict Physical Access)
IT Security Governance for PCI-DSS regulation and the role of Security Intelligence
The individual sections display the 12 high level PCI DSS requirements that every organization has
to address to claim compliance. The different IT Security disciplines listed in each of the categories
outline the broad spectrum of defenses that have to be in place.
(Slide: IT Security Governance for PCI-DSS regulation and the role of IBM Security Solutions. The
slide maps each of the 12 PCI DSS requirements (Firewall to Protect Cardholder Data; No Default
Passwords or Security Parameters; Protect Stored Cardholder Data; Encrypt Transmission; Use and
Update Anti-Virus Software; Secure Systems and Applications; Restrict Access; Unique IDs;
Restrict Physical Access; Monitor Access; Test Security Systems and Process; Security Policy for
Employees and Contractors) to IBM professional services, IBM software solutions, IBM managed
services, and IBM hardware, for example IBM Security QRadar, IBM Security BigFix (Endpoint
Manager), IBM OpenPages, IBM Security Guardium, IBM Security AppScan, IBM Security Identity
Manager, IBM Security Access Manager, IBM Security zSecure, IBM Security Key Lifecycle
Manager, IBM DataPower, and IBM Managed Security Services.)
IT Security Governance for PCI-DSS regulation and the role of IBM Security Solutions
Every organization struggles to implement and maintain many IT Security solutions from many
different vendors, mostly because of the complexity and differences in those solutions as well as
the required manpower and skill sets to handle all of these.
This supplemental slide tries to depict how an organization can potentially tackle most of the PCI
DSS requirements with IT Security solutions from IBM.
Unit summary
• Describe/define technology trends and IT security landscape in 2015
• List business and IT drivers that influence security-related business decisions
• Define a comprehensive security solution portfolio to address the holistic IT security requirements in
an organization
Unit objectives
• Illustrate the integration between Security Intelligence and other IT Security domains to identify
important source data used to populate the Security Intelligence solution
• Describe how Security Intelligence can help detect and stop advanced threats
• Describe how Security Intelligence can help address organizational and regulatory compliance
• Describe how a Security Intelligence solution can be integrated into an overall enterprise security
architecture
In this unit we describe how an organization can use a centralized Security Intelligence solution to
improve their overall security maturity by integrating capabilities from all security domains. We use
an example of a typical attack to demonstrate how important it is to consolidate data across many
security domains.
Next, we examine how a Security Intelligence solution can help mitigate advanced threats by using
different solution components that cover different phases from vulnerability management, risk
management, security information and event management, and incident forensics.
Finally, we explain how an organization can plan and design a Security Intelligence solution using
an existing enterprise security architecture method.
Lesson 1 Analyze source data that feeds the Security Intelligence solution
When planning your Security Intelligence operations you have to examine every aspect of the
holistic security portfolio or your enterprise security architecture and decide whether to collect
and include data from each of the security domains or not. Even if you decide not to include a
particular subset of data you have to properly document and explain your decision.
Addressing individual security domain solutions without integrating them into the bigger picture will
not get you past a basic security posture and can only reduce your overall risk profile slightly.
Let us examine the different maturity categories of an enterprise security program and how an
organization can improve its overall maturity.
Maturity quadrant (slide; horizontal axis Manual to Automated, vertical axis Reactive to Proactive):
• Basic: Organizations employ perimeter protection, which regulates access and feeds manual
reporting
• Proficient: Security is layered into the IT fabric and business operations
• Optimized: Organizations use predictive and automated security analytics to drive toward
security intelligence
This quadrant model depicts a path that every organization should go through in order to achieve
an optimized enterprise security program.
First, many organizations focus on what we term the Basic approach; they deploy perimeter
protection and feed manual reporting, very reactive in nature.
As these organizations develop more sophisticated postures on security they must become both
automated and proactive in their approach.
At the Proficient stage they implement a so called “security in depth” posture. Security is layered
into the IT fabric and business operations. All layers, network zones, IT systems, and applications
provide sophisticated security mechanisms and artifacts that can be deployed and configured in an
automated fashion. But still, they are divided in silos and managed separately.
Finally, with the deployment of predictive and automated security analytics, the organization can
move towards a highly optimized posture. Here, logs, flows, and events from the distributed
security mechanisms and artifacts are brought together. This collected data can now be augmented
with additional data about assets, vulnerabilities, and actual world-wide threat data to provide
centralized Security Intelligence.
In the next slide we depict how Security Intelligence can advance the maturity of the different
security domains.
(Slide: the Proficient level across the security domains Identity and Access Management, Data
Security, Application Security, Network, Mobile, and Endpoint Protection, and Fraud Protection; the
capabilities shown are user provisioning, access mgmt, strong authentication, access monitoring,
data loss prevention, source code scanning, application firewall, endpoint / network security
management, virtualization security, and asset mgmt)
In the Proficient state of maturity organizations begin to integrate solutions and teams by creating
and working with a documented enterprise security architecture. This architecture is based on a
proper risk assessment that has been conducted with all involved organizational business and IT
departments.
• The organization uses a partially automated user provisioning and access management
solution that is tied to the HR IT software to automatically feed new identities and remove the
ones who left the organization. Business application owners are responsible to administer the
proper accesses.
To control access to “high risk” or “high value” resources the organization deploys strong
authentication (biometric, two-factor, and so on) methods. The centralized identity and access
management solution is capable of collecting consolidated logs and create focused reports for
compliance.
• According to the organization’s asset classification (part of the risk profile and enterprise
security architecture document) access to data is being strictly monitored, especially for
privileged users. The data access management (DAM) solution carefully logs all accesses and
reports can be created at will to address data loss scenarios and compliance reporting. In
addition, the organization deploys data loss prevention (DLP) solutions.
• Application security is expanded into the development area where all source code is now
scanned for vulnerabilities before it is being released for production.
In addition, the organization deploys application firewalls (smart firewall appliances that are
able to scan the payload for specific web application patterns).
• The organization applies a centralized approach to endpoint and network security
management. All network events are consolidated on one console or multiple consoles that are
being managed by a single group.
A similar approach is implemented for endpoint management where a common endpoint policy
defines accepted standards and rules and endpoint management software enforces them. That
software also reports if endpoint devices are no longer policy compliant and either returns the
endpoints to a compliant state or denies access to the enterprise network. In addition,
virtualized environment security is being handled by a centralized group of experts.
The organization also implements mandatory asset management for all IT assets and begins to
log vulnerabilities, compliance state, location and configuration information.
In the Optimized state of maturity organizations begin to reap the benefits of Security Intelligence
because they deploy solutions that are able to collect, process, and correlate log and event data
from many disparate IT systems that do not immediately seem to be connected.
• Furthermore they use role based analytics when examining access log information to
understand if data has been accessed outside of usual behavior patterns. Together with identity
governance (the policy-based centralized orchestration of identity management and access
control) the organization can better support enterprise IT security and regulatory compliance.
A separate privileged user control management solution is put into place to help reduce misuse
of privileged IDs and lock down the ability for attackers to gain privileged identities altogether.
• Data governance and data flow analytics help follow the critical assets and locate them. This
is especially important if the data is accessed, decrypted, sent to external parties, and so on, by
users who don’t have a legitimate reason to do so, or if this happens in a way or at a time of day
that clearly indicates misuse.
• The complete application engineering process is conducted in a policy based secured fashion.
In addition to source code scanning and final application scanning the organization also reports
vulnerabilities of existing applications to the asset management system, which makes it
possible for the Security Intelligence solution to include those in its correlation processes.
Fraud detection on endpoints scans for the slightest deviations in behavioral patterns of
standard applications, for example, if an attacker sends a malicious PDF file that instructs
Acrobat Reader to perform mysterious tasks. The solution then blocks access for this
application and immediately sends those reports and logs into the Security Intelligence solution
for further investigation and forensic analysis.
• Advanced network monitoring includes layer 7 application traffic and the capture of complete
data packets if necessary to conduct large scale forensic investigations and data mining.
By bringing all these data sources together in a Security Intelligence solution and by combining this
enterprise owned forensic data with publicly available real-time threat research data an
organization can implement an optimized holistic security portfolio.
Here is a more detailed slide on what IBM can offer to solve these issues.
The key is the deployment of Security Intelligence with QRadar solutions as the driving factor to
reach the optimized state.
This information should be used for further research with students into extended capabilities of the
individual security domains and their integration aspects.
(Slide graphic labels: Designer Malware, Spear Phishing, Persistence, Backdoors)
• Increasingly sophisticated attack methods include social engineering, spear phishing, watering
holes, and so on
• Disappearing perimeters mean you cannot rely on network based protection alone
• Privileged access methods (stolen credentials) used in attacks require you to monitor your
valuable assets more closely
• Constantly changing infrastructure
• Too many security products from multiple vendors; costly to configure and manage; no
correlation of events; no centralized reporting or connection
• Often inadequate and ineffective tools
• Sophisticated attack methods can only be detected by combining events from infrastructure
(network, servers, endpoints), identity, applications, databases, and so on
• Struggling security teams
• Too much data from point products with limited manpower and skills to manage it all make it
almost impossible to realize an attack pattern
• Increasing compliance demands need to be managed and monitored
While keeping in mind that the strength of Security Intelligence is to combine and correlate many
security data sources we will investigate how the current threat landscape shapes our Security
Intelligence strategy. Try to keep in mind all the different security domains that are involved even in
narrow attack vectors.
• Escalating attacks
Despite reports that show the majority of network breaches are due to a lack of basic network
protection efforts, there is a growing base of sophisticated attackers pursuing targets of choice
in order to steal intellectual property, trade or national secrets, and you need the ability to detect
and defend against these bad guys.
• Increasing complexity
Few people would disagree that everything is just getting more complex as capabilities brought
about by the Internet invade all aspects of our corporate and personal lives. Almost nothing
exists in a vacuum anymore.
• Resource constraints
Considering resource constraints, the issue has transcended a lack of budget to also
incorporate a lack of skill. Even if you have the funding to add necessary staff, it doesn’t mean
you’re going to find any qualified applicants without conducting a broad-ranging search. And the
few well trained SMEs have a hard time to properly realize a complex attack pattern through
manual examination.
Some reminders
Threat Landscape:
• Vulnerabilities increasing by rate of 12 / day
• Automated exploit kits appear within weeks of new disclosures
• Persistent and stealthy attacks continuously search chosen targets for weaknesses
IT Infrastructure:
• Mobile device integration multiplies complexity of endpoints
• Evolving networking and connectivity standards
• Rapid growth of Web applications
• Compliance is not enough
• Routine tactics only appease auditors
• Protecting business assets requires continuous monitoring
• Complete spectrum of tools required to safeguard networks
These dynamics contribute to a whack-a-mole scenario where it’s impossible to totally secure the
network.
(Slide: Employee using corporate laptop at home … Employees bring their infected laptops in to
work the next day …)
Here is an example – a watering hole attack that took place in 2012 and was subsequently
analyzed by the IBM X-Force Research team.
Attack vectors
• Fraudulent malware download (maybe as part of a JPG, a PDF, or just by visiting a website that
downloads a malicious JavaScript) that is not detected by anti-virus software
• Spear Phishing – luring people to click on something “interesting”
• Network attack vectors – command and control malware uses “unusual ports” on the client’s
machine to communicate with remote control server
The next slides look at the timeline, the actual vulnerabilities that were involved, and the malicious
communication scheme.
(Slides: Hidden iFrame; Variant A / Variant B)
Example: After being infected, compromised hosts made contact with a remote
command and control server in China
• Infected machines attempt to communicate with one of two Chinese command and control (C&C)
servers, 58.64.155.57 and 58.64.155.59, on ports 53, 80, and 443
• If communications are successfully established, the C&C server gains complete, real-time control of
a system on the protected network
• The malware, a remote access Trojan, allows a remote attacker to access data, log system activity,
capture key logs, take screenshots, activate the system’s camera, and record from the system’s
microphone
• The remote attacker can also drop additional downloads and programs on the controlled machine,
and use it as a launching point for further attacks
Security Intelligence and Operations © Copyright IBM Corporation 2015
Example: If the attack is not detected fast enough, the infected machine
becomes the new launch point of deepening the penetration
• The infected machine “legitimately” distributes more malware inside the enterprise network to gain a
stronger foothold if detected
• The malware’s first goal is to obtain privileged user identities, which it then uses to gain access to
valuable assets inside the enterprise network
• Most attacks utilize ports and scans that are usually not executed from either the infected machines
or user IDs
• After valuable assets are found, they are slowly exfiltrated to not raise any suspicion
Control: public threat research feeds the recognized IP addresses and ports into a black list of
malicious hosts that can be incorporated into the organization’s Security Intelligence solution
The correlation of all these single events in almost real-time enables an organization to detect and
stop threats (hopefully) before they can be exploited and cause any damage.
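As an added example that is not part of the course material, the following Python script applies such a block list to constructed flow records and chains the hits per internal host into the attack-chain stages described in this lesson (latch-on, expand, exfiltrate). The two C&C addresses and ports are the ones named in the course example; the flow record format, the internal address range, the thresholds and the sample flows are assumptions.

```python
"""Added example, not from the IBM course: correlate flow records against a
threat-intelligence block list of C&C hosts and chain the hits per internal
host into attack-chain stages. Addresses/ports in CNC_BLOCKLIST come from the
course example; everything else (flow format, ranges, thresholds) is assumed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Block list as a threat-research feed would deliver it: host plus the ports
# the malware was observed using. Any contact with a listed host is a hit;
# the port set only tells the analyst whether the port was an expected one.
CNC_BLOCKLIST = {
    "58.64.155.57": {53, 80, 443},
    "58.64.155.59": {53, 80, 443},
}
INTERNAL = ip_network("10.0.0.0/8")   # assumption: the protected network
SCAN_MIN_TARGETS = 5                  # assumption: distinct internal targets
EXFIL_MIN_BYTES = 5_000_000           # assumption: bytes out to one external host


@dataclass
class Flow:
    ts: int          # constructed timestamp, seconds
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line of the form ts,src,dst,dport,bytes_out."""
    ts, src, dst, dport, nbytes = line.split(",")
    return Flow(int(ts), src, dst, int(dport), int(nbytes))


def cnc_hits(flows):
    """Stage 2, latch-on: every flow whose destination is a block-listed host."""
    return [f for f in flows if f.dst in CNC_BLOCKLIST]


def correlate(flows):
    """Return {internal host: [stages]} for hosts that contacted a C&C server.

    A C&C contact alone is an alert; a later fan-out to many internal hosts
    (stage 3, expand) or a large outbound transfer to one external host
    (stage 5, exfiltrate) from the same source raises the offense."""
    first_contact = {}
    for f in cnc_hits(flows):
        first_contact.setdefault(f.src, f.ts)
    findings = {}
    for host, t0 in first_contact.items():
        stages = ["latch-on"]
        later = [f for f in flows if f.src == host and f.ts >= t0]
        internal_targets = {f.dst for f in later if ip_address(f.dst) in INTERNAL}
        if len(internal_targets) >= SCAN_MIN_TARGETS:
            stages.append("expand")
        out_bytes = defaultdict(int)
        for f in later:
            if ip_address(f.dst) not in INTERNAL:
                out_bytes[f.dst] += f.bytes_out
        if any(b >= EXFIL_MIN_BYTES for b in out_bytes.values()):
            stages.append("exfiltrate")
        findings[host] = stages
    return findings


# Constructed sample flows: 10.0.1.20 beacons to a C&C host, sweeps five
# internal hosts, then pushes 6 MB to an external host; 10.0.1.30 browses
# normally and later touches the second C&C host on an unlisted port.
SAMPLE_FLOWS = """\
1000,10.0.1.20,58.64.155.57,443,812
1060,10.0.1.30,93.184.216.34,443,4200
1120,10.0.1.20,10.0.2.1,445,300
1121,10.0.1.20,10.0.2.2,445,300
1122,10.0.1.20,10.0.2.3,445,300
1123,10.0.1.20,10.0.2.4,445,300
1124,10.0.1.20,10.0.2.5,445,300
1500,10.0.1.20,203.0.113.9,443,6000000
1600,10.0.1.30,58.64.155.59,8080,500
""".splitlines()


def analyze(lines):
    """Parse constructed flow lines and return the correlated findings."""
    return correlate([parse_flow(line) for line in lines])


if __name__ == "__main__":
    for host, stages in analyze(SAMPLE_FLOWS).items():
        print(f"{host}: {', '.join(stages)}")
```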
(Slide: Optimized maturity: comparisons and anomaly detection across web page text, business
process data, email and social activity, customer transactions, and IP reputation covering attacker,
industry, and region)
The attack chain (slide):
1 Break-in
2 Latch-on
3 Expand
4 Gather
5 Exfiltrate
In the example on the previous slides we have learned about the typical “attack chain”.
And with all the knowledge about the different security domains we now understand that we have to
design a proper security solution that can help us prevent some of the break-ins, and quickly
detect the remaining ones to devise proper responses to mitigate the overall impact to our IT
operations.
In this course we focus on the Detect phase … so let us take a closer look at how we can best
detect and stop advanced threats.
Lesson 2 Detect and stop advanced threats
React in real-time to exploits
Correlate logs, events, network flows, identities, assets, vulnerabilities, configurations, and add
context
Use automated solutions to make data actionable by existing staff
So let us do a quick re-cap of what we have said so far. The cost of cyberattacks is increasing,
threats are escalating and becoming more complex, perimeter defenses are no longer sufficient,
and new techniques like flow analysis, anomaly detection, and vulnerability management are
needed. So we’ve defined the problem, and some capabilities that can help, but exactly what do we
do about it? What are the best practices that should be followed?
• The first best practice is proactive in nature. Identify, predict, and prioritize your security
weaknesses so you can take actions to prevent a breach. Use resources such as X-Force and
the US National Vulnerability Database (https://nvd.nist.gov/) to gather threat information,
address vulnerabilities, and risks based on priorities, add network context, and manage device
configurations to improve security (for example, remove ineffective firewall rules, add new rules
that are more effective).
• Use tools that can detect unusual behavior for follow-up. Deploy solutions that can find network
anomalies and provide visibility to network flows for the reasons mentioned earlier.
• Use Security Intelligence solutions that use integrations, automation, and context to provide a
complete view of what is happening in your network. Automation is key so that you can utilize
existing staff more efficiently, and reduce the large amount of collected data into a small number
of events that can be acted upon by existing personnel.
Security Intelligence
--noun
The real-time collection, normalization and
analytics of the data generated by users,
applications, and infrastructure that impacts
the IT security and risk posture of an
enterprise
Several years ago, we introduced the term Security Intelligence to describe the value
organizations can gain from their security data by treating and analyzing security information in
much the same way they do the outputs produced from other business functions, such as
marketing. The term has caught on!
We’re seeing this term being used more and more by customers, vendors, and industry experts -
but what’s interesting is how no one seems to be describing the same concept.
To avoid confusion, we are explicitly stating our own definition. So here it is:
Security Intelligence (SI) is the real-time collection, normalization, and analysis of the data
generated by users, applications and infrastructure that impacts the IT security and risk posture of
an enterprise.
The goal of Security Intelligence is to provide actionable and comprehensive insight that reduces
risk and operational effort for any organization, no matter what their size.
Data collected and warehoused by security intelligence solutions includes logs, events, network
flows, user identities and activities, asset profiles and locations, vulnerabilities, asset configurations
and external threat data.
Security Intelligence provides analytics to answer fundamental questions that cover the full
“before-during-and-after” timeline of risk and threat management.
Customer reference
Equifax, a large credit reporting agency, started working with Q1 shortly before it was bought by
I.B.M. With 572 million consumer records in its data centers, Equifax must stay at the leading edge
of security technology, said Tony Spinelli, its chief security officer. He said security was a
never-ending race to stay ahead of modern hackers, whom he called “artful and creative guys.”
The appeal of IBM’s strategy, Mr. Spinelli said, is that it focuses on “security intelligence.” The
traditional approach to security, he explained, has focused on “detection and reaction.” But today,
he added, the need is for automated tools that mine data flows to spot threats and issue alerts to
security professionals.
• Gain visibility over the organization’s security posture and identify security gaps
• Detect deviations from the norm that indicate early warnings of APTs
• Prioritize vulnerabilities to optimize remediation processes and close critical exposures before exploit
• Automatically detect threats with prioritized workflow to quickly analyze impact
• Gather full situational awareness through advanced security analytics
• Perform forensic investigation reducing time to find the root cause; use results to drive faster remediation
Securing today’s businesses requires a new approach. Companies need to gain insights across the
entire security event timeline.
Our IBM Security Intelligence solution helps customers react and respond to exploits as they occur
in a network. But we also provide much needed value to customers as they seek to predict and
prevent incidents in the first place through our solutions that help to model risk, evaluate
configurations and prioritize vulnerabilities.
To IBM, Security Intelligence can be characterized in two ways. First, we describe Security
Intelligence as the result of advanced analytics. It’s the wisdom gained from reviewing every
available bit of data and normalizing, correlating, indexing, and pivoting it to discover the dozen
things your team needs to investigate as soon as possible. Alternatively, we use Security
Intelligence to characterize the iterative process of eliminating false positive results by continuously
tuning the system analytics and rules to remove an increasing number of interesting but
non-threatening incidents.
Adding QRadar Risk Manager, QRadar Vulnerability Manager, and QRadar Incident Forensics
modules to the core SIEM engine improves accuracy and provides context throughout the entire
security event timeline – from detection and protection through investigation and remediation.
Working together, these solutions can help you both reduce exposures and recognize attacks as
early as possible. Think back to the best practices discussion we had a few minutes ago.
QRadar SIEM consolidates log source event data from thousands of devices, endpoints, and
applications distributed throughout a network. It performs immediate normalization and correlation
activities on raw data to distinguish real threats from false positives. As an option, this software
incorporates IBM Security X-Force Threat Intelligence which supplies a list of potentially malicious
IP addresses including malware hosts, spam sources and other threats. QRadar SIEM can also
correlate system vulnerabilities with event and network data, helping to prioritize security incidents.
QRadar Vulnerability Manager proactively discovers network device and application security
vulnerabilities, adds context and supports the prioritization of remediation and mitigation activities.
It is fully integrated with the QRadar Security Intelligence platform, and enriches the results of both
scheduled and dynamic vulnerability scans with network asset information, security configurations,
flow data, logs and threat intelligence to manage vulnerabilities and achieve compliance.
QRadar Vulnerability Manager helps you develop an optimized plan for addressing security
exposures. Unlike stand-alone tools, the solution integrates vulnerability information to help
security teams gain the visibility they need to work more efficiently and reduce costs. It is part of the
QRadar SIEM architecture. It can be quickly activated with a licensing key and requires no new
hardware or software appliances.
Slide: Network topology; Threat simulations
QRadar Risk Manager provides three key areas of value that build on top of the QRadar SIEM
value proposition:
• Network topology visualization and path analysis
• Network device optimization and configuration monitoring
• Improved compliance monitoring and reporting
A key area to emphasize is the ability of the product to risk-prioritize vulnerable machines based on
network reachability, and to provide detailed device configuration information that can be used to
quickly shut down network paths that attackers may use to exploit vulnerabilities. This matters because
many vulnerabilities either cannot be rapidly remediated due to change windows or technological
limitations, or have no remediation available at all (many vulnerabilities never get a patch). In either
case, the ability to rapidly pinpoint the precise firewall rule(s) that enable the attack path is key.
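The reachability-based prioritization described above, as an added example written for this notebook (it is not QRadar Risk Manager's topology engine): a first-match firewall ruleset is evaluated from a chosen attacker position to decide which vulnerable services are actually reachable, and each reachable finding is tagged with the rule that opens the path. The rule ids, addresses, ports and CVSS scores are all constructed for the example.

```python
"""Reachability-based vulnerability prioritization over a first-match firewall
ruleset. Added example for this notebook, not QRadar Risk Manager code; the
rules, assets and scores below are constructed."""
from ipaddress import ip_address, ip_network

# Constructed first-match ruleset (hypothetical rule ids). Order matters:
# the first rule whose src, dst and port all match decides the verdict.
FIREWALL_RULES = [
    {"id": "fw-10", "action": "deny",  "src": "0.0.0.0/0",    "dst": "10.20.0.0/16", "ports": {22, 3389}},
    {"id": "fw-20", "action": "allow", "src": "0.0.0.0/0",    "dst": "10.20.1.0/24", "ports": {80, 443}},
    {"id": "fw-30", "action": "allow", "src": "10.10.0.0/16", "dst": "10.20.0.0/16", "ports": None},  # any port
    {"id": "fw-40", "action": "deny",  "src": "0.0.0.0/0",    "dst": "0.0.0.0/0",    "ports": None},
]

# Constructed scanner output: vulnerable services with a CVSS base score.
VULNERABLE_SERVICES = [
    {"host": "10.20.1.15", "port": 443,  "cvss": 9.8, "title": "web-app RCE"},
    {"host": "10.20.1.15", "port": 22,   "cvss": 7.5, "title": "ssh weak cipher"},
    {"host": "10.20.5.8",  "port": 1433, "cvss": 9.0, "title": "db auth bypass"},
]


def first_match(rules, src_ip, dst_ip, port):
    """Return the first rule whose src/dst/port all match, or None if no rule matches."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if (s in ip_network(r["src"]) and d in ip_network(r["dst"])
                and (r["ports"] is None or port in r["ports"])):
            return r
    return None


def prioritize(vulns, rules, attacker_ip):
    """Rank vulnerabilities: reachable ones first, then by CVSS; each reachable
    entry names the rule that enables the path so it can be tightened."""
    ranked = []
    for v in vulns:
        r = first_match(rules, attacker_ip, v["host"], v["port"])
        reachable = r is not None and r["action"] == "allow"
        ranked.append({**v, "reachable": reachable,
                       "via_rule": r["id"] if reachable else None})
    return sorted(ranked, key=lambda x: (not x["reachable"], -x["cvss"]))


if __name__ == "__main__":
    # Internet attacker: only the web-app RCE on 443 is exposed (via fw-20).
    for entry in prioritize(VULNERABLE_SERVICES, FIREWALL_RULES, "198.51.100.7"):
        print("internet ", entry)
    # Compromised internal host as launch point: the database becomes reachable via fw-30.
    for entry in prioritize(VULNERABLE_SERVICES, FIREWALL_RULES, "10.10.3.4"):
        print("internal ", entry)
```

Running prioritize() a second time from an internal address (the "infected machine as new launch point" scenario from Lesson 1) shows the database host becoming reachable through fw-30, which is exactly the rule a responder would want to tighten while the patch waits for a change window.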
QRadar Incident Forensics allows you to retrace the step-by-step actions of a potential attacker,
and quickly and easily conduct an in-depth forensics investigation of suspected malicious network
security incidents. It reduces the time it takes security teams to investigate offense records, in many
cases from days to hours—or even minutes. It can also help you remediate a network security
breach and prevent it from happening again.
The solution offers an optional QRadar Packet Capture appliance to store and manage data used
by QRadar Incident Forensics if no other network packet capture (PCAP) device is deployed. Any
number of these appliances can be installed as a tap on a network or sub-network to collect the raw
packet data.
Slide: Incident Forensics, Log Management, and analysis of individual systems; packet capture at the Internet/intranet boundary. Competitive solutions are session oriented; some only capture a subset of each flow and index only the metadata, not the payload.
Slide: QRadar Security Intelligence data flow
Data sources: security devices; servers and mainframes; network and virtual activity; data activity; application activity; configuration information; vulnerabilities and threats; users and identities; global threat intelligence
Embedded intelligence: correlation (logs/events, flows, IP reputation, geographic location); activity baselining and anomaly detection (user activity, database activity, application activity, network activity); offense identification (credibility, severity, relevance); secure archive
Output: suspected incidents are reduced to true offenses
Harness security-relevant information from across the organization. Use real-time big data
analytics to provide context to help detect threats faster, identify vulnerabilities, prioritize risk, and
automate compliance activities.
For security threat management the key challenge is to reduce millions of logs to actionable
intelligence that identify key threats. Traditional first Gen SIEMs achieve this by leveraging
correlation – ‘five failed logins followed by a successful login’ for example – to identify suspected
security incidents. Event correlation is a very, very important tool, but it’s not enough.
There are two problems. First, consider a 100k to 1 reduction ratio of events to correlated incidents.
On the surface, this sounds impressive, but for companies generating 2 billion events per day (and
you don’t need to be a massive company to do that), it will leave that company’s security team with
20,000 incidents per day to investigate. Traditional SIM correlation can’t get the data reduced
enough and, of course, Log Managers can’t even get a 10,000 to 1 reduction ratio. Secondly, an
exclusive reliance on event correlation assumes that the criminals will not figure out ways to disable
or bypass logging infrastructure – but that’s practically their entire focus and you can’t correlate logs
that are not there. This limitation results in missed threats or a very poor understanding of the
impact of a breach.
QRadar vastly expands the capabilities of traditional SIEMs by incorporating new analytics
techniques and broader intelligence. Unlike any other SIEM in the market today, QRadar captures
all activity on the network for assets, users and attackers before, during, and after an exploit and
analyzes all suspected incidents in this context. New analytical techniques like behavioral analysis
are applied. QRadar notifies analysts about ‘offenses’ where an “offense” is a correlated set of
incidents with all of the essential, associated network, asset, vulnerability and identity context. By
adding business and historical context to suspected incidents and applying new analytic
techniques, massive data reduction is realized and threats otherwise missed will be detected.
IBM delivers real-time correlation and anomaly detection across a distributed and scalable
repository of security information to enable more accurate security monitoring and better visibility for
any organization, small or large.
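The correlation described above (the "five failed logins followed by a successful login" rule, together with the blacklist of malicious hosts from the Control slide earlier in this unit), as an added example written for this notebook and not QRadar's own rule engine: constructed sshd and firewall log lines are normalized into a common schema, two rules run over them, and the hits are grouped by source address into offenses with a simple magnitude score. The log lines, the threat-feed entries, the rule names and the magnitude formula are all constructed for the example.

```python
"""Minimal event-correlation engine: two rules over constructed log lines,
aggregated into per-source 'offenses'. Added example for this notebook; it is
not QRadar's rule engine and every input below is made up."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log lines: sshd-style authentication events and firewall allow lines.
SAMPLE_LOGS = """\
2015-05-04T10:00:01 host1 sshd: Failed password for alice from 10.0.0.5
2015-05-04T10:00:03 host1 sshd: Failed password for alice from 10.0.0.5
2015-05-04T10:00:05 host1 sshd: Failed password for alice from 10.0.0.5
2015-05-04T10:00:07 host1 sshd: Failed password for alice from 10.0.0.5
2015-05-04T10:00:09 host1 sshd: Failed password for alice from 10.0.0.5
2015-05-04T10:00:12 host1 sshd: Accepted password for alice from 10.0.0.5
2015-05-04T10:01:00 host2 sshd: Failed password for bob from 10.0.0.9
2015-05-04T10:01:30 host2 sshd: Accepted password for bob from 10.0.0.9
2015-05-04T10:05:00 fw1 ALLOW src=10.0.0.5 dst=203.0.113.77 dport=443
2015-05-04T10:05:10 fw1 ALLOW src=10.0.0.9 dst=198.51.100.20 dport=80
"""

# Constructed threat-feed entries (a hypothetical "malicious hosts" list, exact IPs or CIDR blocks).
THREAT_FEED = ["203.0.113.0/24", "192.0.2.10"]

AUTH_RE = re.compile(r"^(\S+) \S+ sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
FLOW_RE = re.compile(r"^(\S+) \S+ ALLOW src=(\S+) dst=(\S+) dport=(\d+)$")


def parse_events(text):
    """Normalize raw lines into dicts with a common schema; unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "type": "auth",
                           "ok": outcome == "Accepted", "user": user, "src": src})
            continue
        m = FLOW_RE.match(line)
        if m:
            ts, src, dst, dport = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "type": "flow",
                           "src": src, "dst": dst, "dport": int(dport)})
    return events


def rule_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """'N failed logins followed by a success' from the same source inside a time window."""
    hits = []
    failures = defaultdict(list)  # src -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "auth":
            continue
        recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
        if ev["ok"]:
            if len(recent) >= threshold:
                hits.append({"rule": "bruteforce_success", "src": ev["src"],
                             "user": ev["user"], "failures": len(recent), "ts": ev["ts"]})
            failures[ev["src"]] = []
        else:
            failures[ev["src"]] = recent + [ev["ts"]]
    return hits


def rule_threat_feed(events, feed):
    """Flow to a destination that appears on the malicious-host list."""
    nets = [ip_network(entry, strict=False) for entry in feed]
    return [{"rule": "threat_feed_match", "src": ev["src"], "dst": ev["dst"], "ts": ev["ts"]}
            for ev in events
            if ev["type"] == "flow" and any(ip_address(ev["dst"]) in n for n in nets)]


def build_offenses(hits):
    """Group rule hits by source IP into offenses; magnitude grows with distinct rules and hits."""
    by_src = defaultdict(list)
    for h in hits:
        by_src[h["src"]].append(h)
    offenses = []
    for src, src_hits in by_src.items():
        rules = sorted({h["rule"] for h in src_hits})
        offenses.append({"src": src, "rules": rules, "events": len(src_hits),
                         "magnitude": min(10, 3 * len(rules) + len(src_hits))})
    return sorted(offenses, key=lambda o: -o["magnitude"])


def run(text=SAMPLE_LOGS, feed=THREAT_FEED):
    """Parse, apply both rules, and return the offenses ordered by magnitude."""
    events = parse_events(text)
    return build_offenses(rule_bruteforce(events) + rule_threat_feed(events, feed))


if __name__ == "__main__":
    for offense in run():
        print(offense)
```

Ten raw lines collapse to one offense for 10.0.0.5, which both brute-forced alice's account and then connected to a blacklisted destination; bob's single failed attempt produces nothing. The second rule works on firewall flow data rather than on host logs, which is the point made above about attackers disabling logging: a compromised host cannot stop the firewall from recording the connection it made.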
Slide: Embedded intelligence of QRadar directs focus for investigations: suspected incidents are reduced to true offenses, which drive directed forensics investigations
We now have the forensic ability to use collected data to recover the details that are critical to a
much deeper and faster investigation.
• Risk assessment support through network topology awareness in combination with vulnerability
information
Investigate potential risks due to network topology and vulnerabilities
Focus on the “important and valuable” assets that need protection and do not flood the Security Intelligence
system with useless data
Lesson 3 IT security governance and
compliance
You can see how much the leadership of an organization has to focus on governance and
compliance issues.
Repeatedly failing an audit usually results in fines and legal exposure. That is why a constant
stream of focused reports helps the IT leadership team to stay in control of policy and guidelines.
And what IT subsystem is better suited to collect a large amount of compliance related data and
report on it than the Security Intelligence solution?
Slide: mapping of PCI DSS requirement areas to IBM offerings in four categories (IBM Professional Services, IBM Software Solutions, IBM Managed Services, IBM Hardware).
Requirement areas shown: Firewall to Protect Cardholder Data; No Default Passwords or Security Parameters; Protect Stored Cardholder Data; Encrypt Transmission; Use and Update Anti-Virus Software; Secure Systems and Applications; Restrict Access; Unique IDs; Restrict Physical Access; Monitor Access; Test Security Systems and Process; Security Policy for Employees and Contractors.
Offerings named on the slide: IBM Security QRadar; IBM Security BigFix (Endpoint Manager); IBM OpenPages; IBM Security Network Intrusion Prevention; IBM Managed Security Services; IBM Security Identity Manager; IBM Security Federated Identity Manager products; IBM Security Access Manager (ISAM, WebSEAL, for eBusiness); IBM Security zSecure Audit; IBM Security zSecure Admin; IBM Security Guardium; IBM Security AppScan; IBM Security Key Lifecycle Manager products; IBM Storage Manager; IBM DataPower; IBM Data Encryption for IMS and IBM DB2; IBM Security Strategy, Risk and Compliance Services; IBM CyberSecurity Assessment and Response Services; IBM Data and Application Security Services; IBM Identity and Access Management Services.
Every organization struggles to implement and maintain many IT Security solutions from many
different vendors, mostly because of the complexity and differences in those solutions as well as
the required manpower and skill sets to handle all of these.
At this time consider the areas where the Security Intelligence solution can provide input and
reports for compliance related activities.
Reporting in QRadar
• A QRadar SIEM report is a means of scheduling and automating one or more saved searches
• QRadar SIEM reports perform the following tasks
Present measurements and statistics derived from events, flows, and offenses
Provide users the ability to create custom reports
Can brand reports and distribute them
• Predefined report templates serve a multitude of purposes, such as the following examples
Regulatory compliance
Authentication activity
Operational status
Network status
Executive summaries
• Regulatory coverage
HIPAA: Health Insurance Portability and Accountability Act
COBIT: Control Objectives for Information and Related Technology
SOX: Sarbanes-Oxley Act (Public Company Accounting Reform and Investor Protection Act)
PCI DSS: Payment Card Industry Data Security Standard
GLBA: Gramm-Leach-Bliley Act
FISMA: Federal Information Security Management Act
NERC: North American Electric Reliability Corporation standards
GSX: Government Secure Extranet
Reports tab
You can search and sort report templates in a similar way as events and flows.
You can manage your compliance related reports with the rest of the operational reports. They can
either be run on an automatic schedule or manually on request.
Lesson 4 Security Intelligence and enterprise
security architecture
What is an architecture?
• An architecture takes into consideration the overall environment in which the system (here: IT
system) will operate
• It lays out all the elements of the IT system and their relationships
• In order to create an IT architecture, every organization should follow well accepted rules and
guidelines
The British Standard BS 7799, the predecessor of ISO/IEC 27001 and ISO/IEC 27002 (current
editions: 2013), is one of the most widely recognized security standards in the world. The standard
started in 1992 as a Code of Practice that evolved into BS 7799 in 1995. A major revision followed in
May 1999, an edition that included many enhancements and improvements over previous versions.
When it was republished in December 2000, it became ISO/IEC 17799. ISO/IEC 17799 was
republished in 2005 as ISO/IEC 17799:2005(E) with more revisions. In 2007 the standard was,
without further amendment, renumbered under the new ISO/IEC 27000-series scheme for
information security management standards as ISO/IEC 27002:2005; the current edition is
ISO/IEC 27002:2013.
ISO/IEC 27002 is comprehensive in its coverage of security issues. It contains many control
requirements, some of which are extremely complex. Compliance with ISO/IEC 27002 is not a trivial
task, even for the most security-conscious of organizations.
_____________________________________________
COBIT is a framework first released in 1996 by the Information Systems Audit and Control
Association (ISACA) and later maintained together with the IT Governance Institute (ITGI). It is an
internationally accepted framework that is based on defining the controls and processes that bridge
the gap between the business and the Information Technology view of information security. The
framework has gone through multiple releases over time. The latest version, Version 5, was
published in 2012.
TOGAF, a standard from The Open Group, is an architecture framework that provides methods and
tools for assisting you with the acceptance, production, usage, and maintenance of an enterprise
architecture. TOGAF is based on an iterative process model that is supported by preferred
practices and a reusable set of existing architecture assets. TOGAF helps practitioners avoid being
locked into proprietary methods, use resources more efficiently and effectively, and realize a
greater return on investment (ROI). First developed in 1995, TOGAF was based on the US
Department of Defense Technical Architecture Framework for Information Management (TAFIM).
The Open Group Architecture Forum developed successive versions of TOGAF at regular intervals
and published them on The Open Group public website at:
http://www.opengroup.org
_____________________________________________
The O-ESA is a policy-driven security architecture that places this architecture in the context of a
larger enterprise security program and describes the major elements of an ESA: Governance,
Technology Architecture, and Operations.
An enterprise security architecture must be created at the level of the overall corporation, and thus
in relationship with the enterprise architecture, the corporate risk management guidelines, and IT
governance as defined within the organization. As such, the ESA is the part of an enterprise
architecture that defines how to fulfill the objectives of preserving the availability, integrity, and
confidentiality of an organization’s information.
Enterprise security architecture is the specialized framework for fulfilling these objectives while it
satisfies the security demands placed on the IT service organization by its customers. It includes all
aspects of security governance, security technology architecture, and security operations that are
required to protect the IT assets of the enterprise.
The O-ESA Enterprise Security Program is expanded into four concentric rings of responsibility:
• Overall Program Management responsibility in the outer ring
• Governance responsibility in the second ring
• Architecture, or Technical Architecture, in the third ring
• Operations responsibility in the inner ring
Each ring identifies key components and processes that fall within that responsibility domain. The
components of each ring represent deliverables that further narrow the definition of what must be
provided by the inner rings. The Requirements, Strategy, Planning roadmaps, Risk Management
assessments, Education and Awareness, and the Ongoing Program Assessment from the outer
Program Management ring narrow the definition of what must be provided in the governance,
technology, and the architecture rings.
More information about The Open Group O-ESA can be found here:
https://www2.opengroup.org/ogsys/jsp/publications/PublicationDetails.jsp?publicationid=12380
• Principles
Basic assumptions and beliefs that provide overall
security guidance
• Policies
The security rules that apply in various control
domains
• Standards, Guidelines, and Procedures
The implementation of the policies through
technical requirements, recommended practices,
and instructions
• Enforcement
The processes for ensuring compliance with the
policies
• Ongoing Assessment (audit)
The process of reviewing security activities for
policy compliance
O-ESA Enterprise Security Program (© The Open Group)
Defining an enterprise security architecture is not a one-time activity. Setting the foundation takes
the most time and effort, but after it is defined, it requires regular updates that are driven by the
changes in business requirements, possibly new threats, or disruptive changes in technology.
Although the CISO office cannot play an active role in all security-related activities in an
organization, it must own the Enterprise Security Program and participate as a stakeholder in the
related activities.
In the O-ESA Enterprise Security Program Framework the CISO office must fulfill its role in several
activities, and this role varies depending on the type of activity.
These are the security activities where the CISO office should play a role.
Unit summary
• Illustrate the integration between Security Intelligence and other IT Security domains to identify
important source data used to populate the Security Intelligence solution
• Describe how Security Intelligence can help detect and stop advanced threats
• Describe how Security Intelligence can help address organizational and regulatory compliance
• Describe how a Security Intelligence solution can be integrated into an overall enterprise security
architecture
Unit objectives
• Discuss the high level steps needed to design and implement a Security Intelligence solution
• Describe the detailed activities needed to design and implement a Security Intelligence solution
Designing a Security Intelligence solution involves much more than documenting how to install and
configure a Security Intelligence software product. In this unit we introduce a design methodology
that covers all steps from information gathering to specifying the required maintenance on the
solution. The major steps of the methodology will first be explained, after which the detailed
activities of each major step will be discussed.
Lesson 1 Security Intelligence solution design
high level process
2. Design the IT Security architecture for the Security Intelligence solution. The architectural
design must support the functional requirements for the Security Intelligence product. This step
still does not depend on a specific Security Intelligence software product. Instead the architectural
design relies on the functional requirements and on how they can be met using the available IT
infrastructure: for example, the types of data that must be collected and archived, alerting and
reporting mechanisms, and communication protocol requirements.
3. Implement and deploy the Security Intelligence solution. Once the architectural design has been
approved, the search can start for a software solution that meets all requirements set out by
the architectural design. Experience shows that the architectural design will in the end be adjusted
in minor details to reflect the capabilities of the selected software product.
4. Design operational processes. Once the Security Intelligence solution is deployed successfully,
processes must be designed to maintain the solution and keep it operational, and also to
document how the solution is integrated with and used by IT services such as event management
and incident management.
In this unit we discuss steps 1 and 2. Steps 3 and 4 assume that a software product has
been selected; we discuss these steps in units 3 and 4, assuming that QRadar SIEM 7.2.x is
the software product that was selected.
Security Intelligence and IT Security Architectures addressing ISO/IEC 27002 or a similar framework
When defining the functional requirements for a Security Intelligence solution, one can start with the
minimal requirements set out by IT Security frameworks such as ISO/IEC 27002 or O-ESA. The
security controls defined in an earlier stage of implementation also define the configuration
requirements of the solution and of the sources of event data it uses. In the implementation step it
may turn out that the Security Intelligence solution cannot consume a given event data source, or
that the source cannot produce the required data. If this is the case, the requirements specified in
the architectural step might need adjustment.
To get the most out of the Security Intelligence functionality, the requirements can be stretched to
include the use of vulnerability, asset management, network (device) configuration, and any computer
or network forensics data. Security Intelligence can then help to prioritize a vulnerability by how
exploitable and reachable it is, or to determine the risk related to a vulnerability. In this step one also
realizes that logging and monitoring is more than gathering event and flow data, also called event
auditing. It should also include the frequent check whether assets are configured according to the
security policy for software and hardware configuration, also called status auditing.
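Status auditing as described above, as an added example written for this notebook (it is not QRadar's configuration monitoring feature): a policy baseline is compared with a captured sshd_config, and every directive that is missing or differs from the required value becomes a finding. The policy values and the configuration text are constructed; the one real-world detail the code relies on is that sshd honours the first occurrence of a keyword.

```python
"""Status auditing: compare a captured configuration against a security-policy
baseline and report drift. Added example for this notebook, not QRadar code;
the policy and the sshd_config text are constructed."""
import re

# Constructed policy baseline: sshd directives the security policy requires.
POLICY = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "Protocol": "2",
    "MaxAuthTries": "4",
}

# Constructed configuration as returned by a collection job on a host.
CAPTURED_SSHD_CONFIG = """\
# sshd_config on host1 (constructed)
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
MaxAuthTries 6
"""

DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z]+)\s+(\S+)")


def parse_sshd_config(text):
    """Return {directive: value} from active lines. sshd uses the first
    occurrence of a keyword, so later duplicates are ignored here as well."""
    cfg = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out directives are not in effect
        m = DIRECTIVE_RE.match(line)
        if m and m.group(1) not in cfg:
            cfg[m.group(1)] = m.group(2)
    return cfg


def audit(cfg, policy):
    """One finding per policy directive that is missing or has a different value."""
    findings = []
    for key, required in policy.items():
        actual = cfg.get(key)
        if actual is None:
            findings.append({"directive": key, "required": required,
                             "actual": None, "status": "missing"})
        elif actual.lower() != required.lower():
            findings.append({"directive": key, "required": required,
                             "actual": actual, "status": "noncompliant"})
    return findings


def run_audit(text=CAPTURED_SSHD_CONFIG, policy=POLICY):
    """Parse the capture and audit it; returns the list of findings."""
    return audit(parse_sshd_config(text), policy)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

A directive that is commented out is reported as missing rather than as compliant, because the daemon then falls back to its built-in default, which is not what the policy required; an audit that only checks explicitly set values would miss exactly this case.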
During the deployment step, the Security Intelligence product integration must be tested to verify
that it meets the functional requirements defined in an earlier step. Normally this means that the use
cases must be tested for incident management, compliance management, and event management.
The slide lists a few examples of typical use cases.
Lesson 2 Detailed Security Intelligence
solution design, implementation, and
deployment process
The unit continues to discuss each step in detail and major activities in the steps are explained.
From now on, we assume that the Security Intelligence project is using the ISO/IEC 27002:2013
framework. The security controls and processes discussed are taken from this framework and the
purpose of the activities is to follow the ISO/IEC 27002:2013 recommendations. But in general you
will find that this framework is extensive and may differ only in detail with other frameworks like
O-ESA.
Obtain the ISO/IEC 27001/2 2013 documents from: http://bit.ly/1MspEIj and http://bit.ly/1MrWnKN
Security Intelligence Design (Macro & Micro)
Key delivery activities: Data collection; Document detailed use cases and requirements; High level macro design; Detailed and physical micro design; Review and finalize design
Tasks per activity:
• Data collection
Collect, interview and/or perform workshops to elaborate on IT processes such as incident, problem, change
Gather security intelligence system requirements
o monitoring use cases
o normalization
o correlation
o asset vulnerability information
o asset classification profiles
o forensic data collection
o network device and topology configuration
o integration targets (ticketing, identity, human resources, change management, ...)
• Document detailed use cases and requirements
Define, document, and map detailed use cases including any custom data source requirement
Define, document, and map functional requirements
o logging level specifications for:
o event collection protocols and methods
o dashboard, views, and reporting
o storage
o system access
o reporting
o customization requirements
Define, document, and map non-functional requirements
o monitoring, reporting, retention
o regulatory and contractual considerations
o high availability and disaster recovery
o success criteria for target state
• High level macro design
Develop architecture overview diagram and description
Document architectural decisions
Update component model and develop macro system design
o data/event sources and phased integration plan
o asset risk weighting criteria
o compliance groupings for assets
o vulnerability scanner usage, configuration, and frequency
o customization requirements
o user accounts and roles
Develop design document at macro level
• Detailed and physical micro design
Identify and document additional architecture details including physical design
Define at the micro system design level
o data/event source collection
o firewall rulesets
o updates to use cases
o alert classification criteria
o network topology (including risk weighting) and associated objects
o vulnerability management systems and process integration
o dashboard requirements
o hardware compatibility
Document interface as well as customization and configuration specifications
Update design document at micro level
• Review and finalize design
Review and finalize design with stakeholders, SI operations team, and additional QA team as needed
Develop system test plan
Conduct deployment planning and update project plan
The first step in the solution design is investigating and documenting all the requirements. These
requirements are categorized as functional and non-functional requirements. The objective of this
step is to create detailed architectural design documents, containing detailed information on how
the Security Intelligence system must be deployed and implemented so as to meet all requirements.
Each phase contains a minimal list of activities. The 2 major phases from a design point of view are:
• Data Collection
• Document detailed use cases and requirements
The remaining phases in this step follow from these two, and therefore we discuss these
phases only briefly.
The requirements gathered during the first two phases are translated to the organization's IT
infrastructure to specify the details. Restrictions following from the organization's IT infrastructure
result in architectural decisions that may conflict with the original requirements. Think for example
of the requirement that log data must be collected in near real time, while because of bandwidth
limitations on some network segments the collection must occur in batches. Requirements
regarding logging, collection, storage, reports, etc. are detailed using the organization's IT
infrastructure as the reference.
The next phase almost assumes that one knows the requirements of the Security Intelligence
solution of choice regarding hardware, network footprint, event collection mechanisms, system
integration, and system usage. The micro details describe the requirements to deploy the Security
Intelligence system. Theoretically one will not know in detail how events are collected by the system at this
point. But one can specify in detail, for example, what vulnerability information must be used by the
Security Intelligence system and how it must be retrieved. Once a Security Intelligence product is
chosen, the micro design is updated to reflect the actual requirements as defined by the product.
The macro and micro design are reviewed by all stakeholders, and the use cases drive the test plan.
But one also creates tests to make sure that the critical non-functional requirements are met.
Now the deployment can start and the project plan must be updated with the milestones.
Data collection
We discuss the first two phases and indicate with boxes the activities that we concentrate on in the
following slides.
Incident management
• Incident management is required by the IT Security Framework of choice
• Example guidelines are found in Chapter 16 Information security incident management of the
“ISO/IEC 27002 Code of practice for information security controls”
Incident management
As stated, we assume that the organization uses ISO/IEC 27001/2 2013 as its security
framework. This framework contains guidelines for all IT governance processes that affect the list of
requirements for a Security Intelligence system. Section 16 of the framework specifies the required
controls for incident management. More specifically, paragraphs 16.1.4 to 16.1.7 contain guidelines for
how the Security Intelligence system should support this security control.
16.1.4 implies that the system must be capable of identifying security incidents and reporting them in
time.
16.1.5 Ideally the system allows one to track and check whether a reported incident is being worked on or
has been solved.
16.1.6 Lessons learned must be applicable to the system to prevent and detect future occurrences
of the same incident. The system must also be able to gather evidence and information to analyze
the root cause of the incident.
16.1.7 The system must be capable of gathering evidence and archiving the data in a secure manner.
These are just some requirements that follow from the security controls.
When data must be gathered for evidence, find out if this evidence must be usable in court or if the
evidence is only used to trace how the incident took place. In the first case the data gathered for
evidence must be unprocessed, which means that unprocessed original system and network data
must be archived. For system events this means that the original logs or audit trails as produced by
the system's audit subsystem are collected and archived. For network data this means that the
network packets must be collected by copying them directly off the wire and archived.
When designing a Security Intelligence solution, it is always tempting to just let the system collect
and archive everything. This may lead to an overkill of data and, even worse, the organization might
be breaking an (inter)national law. For example, gathering and archiving privacy data that was not
shared with the organization with the consent of the owner of that data is clearly illegal. To prevent
an overkill of data, the system should gather data only from systems and network segments that present
a risk to the organization.
The system must be integrated with the systems used by the Incident Response team. Therefore
gather information about the Service Level Agreements used by the IR team to start investigations.
Ideally the system is capable of providing all information required by the SLAs.
Change management
• Prepare for violations of IT security policy that might occur because a scheduled change to the IT
environment is performed
• Check if the organization uses a change management system that can inform the monitoring system
that certain violations are expected
Change management
Change management processes may have a severe impact on the visibility of incidents. Therefore the
Security Intelligence system should ideally be capable of being updated with scheduled change
management requests.
Human Resources systems manage account life cycles. These systems provision accounts with
authorization profiles that can be used by the Security Intelligence system to identify violations of
the authorization schema. Therefore, if possible, find out if such an HR life cycle system is used and, if so,
require that the Security Intelligence system uses the authorization schema to monitor for
violations.
User account directories may be used by the Security Intelligence system to monitor user behavior
based on their user or group privileges. Therefore require the integration between the Security
Intelligence system and any available user directory.
Data collection
Section 12 of ISO/IEC 27002 2013 contains paragraphs addressing controls for Logging and
monitoring. These controls directly affect the functional requirements for the Security Intelligence
system.
Although section 12 of ISO/IEC 27002 2013 does not specify what type of user actions must be
logged, you will find some guidance in other paragraphs. For example, paragraph 9.4.2 suggests
that one should log all account log-on activity.
The proper way to determine what user actions, and in general what data, must be collected is to
use the results of the organization's most current risk assessment. This assessment contains
information about the risks that must be addressed and managed. The result is a collection of security
controls that define how
To complete the assessment of the systems and network segments or infrastructure that will be
integrated with the Security Intelligence system, one also has to consider the actual exposure of the
systems to the current threat landscape. The Security Intelligence system can benefit from the
collection, analysis and archiving of network data: detection of incidents can become more
effective and the system can provide more details to analyze the incident. Also consider collecting
and archiving the complete traffic on critical network paths, to provide network forensic evidence
when needed and to allow deep analysis where normalized data cannot provide it.
The structure of these documents is very similar, and you only have to concentrate on the
information regarding the class FAU and requirements FAU_GEN1.1 and FAU_GEN1.2
4. The list of auditable events for the security target informs you about what Common Criteria
recommends to be logged for the platform type; this contributes to the recommendation of a baseline
security policy for logging
5. Investigate how the platform type must be configured to generate the auditable events; in some
cases, the Security Target documents contain a mapping of the baseline recommendations and the
platform's audit functions (Hint: Search for the words "audit function" in the Security Target document)
After identifying the sources from which the Security Intelligence system receives data, the next
important step is to configure these data sources to produce sufficient data for the Security
Intelligence system to meet all functional requirements. In the case of network related data sources
(taps, flow collectors, etc.) the configuration options are limited to the location of the network taps and
the usage of flow filters. More specialized are the configuration options for host systems like
databases, operating systems, applications, etc. It is essential that in this design phase one already
has a clear understanding of what data can be retrieved from the sources, to decide which security
controls, or use cases, can be supported by the Security Intelligence system. The goal is that the
architectural design will only contain use cases for which data can be collected from the sources.
This introduces a field of IT expertise that is not commonly available, namely system expertise on
the topic of auditing. Most system experts are familiar with the architecture and available tools on
the system, but lack deep knowledge of how the audit subsystem works. This is why this aspect of system
security has long been neglected and is still the field of experts. Luckily there are guidelines and
standards for audit subsystem architectures, and one of them is Common Criteria. For an
introduction to the Common Criteria standard, check this website: http://bit.ly/1G6ojz5
In the Common Criteria Portal one will most likely find a Security Target (ST) document for a specific
Target Of Evaluation (TOE), the system that is evaluated against one of the Common Criteria's
Evaluation Assurance Levels (EAL). From a practical point of view, experience shows that if a system is certified
by Common Criteria, it should be certified for at least the EAL 4 level before it makes sense to
integrate the system in a Security Intelligence solution. EAL 4 assures that the system has an audit
subsystem that allows the user to log security relevant activities on the system in detail.
These Common Criteria documents are a good start for anyone who needs to understand the audit
capabilities of a specific system. Details about the system's audit subsystem can most likely be
found in the product documentation. Searching the INTERNET for "<system type and version>
security auditing guide" (e.g. oracle 11.2 security auditing guide) will already give you some hints
on where to search for this information.
Another useful application of the Common Criteria documents is to look at the audit
requirements defined by Common Criteria for a certain class. For example, if you look at the
Security Functional Requirements CCPART2V3.1R3, you will find the audit requirements defined
for class FDP requirement FDP_ACF.1 on page 59 of that document.
In case the organization has no policy regarding audit requirements for some of their systems, you
can at least make a good start by suggesting to use the audit requirements as defined by Common
Criteria. This has the benefit that these guidelines are widely accepted as an industry standard.
To define the requirements regarding network data and network forensics, start by obtaining the
network topology and locate the critical systems in the topology. Also find out what the critical
business processes are, so you can track the communication paths in the topology that may be
interesting to monitor. The result is an overview of normal communication by systems, protocols,
ports and maybe even by normal size of data. Any anomaly regarding these characteristics is
considered suspicious network communication. Therefore you can recommend that the result of
this investigation be used as the network flow policy. The Security Intelligence system can use
this information to collect, filter and monitor the essential network information flows. Depending on
the required detail defined by the use cases, the Security Intelligence system must either collect
network accounting flows, flows with layer 7 data, or tap into the network to obtain all data
packets.
If the use cases require all data packets to be collected for forensic evidence, then find out if
evidence must be collected after an incident was detected, or if data packets must always be
collected. If Personally Identifiable Information (PII) is also collected, then this data is subject to
local Privacy Laws. If it is evidence, then different criteria apply.
Any Security Intelligence system must have the capability to allow the SOC team to:
• Be alerted in near real time to security incidents
• Monitor the security status of the whole IT infrastructure by means of security dashboards
• Generate and view the reports needed for the use cases
• Analyze any number of events in detail
Determine with the SOC team how the information must be made available and what information
must be made available in each of the above formats. These will then be the functional
requirements regarding reports, views, and dashboards.
Data collection
Frequent discovery of technical vulnerabilities of the systems improves the risk assessment by the
Security Intelligence system and helps to provide more accurate information about security
incidents. Therefore if the organization has vulnerability scanners in place, require that this
information is gathered by the Security Intelligence system and used to improve security incident
detection and reporting.
Using technical vulnerability information is a good start to improve Security Intelligence
reporting and detection. But if the system is also required to provide information for the risk
assessment processes, then these vulnerabilities must be put into context. For example, a high risk
vulnerability that exposes the system to an RPC attack is only an actual risk if the system accepts
connections on any of the standard RPC ports and network traffic containing any of the RPC protocols
to the system is also allowed. Therefore it is important to use the network information flow policy as
the context for the technical vulnerability information.
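The two uses of the network information flow policy described in the notes on network data (a baseline of normal communication by system, protocol, port and size, where any deviation counts as suspicious) and in the paragraph above (a scanner finding only matters when the policy allows traffic to reach the vulnerable service), worked through in Python. This is an added example, not course material or any product's code; all hosts, segments, ports, policy entries and findings are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class FlowRule:
    """One entry of the network information flow policy: normal communication
    from a source segment to a destination host/port, with the largest byte
    volume observed for it during the baseline period (constructed values)."""
    src_segment: str   # CIDR of the segment that normally talks to the service
    dst_host: str
    proto: str         # "tcp" or "udp"
    dst_port: int
    max_bytes: int


@dataclass(frozen=True)
class Flow:
    """A flow record as a collector would report it (constructed)."""
    src: str
    dst: str
    proto: str
    dst_port: int
    nbytes: int


@dataclass(frozen=True)
class Finding:
    """A vulnerability scanner result for one service on one host (constructed)."""
    host: str
    proto: str
    port: int
    severity: str
    title: str


# Constructed flow policy: only the application segment normally reaches the
# database listener; any source may reach the web tier on HTTPS.
POLICY: List[FlowRule] = [
    FlowRule("10.0.1.0/24", "10.0.2.10", "tcp", 1521, max_bytes=5_000_000),
    FlowRule("0.0.0.0/0", "10.0.3.5", "tcp", 443, max_bytes=2_000_000),
]


def matching_rule(flow: Flow, policy: List[FlowRule] = POLICY) -> Optional[FlowRule]:
    """Return the policy entry that covers this flow, or None if none does."""
    for rule in policy:
        if (flow.dst == rule.dst_host and flow.proto == rule.proto
                and flow.dst_port == rule.dst_port
                and ip_address(flow.src) in ip_network(rule.src_segment)):
            return rule
    return None


def classify_flow(flow: Flow, policy: List[FlowRule] = POLICY) -> str:
    """'normal' when the flow matches the policy within its usual volume,
    'unexpected-path' when no policy entry covers it (unknown system, protocol
    or port), 'volume-anomaly' when the path is known but the size is not."""
    rule = matching_rule(flow, policy)
    if rule is None:
        return "unexpected-path"
    if flow.nbytes > rule.max_bytes:
        return "volume-anomaly"
    return "normal"


def exposed(finding: Finding, policy: List[FlowRule] = POLICY) -> bool:
    """True if the flow policy allows some segment to reach the vulnerable service."""
    return any(r.dst_host == finding.host and r.proto == finding.proto
               and r.dst_port == finding.port for r in policy)


def contextual_risk(finding: Finding, policy: List[FlowRule] = POLICY) -> str:
    """Keep the scanner severity only for findings the network can actually reach;
    everything else is reported as informational so it does not distort risk reports."""
    return finding.severity if exposed(finding, policy) else "informational"


# Constructed scanner output for the database host: an RPC service the policy
# never lets anyone reach, and the listener the application segment does use.
FINDINGS: List[Finding] = [
    Finding("10.0.2.10", "tcp", 111, "high", "RPC portmapper reachable (constructed)"),
    Finding("10.0.2.10", "tcp", 1521, "high", "Listener accepts unauthenticated probes (constructed)"),
]


if __name__ == "__main__":
    sample_flows = [
        Flow("10.0.1.7", "10.0.2.10", "tcp", 1521, 120_000),    # app server -> db, normal
        Flow("10.0.9.9", "10.0.2.10", "tcp", 1521, 120_000),    # db reached from an unexpected segment
        Flow("10.0.1.7", "10.0.2.10", "tcp", 1521, 9_000_000),  # known path, far above baseline volume
    ]
    for flow in sample_flows:
        print(classify_flow(flow), flow)
    for finding in FINDINGS:
        print(contextual_risk(finding), finding.title)
```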
Asset management systems manage configuration information of assets: the software that is expected
to be installed on the assets and also how this software is configured. They may also contain information
about assets that are not in compliance with the security policy, meaning that these assets either
have software installed, or are missing software, with the result that these assets are not
compliant. It could also be that the software footprint is correct, but the configuration of the
software is not. Think for example of a firewall device that did not load the correct firewall
rule set, with the result that the device introduces an elevated risk on the IT infrastructure. If the
Security Intelligence system can use the information managed by asset management systems,
then the Security Intelligence system will be better at informing about the impact of incidents and
the risks introduced by non-compliant assets.
Nowadays organizations schedule yearly black box security tests on their IT infrastructure. Not only
do they perform disaster recovery tests and fail-over tests, but also penetration tests to find out if
their defense tools and processes are strong enough. These penetration tests can also be done by
an application security testing and monitoring tool. These tools test if applications are vulnerable to
attacks like SQL injection, cross-site scripting, buffer overflow, etc. Like vulnerability scanner
results, this information is valuable for any Security Intelligence tool, because the system may use
this information to inform about elevated risks, or about the possibility of an incident
occurring if, for example, the system finds patterns in the network information flow that resemble
the usage of SQL injection. Therefore, if the organization deploys an application security testing and
monitoring tool, suggest that the Security Intelligence system integrates the results of the tests
performed by that tool.
Lesson 3 Document detailed use cases and requirements
Use case models do not describe how the system works internally, nor do they describe any internal
structure or mechanisms
Purpose
The main purpose of the use case model is to establish the boundary of the Security Intelligence system
and fully document its functional capabilities with respect to the users; the major focus areas in a use
case model are listed below
• Identify objects, object functionality, interaction, and interfaces
• Define test cases
• Produce user support materials and documentation
Determining the use cases for the Security Intelligence system is fundamental for the whole
solution design project. Without the use case, one cannot determine how the system is used, what
the success criteria are, and how the solution is configured. Information to obtain:
• Identify the actors in each use case
Who is involved?
• Means and flow of communication
How do the actors communicate and what is the order of information exchange?
• Preconditions for each use case
What is needed for the use case to be applicable?
• The flow of events
What are the steps in the use case from start to termination?
• Termination outcome description
What is the purpose of the use case?
• Successful completion description
What are the criteria to determine that the use case has terminated successfully?
• Failure condition description
What are the consequences if the use case did not terminate successfully?
• Dependencies with other use cases
Are there any other use cases on which this use case relies?
Use flow charts whenever you describe a flow of communication or events. It makes it much easier to
follow the sequences.
Before the organization can start looking for a Security Intelligence software product, it must know
what it requires from the product. This is described by the functional requirements. These contain the
use cases described on the previous pages, but also how the product must fit into the existing IT
infrastructure and processes. For example:
The use cases define a functional requirement that the system must collect, normalize, report and
archive log data, while the organization's business rules and regulatory requirements state that
administration of the system must be done by application administrators who shall not have access
to the log data by any means. And on top of this, any administration action on the system must be
auditable.
The organization may be using an architectural framework like The Open Group Architecture
Forum (TOGAF, http://pubs.opengroup.org/architecture/togaf9-doc/arch/index.html), which
recommends using so-called work products. These architectural work products or artifacts cover a
specific area of the design and they take as input so-called building blocks (see
http://pubs.opengroup.org/architecture/togaf9-doc/arch/index.html for definitions). For example, the functional
requirements regarding use cases are together one building block that can be re-used in several
work products. In fact the different types of functional requirements that are discussed on the
previous pages are each building blocks that find their way into the architectural work products.
These building blocks will also be used as guidelines in the deployment and implementation steps.
The Security Intelligence product specialist should be aware of the building blocks that matter to the
product she or he is implementing. Therefore, if you haven't been involved in the architectural
design and your responsibility is to implement and deploy the product, still try to obtain the
relevant building blocks to make sure that you are following the architectural guidelines.
Besides the functional requirements, one also has to gather and document the non-functional
requirements. These requirements are likely to be driven by availability, security and system
management SLRs (service level requirements). Think of the requirements regarding responsiveness of the system, or down
time in case of a disaster. Again these requirements are documented in building blocks and may well
have to be considered when implementing and deploying the Security Intelligence product.
The non-functional requirements impose requirements on the architecture of the Security
Intelligence system. It might well turn out that these requirements cannot be met by the Security
Intelligence system. For example, one product might meet the requirements regarding performance and
responsiveness while another cannot, although both have the same Security Intelligence
functionality.
In the next pages we detail some functional and non-functional requirements. Others are not
discussed because they are considered straightforward.
Normalization: Every Security Intelligence tool must present the report data in a normalized format.
Not only does this eliminate the need for specialists to understand the data, but to do effective
correlation the system benefits from normalization of the original log data.
Correlation: Security Intelligence is all about correlating data from different sources in an intelligent
manner. Thus correlation of data is an obvious critical requirement.
System access: As discussed before, data gathered by the system includes PII data and must
therefore be safeguarded by security controls, restricting data access to authorized personnel
only. And all access must be auditable. One might even simply say that the Security Intelligence
system must be certified according to the Common Criteria EAL-4 standard.
Success criteria: One must always define the criteria for successful termination of the project.
Storage
• Based on the IT security policy for logging, configure the machines in scope to meet the logging
requirements
• For 7 days, monitor the daily amount of logging data generated
• Determine daily logging thresholds by using the number of audit records written to the audit vault every day
• Remember that some audit subsystems overwrite when the audit trail file is full and others switch between
audit trail files in the vault
• Determine the impact of logging on the machine performance, and determine if system performance
remains within the service availability requirements as defined by risk management
• Use flow accounting information, like NetFlow, J-Flow, or sFlow, if available, to estimate the amount of
flow data that will be generated on the network information flow capture points, as determined by the
network information flow policy
• If flow accounting information is not available, determine the maximum bandwidth of each network
connection in scope and assume an average of 70% utilization of the bandwidth
Storage
Any Security Intelligence system struggles with the question of how much storage is required. Log and
flow data must be stored for reporting and to meet regulatory requirements. The retention defines
for how long this data must be kept. But first one has to determine the average daily amount of data
that is collected. Crucial is that one uses the IT security policy for logging to configure the data
sources so that these will only log what is needed for the use cases, reporting requirements and
incident management. Once the data sources are configured, monitor the log data generation for 7
days and keep in mind that some audit subsystems overwrite their audit trail files, and others create
new files when the maximum size of an audit trail has been reached.
At this point you can also assess the impact of auditing or logging on all systems. Logging and
auditing always have an impact, simply because these processes require writing to storage and CPU
processing to determine if and what must be stored. Crucial is that the impact on system
performance does not violate any SLRs regarding availability and performance of the system itself.
Think for example of a database application whose performance metrics drop significantly because of
logging and auditing.
To estimate the size of network data, first use the Network Information Flow policy to determine
what flows must be collected and where, that is, from which network segments these flows must be
collected. If available, use flow accounting information to estimate the average daily flow data size. If
you cannot use flow accounting information, then determine the bandwidth of the lines in the
network segments of interest, and assume that on a daily basis 70% of the bandwidth is utilized.
Once you have the sizing metrics for storage, and consequently for event and flow processing,
assume that these numbers equal 80% of the required daily storage and processing capacity. This
is to avoid system overload caused by peaks resulting from an attack or other system activity. So if
you find that the average number of events per second from all data sources equals 100 EPS, then
require that the Security Intelligence system must be able to process (100/80) * 100 = 125 EPS.
Retention time
• IT regulations usually define the log retention time for all logdata
This retention time differs from the time the logdata must ideally be kept online for daily monitoring
Best practice is to keep 90 days of logdata online
• Local privacy laws might apply to the log retention time
For example, audit trails or flows containing customer data which can be used to identify a natural
person (PII) may be kept for 2 years; but it should be deleted as soon as possible
• Include any requirements regarding Logging and Monitoring services, such as high availability and
backup, that increase the required amount of storage
Retention time
Important to realize is that log and flow data need not always be kept available for immediate
reporting and investigation. Although regulations may require that log and flow data are kept for 2
years or more, large portions of that data may be kept on offline storage like tape devices or ROM
devices. Best practice is to keep 3 months of log and flow data in online storage for reporting and
investigation.
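The sizing rules of thumb from the Storage and Retention time notes above (7-day measurement, 70% bandwidth assumption when flow accounting is missing, measured averages taken as 80% of capacity, 90 days online), carried through as an added Python example. It is not course material or any product's sizing tool; the source volumes, link speeds and retention periods are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

SECONDS_PER_DAY = 86_400
PEAK_HEADROOM = 0.80        # measured average is taken as 80% of required capacity
ASSUMED_UTILIZATION = 0.70  # used when no flow accounting data is available
ONLINE_DAYS = 90            # best practice: 3 months of log and flow data online


@dataclass(frozen=True)
class LogSource:
    """A data source after the logging policy has been applied (constructed)."""
    name: str
    daily_events: List[int]  # event counts for each of the 7 monitored days
    avg_event_bytes: int     # average stored size of one normalized event


@dataclass(frozen=True)
class NetworkLink:
    """A capture point from the network information flow policy (constructed)."""
    name: str
    bandwidth_bps: int                          # line rate in bits per second
    measured_daily_bytes: Optional[int] = None  # from NetFlow/J-Flow/sFlow, if available


def average_daily_events(src: LogSource) -> float:
    """Average of the 7-day measurement; shorter samples are refused because they
    miss the weekly pattern the notes want captured."""
    if len(src.daily_events) != 7:
        raise ValueError(f"{src.name}: expected 7 daily measurements, got {len(src.daily_events)}")
    return sum(src.daily_events) / 7


def required_eps(sources: List[LogSource]) -> float:
    """Events per second the system must handle: the measured average is only 80%
    of capacity, so 100 EPS measured becomes 125 EPS required, as in the notes."""
    avg_eps = sum(average_daily_events(s) for s in sources) / SECONDS_PER_DAY
    return avg_eps / PEAK_HEADROOM


def daily_flow_bytes(link: NetworkLink) -> float:
    """Measured flow volume when flow accounting exists; otherwise assume the link
    carries 70% of its bandwidth for the whole day."""
    if link.measured_daily_bytes is not None:
        return float(link.measured_daily_bytes)
    return link.bandwidth_bps / 8 * ASSUMED_UTILIZATION * SECONDS_PER_DAY


def daily_storage_bytes(sources: List[LogSource], links: List[NetworkLink]) -> float:
    """Average daily log plus flow volume, scaled by the same 80% headroom rule."""
    log_bytes = sum(average_daily_events(s) * s.avg_event_bytes for s in sources)
    flow_bytes = sum(daily_flow_bytes(link) for link in links)
    return (log_bytes + flow_bytes) / PEAK_HEADROOM


def storage_plan(sources: List[LogSource], links: List[NetworkLink],
                 retention_days: int, copies: int = 1) -> dict:
    """Split the regulatory retention into online (first 90 days) and offline
    storage; `copies` accounts for HA or backup requirements that multiply storage."""
    per_day = daily_storage_bytes(sources, links) * copies
    online_days = min(retention_days, ONLINE_DAYS)
    return {
        "per_day_bytes": per_day,
        "online_bytes": per_day * online_days,
        "offline_bytes": per_day * (retention_days - online_days),
    }


if __name__ == "__main__":
    # Constructed: one source averaging exactly 100 EPS, one 100 Mbit/s link without
    # flow accounting, 2 years of retention kept in two copies for backup.
    sources = [LogSource("aix-cluster", [8_640_000] * 7, avg_event_bytes=300)]
    links = [NetworkLink("dmz-uplink", bandwidth_bps=100_000_000)]
    print(f"required EPS: {required_eps(sources):.0f}")
    for key, value in storage_plan(sources, links, retention_days=730, copies=2).items():
        print(f"{key}: {value / 1e9:.1f} GB")
```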
Reports
• IT security frameworks, like ISO 27001, specify that an analysis of logs must occur daily and that
monitoring must occur frequently
• The IT security policy controls must be evaluated and an analysis must be made if the reports can
support the implementation of the controls
• The resulting list of reports has to be mapped to the IT systems in scope
• Determine how much logdata per report must be processed to produce the report
• Determine the maximum number of investigations running at the same time
The resulting numbers have an impact on the performance of the Security Intelligence solution and they
will be used to determine the necessary computing performance of the system
In addition, the required reports dictate the audit configurations and, thus, the daily amount of logging
data
Reports
Log and flow data are largely needed for the reports. It is therefore important to know
which reports and use cases are required. In our example we are using the ISO/IEC 27001/2 2013
framework in combination with the Common Criteria certification requirements regarding auditing
to determine how frequently the reports must be generated and which reports must be generated,
and finally what information must be presented in the reports to support the execution of the
security controls. In other words, you have to determine the reports and their contents for each use
case.
Once this is determined, you can specify how much data on average will be processed by
each report. This number is a reference for the Security Intelligence system to produce the report within the
required performance metrics. Another important parameter for these performance metrics is the
number of concurrent queries that will run on the system. Even if all the SOC members investigate
incidents at the same time, the system must perform within the required metrics.
Therefore, when documenting the functional requirements for reporting, also consider documenting
the expected amount of data for each report. But most important is of course to determine the
required reports and how the data sources must be configured to provide the necessary information
in the reports. In the following pages we assume that the organization has no use cases or report
requirements, so we use the Common Criteria to define report requirements.
In this example we assume that the organization deploys AIX 5L systems that are considered
critical and must be integrated in the Security Intelligence system. But the organization has no idea
what and how to monitor on these systems. Therefore we turn to the Common Criteria standard to learn
about the AIX 5L system and find guidelines on what might be of interest to monitor on these
systems. To start, we turn again to the Security Functional Requirements CCPART2V3.1R3
document, as we discussed on page 22. As said, this document contains audit recommendations for
the different controls required by Common Criteria. For this example, locate the audit
recommendations for the FDP_ACF.1 class as shown below:
SFP stands for Security Function Policy. So this control requires that, if the system is meant to meet
the audit controls requirement as defined by Common Criteria, then requests to make changes to
the security configuration of the system must be auditable. Systems that are Common Criteria
EAL-4 certified all meet the FAU_GEN class requirements. So the challenge is to find out for such a
system how it should be configured to meet the requirements, or in other words, how the audit
subsystem works and how it must be configured. Most Security Target documents only state that
the system does meet the FAU_GEN class requirements, but do not inform how it meets the
requirement. The information we are looking for is often made available in the product
documentation, sometimes very accessible as for IBM AIX, Oracle database, DB2 database, and
Red Hat systems, and sometimes harder to find. But a good start is to search the INTERNET for the
keywords "<system name>", "security", "guide", "audit". For example, a search for "windows 2012
security guide audit" will eventually lead to the page
https://technet.microsoft.com/library/dn319078.aspx
In the example on the slide we searched for IBM AIX 5L, which leads us to the IBM Redbooks. The
system security guides explain how to use and configure system auditing and the Common Criteria
informs what to audit. You have to combine these two sources of information to produce your macro
and micro design building blocks for event collection and logging.
From the IBM Redbook you can learn that to audit IBM AIX properly, you must configure the
auditbin daemon, and not just rely on AIX syslog messages or the accounting system. (This is also
emphasized in the Common Criteria Security Target document, as shown on the next pages.) Luckily
the Common Criteria Security Target document for AIX 5L contains a table that maps Common
Criteria FAU_GEN class requirements to event names that are used to configure the AIX auditbin
daemon. In the slide above, the table informs us that any modification made to the system
time can be audited by configuring the PROC_Adjtime event name. It is not always as simple as
shown in this example. In most cases you will have to figure out yourself what system audit
configuration is required to audit changes to system times: first by determining how the audit
subsystem reports on system time modifications, which event IDs/names/types represent the
actions, and then by determining how the audit subsystem must be configured to audit
such actions.
Uempty
You will not always find details about system audit configuration in the Common Criteria Security
target document. But if you do, use it as a reference for further investigation. Remember that the
Security Target document has been produced with the help of the system developer and therefore it
should contain reliable information.
Uempty
When you use the system security guides on auditing, make sure that they have been produced
and are supervised by the system developer. There are many firms and individuals that share their
own finding on system audit configurations. Some, like National Institute of Standards and
technolog (NIST), Bundesamt für Sicherheit in der Informationstechnik (BSI) are highly regarded
institutes where you will find excellent reference material.
Uempty
When designing the collection of network flows and network packets for network forensics, first
determine the level of information required by the use cases and reports. Does the organization
require insight into the actual data that has been communicated? If not, it might be sufficient to
collect network accounting flows, if available. If Internet traffic must be monitored, make sure that
the Security Intelligence system is capable of combining outbound and inbound traffic into
communication sessions; otherwise it will be very hard to analyze the flow information.
A major concern when collecting network flow information is the amount of data that is collected
and must be archived. As with system data sources, apply a 7-day collection window to assess the
average daily amount of network flow information that the Security Intelligence system must be
able to process.
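The session-combining requirement above is easy to state and easy to get wrong, because NetFlow, IPFIX and similar exporters report each direction of a conversation as a separate record. The following is an added example, not code from this course or from any IBM product: it pairs unidirectional records that share a 5-tuple into bidirectional sessions and flags the one-sided ones (blocked, scanned or half-open). The record layout, the "first direction seen is the client" heuristic and the sample records are all constructed for the example.

```python
"""Stitch unidirectional flow records into bidirectional sessions.

Added example, not code from the course or from QRadar. Exporters emit one
record per direction, so an HTTPS request and its response arrive as two
flows; a Security Intelligence system has to pair them before traffic can be
analysed as sessions. Record layout and sample records are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, as an exporter would emit it."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: int       # 6 = TCP, 17 = UDP
    start: float     # epoch seconds of the first packet in the flow
    packets: int
    bytes: int


@dataclass
class Session:
    """Both directions of one conversation; 'client' is the side seen first."""
    client: str
    client_port: int
    server: str
    server_port: int
    proto: int
    first_seen: float
    bytes_out: int = 0      # client -> server
    bytes_in: int = 0       # server -> client
    packets_out: int = 0
    packets_in: int = 0
    bidirectional: bool = False


def session_key(f: Flow) -> Tuple:
    """Direction-independent key: both endpoints in a fixed order plus protocol."""
    a, b = (f.src, f.sport), (f.dst, f.dport)
    return (min(a, b), max(a, b), f.proto)


def stitch(flows: List[Flow]) -> List[Session]:
    """Pair outbound and inbound records that share a 5-tuple into sessions.

    Records are processed in start-time order, so the earlier direction is
    taken to be the client. Real deployments also use the exported TCP flags
    (a SYN without ACK marks the initiator); that refinement is left out here.
    """
    sessions: Dict[Tuple, Session] = {}
    for f in sorted(flows, key=lambda x: x.start):
        key = session_key(f)
        s = sessions.get(key)
        if s is None:
            s = Session(f.src, f.sport, f.dst, f.dport, f.proto, f.start)
            sessions[key] = s
        if (f.src, f.sport) == (s.client, s.client_port):
            s.bytes_out += f.bytes
            s.packets_out += f.packets
        else:
            s.bytes_in += f.bytes
            s.packets_in += f.packets
            s.bidirectional = True
    return sorted(sessions.values(), key=lambda x: x.first_seen)


def unanswered(sessions: List[Session]) -> List[Session]:
    """Sessions with traffic in one direction only: blocked, scanned or half-open."""
    return [s for s in sessions if not s.bidirectional]


# Constructed sample: one HTTPS conversation exported as two records, and one
# DNS query that never got a reply. Addresses are private/RFC 5737 test ranges.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 51234, "203.0.113.10", 443, 6, 1000.0, 12, 2400),
    Flow("203.0.113.10", 443, "10.0.0.5", 51234, 6, 1000.1, 10, 53000),
    Flow("10.0.0.7", 40000, "198.51.100.9", 53, 17, 1005.0, 1, 72),
]


if __name__ == "__main__":
    for s in stitch(SAMPLE_FLOWS):
        arrow = "<->" if s.bidirectional else "-->"
        print(f"{s.client}:{s.client_port} {arrow} {s.server}:{s.server_port}/{s.proto} "
              f"out={s.bytes_out}B in={s.bytes_in}B")
```

Running it prints one line per session rather than one per record; the byte ratio (2.4 KB out, 53 KB in) is the kind of per-session figure that is meaningless on unidirectional records but immediately useful for exfiltration or download use cases.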
Regarding the use of SPAN versus TAP ports for network forensic evidence, consider the following:
SPAN
• The device that provides the SPAN port may drop packets if the replication requires too many
resources.
• Frame interaction timing is affected by spanning.
• Corrupt packets and undersized (below minimum size) packets are dropped by the SPAN port.
TAP
• TAPs duplicate all packets, including corrupted and undersized packets.
• TAPs must be positioned on the ingress side of the device to duplicate all traffic.
It should be clear that when network flow information is needed as legal evidence, this can only be
achieved by using TAPs: any possible modification to, or incompleteness of, the captured network
data is not acceptable.
Note: Check the NIST publication referenced on page 45 to learn more about network forensics
and network sniffing techniques.
Vulnerability Information
• To produce a proper risk and threat assessment, the Security Intelligence solution requires access to
vulnerability information for all assets within the scope of the solution
• Document the available vulnerability information sources, such as VA scanners and web application
security testing tools
• Ideally the Security Intelligence solution uses the vulnerability information in combination with the
possible network exposure of the asset to known threats; this item may need to be included in the
non-functional requirements
Note: This requires integration with network device management tools to include firewall and router
configuration information in the risk and threat assessment by the Security Intelligence solution
• If asset management information from a Configuration Management Database (CMDB) can be
combined with vulnerability information managed by the Security Intelligence solution, the threat and
risk assessment might be more complete and more valuable; integration with a CMDB is not
necessary, but it is encouraged
When defining the architectural requirements regarding the use of vulnerability data, consider
requiring that the vulnerability data is used in context. This means that the Security Intelligence
system must combine the vulnerability data with network device configuration and network
topology information: the topology to determine the logical location of the systems for which
vulnerability data is available, and the device configuration to determine what types of network
flows can reach those systems. For example, a system with the Shellshock vulnerability may not
be reachable from the Internet because the firewalls protecting its network segment do not allow
SSH and Telnet connections. Although the system has a critical vulnerability, the risk of it being
exploited on this system is therefore relatively low. A Security Intelligence system that can
combine vulnerability data in this manner is much more effective in helping the SOC to identify the
actual risk of an incident.
Besides network device configuration and network topology, any asset information is also very
useful. If the Security Intelligence system knows what software, ports and patch level are present
on the system, it can combine this information with the vulnerability data as well and give the SOC
better information to assess the actual risk of an incident.
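To make the "vulnerability in context" argument concrete, here is an added example (not code from this course or from any IBM product) that scores scanner findings against an ordered firewall ruleset and CMDB-style asset facts. The hosts, rules, scaling factors and the Internet source address are constructed for illustration; the two CVE identifiers are the real Shellshock and Heartbleed entries with their CVSS v2 base scores, used only because the text mentions Shellshock. The point is the resulting order, not the absolute numbers.

```python
"""Score vulnerabilities in network and asset context.

Added example, not code from the course or from any IBM product. It
combines the three inputs the text asks the Security Intelligence system to
correlate: scanner findings (CVSS base score and the vulnerable port), the
firewall rules that decide whether that port is reachable from the Internet,
and asset facts (listening ports, business criticality) as a CMDB holds
them. Hosts, rules, weights and the Internet source address are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float            # base score as reported by the VA scanner (0.0-10.0)
    port: int              # port of the vulnerable service


@dataclass(frozen=True)
class FirewallRule:
    src: str               # CIDR of the source; 0.0.0.0/0 is used here for the Internet
    dst: str               # CIDR of the protected segment
    port: Optional[int]    # None matches any destination port
    action: str            # "allow" or "deny"


@dataclass(frozen=True)
class Asset:
    ip: str
    listening_ports: FrozenSet[int]
    criticality: float     # 1.0 = ordinary system, 2.0 = business critical (from CMDB)


def reachable(rules: List[FirewallRule], src_ip: str, dst_ip: str, port: int) -> bool:
    """First-match evaluation of an ordered ruleset with an implicit final deny."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.port in (None, port):
            return r.action == "allow"
    return False


# Constructed weights: lack of exposure and a dead service scale the base score down.
INTERNET_SRC = "198.51.100.1"     # stands for "any address outside the organisation"
UNREACHABLE_FACTOR = 0.2
NOT_LISTENING_FACTOR = 0.1


def contextual_score(f: Finding, asset: Asset, rules: List[FirewallRule]) -> float:
    exposure = 1.0 if reachable(rules, INTERNET_SRC, f.host, f.port) else UNREACHABLE_FACTOR
    # A finding for a service that is not listening is stale or not network-exploitable.
    listening = 1.0 if f.port in asset.listening_ports else NOT_LISTENING_FACTOR
    return round(f.cvss * exposure * listening * asset.criticality, 2)


def prioritize(findings: List[Finding], assets: List[Asset],
               rules: List[FirewallRule]) -> List[Tuple[float, Finding]]:
    """Findings ordered by contextual score, highest first."""
    by_ip = {a.ip: a for a in assets}
    scored = [(contextual_score(f, by_ip[f.host], rules), f) for f in findings]
    return sorted(scored, key=lambda t: t[0], reverse=True)


# Constructed environment: a DMZ web server and a business-critical internal host.
ASSETS = [
    Asset("192.0.2.10", frozenset({22, 443}), 1.0),
    Asset("10.10.5.20", frozenset({22}), 2.0),
]
RULES = [
    FirewallRule("0.0.0.0/0", "192.0.2.0/24", 443, "allow"),   # Internet -> DMZ HTTPS only
    FirewallRule("0.0.0.0/0", "192.0.2.0/24", None, "deny"),
    FirewallRule("0.0.0.0/0", "10.10.0.0/16", None, "deny"),    # nothing reaches the LAN
]
FINDINGS = [
    Finding("192.0.2.10", "CVE-2014-0160", 5.0, 443),   # Heartbleed, CVSS v2 5.0, exposed
    Finding("192.0.2.10", "CVE-2014-6271", 10.0, 22),   # Shellshock via SSH, port blocked
    Finding("10.10.5.20", "CVE-2014-6271", 10.0, 22),   # Shellshock on the internal host
    Finding("10.10.5.20", "CVE-2014-6271", 10.0, 23),   # reported for telnet, not listening
]

if __name__ == "__main__":
    for score, f in prioritize(FINDINGS, ASSETS, RULES):
        print(f"{score:5.2f}  {f.host}:{f.port:<4} {f.cve} (base {f.cvss})")
```

The scanner alone would put the three CVSS 10.0 findings on top. With the firewall rules and listening ports taken into account, the Internet-exposed Heartbleed finding ranks first, the critical internal host second, and the finding for a service that is not even listening last. That reordering is exactly what the SOC needs when deciding which offense to work first.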
Other integrations
• The use cases imply the required integration between the Security Intelligence solution and ticket
management systems; describe the prerequisites for the Security Intelligence solution to interact
with the ticketing system; this interaction can go both ways
  • Forwarding incidents from the Security Intelligence solution to the ticketing system
  • Updating security incident findings in the Security Intelligence solution after incident response processing
• The functional requirements might contain use cases that require access to the Security Intelligence
solution to be granted through a user directory; in this case, document the following details
  • Connection requirements for the user directory
  • Account and password policies or general authentication mechanism requirements
• Another non-functional requirement regarding the integration with user directories is the use of user
account and group information to improve the Security Intelligence reports and security policy rules
  • Document the user directory structures that have to be queried and the required connection method, such as
LDAP and AD
Organizations with a SOC and an IRT will probably also use ticketing systems, change
management systems and human resources systems, integrated with their user directories. To
optimize the workflow between the SOC, IRT and HR departments, the Security Intelligence
system could be integrated with all of these systems. Therefore find out whether incidents
identified by the SOC can be fed into the ticketing system, how this should be done, and what
information must be made available from the Security Intelligence system.
A human resources life cycle management system can be very useful for the Security Intelligence
system. Imagine that a new employee is assigned a computer account and the HR system
instructs the user directory to create the account and assign the necessary privileges and
authorities. Assuming that the user directory supports an LDAP structure, this information can be
used by the Security Intelligence system to automatically modify the (correlation) filter rules so that
the new user account's actions are monitored according to the official account configuration.
Likewise, if an employee is about to leave the organization, the HR system might label the account
as critical. This information can again be used by the Security Intelligence system to apply elevated
monitoring to such accounts. Take all of this into account when defining the integration
requirements for the Security Intelligence system.
Security Intelligence Design (Macro & Micro): key delivery activities
Phase 1: Data collection
Tasks:
Collect, interview and/or perform workshops to elaborate on IT processes such as incident,
problem, and change
Gather security intelligence system requirements:
o monitoring use cases
o normalization
o dashboard, views, and reporting
o correlation
o asset vulnerability information
o asset classification profiles
o forensic data collection
o network device configuration
o customization requirements
o integration targets (ticketing, identity, ..)
Phase 2: Document detailed use cases and requirements
Tasks:
Define, document, and map detailed use cases, including any custom data source requirement
Define, document, and map functional requirements:
o logging level specifications for: event collection protocols and methods, storage, system access,
reporting
Define, document, and map non-functional requirements:
o monitoring, reporting, retention
o regulatory and contractual considerations
o high availability and disaster recovery
o success criteria for target state
Phase 3: High level macro design
Tasks:
Develop architecture overview diagram and description
Document architectural decisions
Update component model and develop macro system design:
o data/event sources and phased integration plan
o data/event source collection
o firewall rulesets
o asset risk weighting criteria
o alert classification criteria
o compliance groupings for assets
o vulnerability scanner usage, configuration, and frequency
o vulnerability management
o customization requirements
o dashboard requirements
o user accounts and roles
Develop design document at macro level
Phase 4: Detailed and physical micro design
Tasks:
Identify and document additional architecture details, including physical design
Define at the micro system design level:
o updates to use cases
o network topology (including risk weighting) and associated objects
o systems and process integration
o hardware compatibility
Document interface as well as customization and configuration specifications
Update design document at micro level
Phase 5: Review and finalize design
Tasks:
Review and finalize design with client stakeholders, SI operations team, and additional QA team as
needed
Develop system test plan
Conduct deployment planning and update project plan
This brings us to the end of this unit. We have discussed the first two phases of the Security
Intelligence Design step. This should give you a good introduction to the methods we use,
ISO/IEC, O-ESA, TOGAF and Common Criteria, and how we apply them in the design step. As said,
the last three phases detail the information gathered in the first two. You will have to decide on
your own what the format of the building blocks and work products, also known as artifacts, will be.
Chances are high that the format has already been decided by the organization and you will have
to use its templates for your work products and building blocks.
Exercise introduction
Complete the following exercise in the Student Exercises book
• Determine Logging and Event Collection requirements for a Common Criteria baseline
applied to the Windows 2008 R2 platform
Notes:
• Assume all Windows machines must be hardened according to the Common Criteria
standard; provide all information required for the following documents of 'Security
Intelligence Design (Macro & Micro) – Activity Details'
  • Logging
  • Event Collection
• Use the following documents:
  • MS Windows 2008 CC TOE document
  • Windows_Server_2008_R2_Security_Guide
  • Windows 7 and Windows Server 2008 R2 Security Event Descriptions
Unit summary
• Discuss the high level steps needed to design and implement a Security Intelligence solution
• Describe the detailed activities needed to design and implement a Security Intelligence solution
Unit objectives
• Describe the functional components of a Security Intelligence solution based on the IBM Security
QRadar SIEM solution
• Describe the benefits and value of IBM X-Force threat intelligence in a Security Intelligence solution
• Evaluate a large-scale advanced persistent attack against a US retailer and evaluate how a properly
implemented Security Intelligence solution could have helped to fend off the attackers
In this unit we focus our attention on the IBM QRadar Security Intelligence solution and explain its
functional architecture. To study and understand how a Security Intelligence solution works, we
examine each component on its own and how data and information are exchanged in the overall
system. We also consider the importance of integrating an external, real-time threat intelligence
feed.
We finish this course with an examination of a real-world large-scale attack against a US-based
retail company.
Lesson 1 Building a foundation through
centralized Security Intelligence
management - IBM QRadar SIEM
Functional architecture
[Figure: QRadar Security Intelligence Operating System (SIOS): Normalization, Analytics Engine,
Warehouse, Archival]
The IBM QRadar Security Intelligence solution delivers a “One Console Security” through a long
planned and carefully developed strategy to build an operating system approach to Security
Intelligence.
QRadar SIOS - the Security Intelligence Operating System - powers the QRadar family of security
intelligence products. QRadar SIOS is the foundation of the industry's first total Security Intelligence
Platform, a common framework for collecting, warehousing, filtering, analyzing and reporting on all
security intelligence telemetry.
This integrated solution is the platform for risk management, SIEM, log management, and
network and application activity monitoring, as well as new products to be delivered.
The benefits of the Security Intelligence Operating System include the following capabilities:
• Convergence – by consolidation of previously siloed monitoring and analysis capabilities
• Simplicity - by delivering multiple functions within a common user experience
• Scalability – by providing expansion capabilities for the largest infrastructures
No matter how many QRadar applications are leveraged, or how many appliances constitute a
deployment, all capabilities are leveraged through a single, Web-based console – with all the
associated benefits that a common interface delivers in terms of speed of operation, transference of
skills, ease of adoption, and a universal learning curve.
This example showcases the integration of the QRadar console with QRadar Vulnerability
Manager.
Designed to integrate log management, SIEM, vulnerability and risk management, and incident
forensics into one solution, the QRadar Security Intelligence solution can deliver log management
at large scale without any compromise on SIEM "intelligence".
QRadar analysts can switch from log events to network flows, to risk and compliance policy reports
and prioritized lists of network-wide vulnerabilities, and to complete analysis of an incident after an
offense has occurred. This allows an organization to reduce the time before an initial breach is
detected and to stop the attack before the actual exploitation succeeds.
IBM Security QRadar SIEM can analyze tremendous amounts of data (logs, network flows) and
uses context to transform it into useful, actionable information as is depicted in this slide.
Here is what security analysts can see when they begin to investigate an offense record triggered
by a correlation rule. The analysts can quickly investigate the who, what and where behind an
offense and quickly determine if it is a legitimate threat or a false positive.
IBM Security QRadar SIEM provides strong event management and analysis capabilities and is
very effective in detecting threats because it can collect a broad range of data, analyze it, and
apply context from an extensive range of sources. This helps to reduce false positives, report on
actual exploits, and show what kind of activity is taking place, which results in faster threat
detection and response.
QRadar continuously monitors data sources across the IT infrastructure, leveraging the full context
in which systems are operating. That context includes security and network device logs,
vulnerabilities, configuration data, network traffic telemetry, application events and activities, user
identities, assets, geo-location, and application content.
This activity generates a staggering amount of data, which makes the automation in QRadar very
important because it can correlate this large amount of data down to a small number of actionable
offenses.
QRadar SIEM leverages this data to establish very specific context around each potential area of
concern, and uses sophisticated analytics to accurately detect more and different types of threats.
For example, a potential exploit of a web server reported by an intrusion detection system can be
validated by unusual outbound network activity detected by QRadar.
QRadar uses intelligence, automation, and analytics to provide actionable security information,
including the number of targets involved in a threat, who was responsible, what kind of attack
occurred, whether it was successful, the vulnerabilities involved, evidence for forensics, and so on.
While log events are critical, they can leave gaps in visibility. Attackers who compromise an IT
system frequently disable or tamper with logging to cover their tracks, and a traditional SIEM that
relies on logs alone is blind at that point. An attacker cannot disable the network, however, without
cutting themselves off as well.
In addition to providing full network traffic visibility, network activity passively builds up an asset
database and profiles your assets. For example, an IT system that has answered a request on
port 53 UDP is almost certainly a DNS server, and a system that accepts connections on ports
139 or 445 TCP is most likely a Windows server (or another host serving SMB).
Adding application detection confirms this not only at the port level, but at the application data
level as well.
The IBM QRadar Security Intelligence solutions can be delivered in the following form factors:
• Hardware appliance
• Software, that an organization may install on their self-provided appliances
• Virtual appliance, that is deployed in a virtual machine form (for example, VMware ESX server)
Deployment models
All-in-One: a single appliance used to collect events and flow data from various security and
network devices, perform data correlation and rule matching, report on alerts and threats, and
provide all administrative functions through a web browser
Distributed deployment: multiple appliances for different purposes
• Event Processor (16XX) to collect, process, and store log events
• Flow Processor to collect, process, and store several kinds of flow data generated from network
devices; an optional QFlow Collector (12XX/13XX) is used to collect Layer 7 application data
• Console to correlate data from managed processors, generate alerts and reports, and provide all
administrative functions
Based on the different form factors introduced in the previous slide, different appliance models are
available to address different deployment models. The selection depends on the amount of
collected and processed events, data storage estimations, high availability and disaster recovery
requirements, organizational network topology, and other factors.
This course material will not pay any closer attention to the currently available exact configurations
and models.
Lesson 2 Building a foundation through
centralized Security Intelligence
management - IBM QRadar SIEM
Component architecture
Architecture overview
• High-level architecture
• Flow Collector (FC)
• Event Collector (EC)
• Event Processor (EP)
• Console
High-level architecture
• Flow and event data is stored in the Ariel database on the Event Processors; if accumulation is
required, accumulated data is stored in the Ariel accumulation database. As soon as data is stored,
it cannot be changed (tamper proof)
• Offenses, assets, and identity information are stored in the master PostgreSQL database on the
Console. Scalability and performance are managed through bulk insert and update transactions
and by populating memory caches to avoid numerous round trips to the database. This provides
one master database with copies on each processor for backup and automatic restore
• Secure SSH communication between appliances in a distributed environment is supported
[Figure: Console (console services: user interface, Magistrate, reporting; PostgreSQL: identity,
asset, offense) above an Event Processor (Ariel: flows, events, accumulations), which is fed by a
Flow Collector and an Event Collector]
Flow Collector (FC)
A network flow record provides information about a conversation between two devices using a
specific protocol and can include many fields that describe the conversation. Examples include the
source IP, the destination IP, the port, and other fields.
Up to a configurable number of bytes, QFlow provides layer 7 insights into the payload if it is
unencrypted. Using a tap or span port, QFlow collects raw packets and places them into 60-second
chunks. QFlow can also receive layer 4 flows from other network devices in IPFIX/NetFlow, sFlow,
J-Flow, Packeteer, and Flowlog file accounting technologies.
Application detection
Methods of determining the application of the flow
• User defined
This method is mainly used when users have a proprietary application running on their network
For example: All traffic going to host 10.100.100.42 on port 443 is recognized to be MySpecialApplication
• State-based decoders
This method is implemented in the source code and determines the application by analyzing the payload for
multiple markers
For example: If we see A followed by B then application = X; if we see A followed by C, then application = Y
• Signature matching
Basic string matching in the payload
Custom signatures are allowed (see Application Configuration Guide for signature customization)
• Port-based matching (port 80 = http, and so on)
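The four methods above differ in how much they trust the packet. The following added example (not QRadar's code) shows why that matters: the methods are tried from most to least specific, so SSH carried on port 443 is reported as SSH rather than HTTPS, a one-sided capture still matches a signature, and the port is used only when nothing better is available. That ordering, the mappings, the signature list and the sample flows are constructed for this example; only the HTTP, SSH and TLS markers are real protocol features.

```python
"""Identify the application carried by a flow using the four methods listed.

Added example, not QRadar's code. Methods are tried from most to least
specific: a user-defined mapping, state-based decoders that need markers in
order across both directions, plain signature matching, and finally the
destination port. Mappings, signatures and sample flows are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    dst: str
    dport: int
    client_payload: bytes     # first bytes sent by the initiator (empty if not seen)
    server_payload: bytes     # first bytes sent back (empty if not seen)


# Method 1: user-defined, e.g. a proprietary application at a fixed address and port.
USER_DEFINED: Dict[Tuple[str, int], str] = {("10.100.100.42", 443): "MySpecialApplication"}

# Method 2: state-based decoders: marker A in one direction, then marker B in the other.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def decode_http(client: bytes, server: bytes) -> Optional[str]:
    """A request line from the client followed by a status line from the server."""
    if client.startswith(HTTP_METHODS) and server.startswith(b"HTTP/1."):
        return "HTTP"
    return None


def decode_ssh(client: bytes, server: bytes) -> Optional[str]:
    """Both sides exchange an SSH version banner before anything else."""
    if client.startswith(b"SSH-") and server.startswith(b"SSH-"):
        return "SSH"
    return None


STATE_DECODERS: List[Callable[[bytes, bytes], Optional[str]]] = [decode_http, decode_ssh]

# Method 3: signatures: one string anywhere in either direction.
SIGNATURES: List[Tuple[bytes, str]] = [
    (b"SSH-", "SSH"),
    (b"HTTP/1.", "HTTP"),
    (b"\x16\x03", "TLS"),     # TLS record header: handshake (0x16), version 3.x
]

# Method 4: port-based fallback.
PORTS: Dict[int, str] = {22: "SSH", 25: "SMTP", 53: "DNS", 80: "HTTP", 443: "HTTPS"}


def identify(flow: Flow) -> Tuple[str, str]:
    """Return (application, method that decided it)."""
    app = USER_DEFINED.get((flow.dst, flow.dport))
    if app:
        return app, "user-defined"
    for decoder in STATE_DECODERS:
        app = decoder(flow.client_payload, flow.server_payload)
        if app:
            return app, "state-based"
    for marker, app in SIGNATURES:
        if marker in flow.client_payload or marker in flow.server_payload:
            return app, "signature"
    return PORTS.get(flow.dport, "unknown"), "port"


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("10.100.100.42", 443, b"\x16\x03\x01\x00\xc4", b"\x16\x03\x03\x00\x5a"),
    Flow("192.0.2.10", 443, b"SSH-2.0-OpenSSH_8.4\r\n", b"SSH-2.0-OpenSSH_8.4\r\n"),  # SSH on 443
    Flow("192.0.2.10", 8080, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),
    Flow("192.0.2.10", 443, b"\x16\x03\x01\x00\xc4", b"\x16\x03\x03\x00\x5a"),
    Flow("192.0.2.11", 25, b"", b""),                                          # payload not captured
    Flow("192.0.2.12", 8443, b"", b"HTTP/1.1 403 Forbidden\r\n"),              # only the reply seen
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        app, how = identify(f)
        print(f"{f.dst}:{f.dport:<5} {app:<22} ({how})")
```

The second sample is the one to remember: a port-only classifier labels it HTTPS and a signature classifier labels it SSH, but only the state-based decoder can say that both peers actually completed the banner exchange, which is the difference between "someone sent an SSH string" and "an SSH session was established on a web port".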
Superflows
• Types of superflows
Type A
Single SRC, Multiple DST – Same DST Port (TCP/UDP), byte count, SRC flags/ICMP Codes
(for example, network sweeps)
Type B
Multiple SRC, Single DST – Same DST Port (TCP/UDP), byte count, SRC flags/ICMP Codes
(for example, DDoS attacks)
Type C
Single SRC and DST, TCP/UDP Only, Changing SRC/DST ports
(for example, port scans)
• Only store the single flow with the collection of IP addresses
• Specific rule tests can leverage the flow type to determine if an offense needs to be created
• Creation of superflows can be disabled
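The three superflow shapes are easier to see in code than in prose. The following is an added example, not code from the course or from QRadar: it groups flows by the attributes a type A, B or C superflow requires to be equal, keeps a group only when the attribute that is supposed to vary (destination, source, or port pair) takes enough distinct values, and stores a single record carrying the set of addresses or ports instead of one record per flow. The grouping threshold and the sample flows are constructed for the example.

```python
"""Collapse groups of similar flows into superflows.

Added example, not code from the course material or from QRadar. Type A:
one source, many destinations, same destination port, byte count and flags
(a network sweep). Type B: many sources, one destination, same port, byte
count and flags (a flood). Type C: one source and destination over TCP/UDP
with changing ports (a port scan). Threshold and sample flows are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int            # 6 = TCP, 17 = UDP, 1 = ICMP
    bytes: int
    flags: str = ""       # TCP flags, or ICMP type/code, as exported


@dataclass
class Superflow:
    kind: str             # "A", "B" or "C"
    proto: int
    flow_count: int
    srcs: Set[str] = field(default_factory=set)
    dsts: Set[str] = field(default_factory=set)
    ports: Set[Tuple[int, int]] = field(default_factory=set)   # (sport, dport) pairs


MIN_DISTINCT = 3   # constructed threshold: distinct targets needed to form a superflow

# (kind, attributes shared by all members, attribute that must vary across members)
_SHAPES: List[Tuple[str, Callable[[Flow], tuple], Callable[[Flow], object]]] = [
    ("A", lambda f: (f.src, f.dport, f.proto, f.bytes, f.flags), lambda f: f.dst),
    ("B", lambda f: (f.dst, f.dport, f.proto, f.bytes, f.flags), lambda f: f.src),
    ("C", lambda f: (f.src, f.dst, f.proto), lambda f: (f.sport, f.dport)),
]


def build_superflows(flows: List[Flow]) -> Tuple[List[Superflow], List[Flow]]:
    """Return (superflows, flows that did not aggregate). A flow joins at most one superflow."""
    remaining = set(range(len(flows)))
    result: List[Superflow] = []
    for kind, key_of, varies in _SHAPES:
        groups: Dict[tuple, List[int]] = defaultdict(list)
        for i in sorted(remaining):
            f = flows[i]
            if kind == "C" and f.proto not in (6, 17):
                continue                      # type C is defined for TCP/UDP only
            groups[key_of(f)].append(i)
        for idxs in groups.values():
            members = [flows[i] for i in idxs]
            if len({varies(f) for f in members}) < MIN_DISTINCT:
                continue                      # too few distinct targets: keep as single flows
            sf = Superflow(kind, members[0].proto, len(members))
            sf.srcs = {f.src for f in members}
            sf.dsts = {f.dst for f in members}
            sf.ports = {(f.sport, f.dport) for f in members}
            result.append(sf)
            remaining.difference_update(idxs)
    return result, [flows[i] for i in sorted(remaining)]


# Constructed sample: an SMB sweep, a SYN flood, a port scan and one ordinary session.
SAMPLE_FLOWS = (
    [Flow("10.0.0.9", f"10.0.1.{n}", 40000 + n, 445, 6, 60, "S") for n in range(1, 6)]
    + [Flow(f"198.51.100.{n}", "192.0.2.10", 1024 + n, 80, 6, 40, "S") for n in range(1, 5)]
    + [Flow("10.0.0.9", "10.0.2.7", 50000 + p, p, 6, 60, "S") for p in (21, 22, 23, 25, 80)]
    + [Flow("10.0.0.5", "203.0.113.10", 51234, 443, 6, 2400, "SA")]
)

if __name__ == "__main__":
    superflows, leftover = build_superflows(SAMPLE_FLOWS)
    for sf in superflows:
        print(f"type {sf.kind}: {sf.flow_count} flows, {len(sf.srcs)} src, "
              f"{len(sf.dsts)} dst, {len(sf.ports)} port pairs")
    print(f"{len(leftover)} flow(s) kept individually")
```

Fifteen input records become three superflow records plus one ordinary flow, which is the storage saving the slide refers to; the sets kept on each record are what a rule test would inspect to decide whether the sweep or scan deserves an offense.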
• If the overflow buffer fills up, the additional flows are dropped
Event Collector (EC)
[Figure: log sources feeding the Event Collector]
• Log source autodetection is carried out only for event protocols that are "pushed" to the Event
Collector, for example syslog
• The QID (QRadar Identifier) is a unique ID to which the event ID extracted from a log source is mapped
• Each QID relates to an event name and description, as well as severity and event category
information
• The event category information is structured into High Level Categories (HLC) and Low Level
Categories (LLC); every QID is linked to one of these low-level categories
For example, "Authentication (HLC) – Admin Login Successful (LLC)" is a category combination
• If the overflow buffer fills up, the additional events are dropped
Event Processor (EP)
• Matched rules might trigger the creation of an offense directly, or create a CRE (Custom Rule
Engine) event that in turn triggers the creation of an offense
• Multiple matched events, flows, and matched rules might correlate into a single offense
• By default, rules are tested against the events or flows received by a single Event Processor (local rules)
• Global Cross Correlation (GCC) allows rules to be tested across multiple Event Processors in the
QRadar SIEM deployment
Accumulator
• Accumulations are defined by “grouped by” searches
• Accumulations create time-series statistical metadata (counts) that is used for the following purposes
Dashboards
Event and flow forensics and searching
Reporting
Anomaly and behavior alerts
Console
Console architecture
• The Magistrate creates and stores offenses in the PostgreSQL database; these offenses are then
brought to the analyst's attention in the interface
• The Magistrate instructs the Ariel proxy to gather information about all events and flows that
triggered the creation of an offense
[Figure: Console components: Custom Rule Engine, Magistrate, Offenses, Assets]
• While rules are tested, they might lead to the creation of an offense
• Pending offenses tag the events and flows as long as the rule that triggered the creation of the offense
remains at least partially matched
[Figure: offense creation. Rules are tested against flows, events and accumulations; partial matches
tag the flows and events; before the offense is created, the Magistrate queries for all matching event
and flow tags to be included; the offense is then created with all tags to the events and flows that
led up to it]
Offense types
• An Open Offense remains an Active Offense as long as the rules that triggered its creation continue to be
matched by events or flows within 30 minutes of the last match; new tags of events or flows are added to
the Active Offense
• If an Open Offense has not found additional matches for more than 30 minutes, it becomes a Dormant Offense
• A Dormant Offense becomes active again when additional matches are found within 5 days after the offense
became dormant; it is then called a Recalled Offense, and new tags of events or flows are added to it
• After a Dormant Offense has not received any matches for 5 days after it became dormant, it turns into an
Inactive Offense
• Open Offenses can be turned into Closed Offenses manually
• If events or flows match an Inactive Offense or Closed Offense, a new Open Offense is created
• A maximum of 2,500 Active Offenses and 500 Recalled Offenses are allowed
• Closed and Inactive Offenses are subject to retention management
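The offense states above form a small state machine, and the transitions are worth tracing once in code because the two timers (30 minutes to dormant, 5 days to inactive) interact in ways that surprise analysts, for instance a match that arrives on day 6 opens a second offense instead of reviving the first. The following is an added example, not QRadar's code: the Magistrate class, its method names and the timeline in the usage block are constructed; the state names and the two intervals are those on the slide.

```python
"""Offense life cycle as a small state machine.

Added example, not QRadar's code. An Open offense stays Active while matches
keep arriving, becomes Dormant after 30 minutes without a match, is Recalled
when a match arrives within 5 days of going dormant, turns Inactive after 5
dormant days, can be Closed manually, and a match against an Inactive or
Closed offense starts a new offense. Class and method names are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

DORMANT_AFTER = 30 * 60            # seconds without a match before an offense goes dormant
INACTIVE_AFTER = 5 * 24 * 60 * 60  # dormant seconds before an offense becomes inactive
OPEN_STATES = ("active", "dormant", "recalled")


@dataclass
class Offense:
    id: int
    rule: str
    last_match: float
    state: str = "active"              # active | dormant | recalled | inactive | closed
    dormant_since: Optional[float] = None
    tags: List[str] = field(default_factory=list)   # events/flows tagged to this offense

    def tick(self, now: float) -> None:
        """Apply the time-based transitions that are due at time 'now'."""
        if self.state in ("active", "recalled") and now - self.last_match > DORMANT_AFTER:
            self.state = "dormant"
            self.dormant_since = self.last_match + DORMANT_AFTER
        if self.state == "dormant" and now - self.dormant_since > INACTIVE_AFTER:
            self.state = "inactive"


class Magistrate:
    """Routes rule matches to an open offense for that rule, or creates one."""

    def __init__(self) -> None:
        self.offenses: List[Offense] = []
        self._next_id = 1

    def _refresh(self, now: float) -> None:
        for o in self.offenses:
            o.tick(now)

    def match(self, rule: str, tag: str, now: float) -> Offense:
        self._refresh(now)
        target = next((o for o in self.offenses
                       if o.rule == rule and o.state in OPEN_STATES), None)
        if target is None:
            # Inactive and closed offenses never receive new matches: start a new one.
            target = Offense(self._next_id, rule, now)
            self._next_id += 1
            self.offenses.append(target)
        elif target.state == "dormant":
            target.state = "recalled"
            target.dormant_since = None
        target.last_match = now
        target.tags.append(tag)
        return target

    def close(self, offense_id: int) -> None:
        """Manual close by an analyst; only open offenses can be closed."""
        for o in self.offenses:
            if o.id == offense_id and o.state in OPEN_STATES:
                o.state = "closed"

    def state_of(self, offense_id: int, now: float) -> str:
        self._refresh(now)
        return next(o.state for o in self.offenses if o.id == offense_id)


if __name__ == "__main__":
    m = Magistrate()
    m.match("ssh-bruteforce", "login-fail#1", 0.0)
    m.match("ssh-bruteforce", "login-fail#2", 600.0)
    print(m.state_of(1, 2460.0))                                    # dormant
    print(m.match("ssh-bruteforce", "login-fail#3", 6000.0).state)  # recalled
    print(m.state_of(1, 7800.0 + INACTIVE_AFTER + 1))               # inactive
    print(m.match("ssh-bruteforce", "login-fail#4", 7800.0 + INACTIVE_AFTER + 100).id)  # 2
```

The constructed timeline shows the consequence for tuning: a slow attacker who pauses for more than five days after the dormant timer starts is no longer correlated into the original offense, so low-and-slow use cases need either a longer retention of the tags or a rule that tests accumulated counts rather than relying on offense continuity.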
Lesson 3 External threat intelligence feeds
You can use the IBM Security X-Force Threat Intelligence service to augment QRadar intelligence
capabilities by feeding it proprietary threat insights, including data on malware hosts, spam sources,
and anonymous proxies. Combining worldwide intelligence from IBM X-Force with security
information and event management (SIEM), log management, anomaly detection, and
configuration and vulnerability management capabilities from QRadar solutions provides
organizations with additional context on security incidents, helping improve prioritization of
incidents that require additional examination—and enabling organizations to prevent or minimize
damaging attacks.
The X-Force research and development team inspects millions of new and updated Internet sites
every day, collects information, categorizes content and identifies those sites that pose a security
danger to an organization.
Example use case from the table on the slide: Spam contamination, detected as a connection from a
non-mail server to a known spam host
X-Force Threat Intelligence provides vulnerability coverage across a wide range of use cases, as
shown in the examples in this table.
By adding the dynamic information from X-Force Threat Intelligence to the analytical capabilities of
the QRadar Security Intelligence solution, organizations can gain more intelligent and accurate
security enforcement. This additional insight from X-Force Threat Intelligence enables QRadar
analysts to apply this valuable data in real time to more closely monitor—and tightly secure—their
environment.
Lesson 4 Real-world large-scale attack
• Target Corporation is an American retailing company, founded in 1902 and headquartered in Minneapolis, Minnesota. It
is the second-largest discount retailer in the United States, Walmart being the largest. The company is ranked 36th on
the Fortune 500 as of 2013 and is a component of the Standard & Poor's 500 index. Its bullseye trademark is licensed
to Wesfarmers, owners of the separate Target Australia chain, which is unrelated to Target Corporation.
• The first Target store was opened in 1962 in Roseville, Minnesota. Target grew and eventually became the largest
division of Dayton Hudson Corporation, culminating in the company being renamed as Target Corporation in August
2000. Target operates 1,916 stores in the United States; it began operations in Canada in March 2013 and operates
127 locations through its Canadian subsidiary. In December 2013, a data breach of Target's systems affected up to
110 million customers.
Source: Wikipedia
Key message here is that when something like the breach happens, it goes down in history – in this
case Wikipedia highlights the attack and that can tarnish a company for years.
In November and December 2013, cyber thieves executed a successful cyber attack against Target, one of the largest retail
companies in the United States. The attackers surreptitiously gained access to Target’s computer network, stole the financial
and personal information of as many as 110 million Target customers, and then removed this sensitive information from Target’s
network to a server in Eastern Europe.
John Mulligan, Target’s Executive Vice President and Chief Financial Officer, testified that his company “had in place multiple
layers of protection, including firewalls, malware detection software, intrusion detection and prevention capabilities and data
loss prevention tools.” He further stated that Target had been certified in September 2013 as compliant with the Payment Card
Industry Data Security Standards (PCI-DSS), which credit card companies require before allowing merchants to process credit
and debit card payments.
Source: “Kill Chain” Analysis of the 2013 Target Data Breach; Committee On Commerce, Science and Transportation
The situation
The key message here is that Target was not an organization that had shirked its
responsibilities. It was PCI compliant and had purchased a number of security products, and yet
the breach still happened.
http://bit.ly/1LxBRJH
• More alerts
• Different areas of the network
• Not correlated with other activity or in the context of the business or network
• Not enough visibility or context
• Still ignored!
• Too late
• Nightmare business scenario unfolds
Note that Target only really became aware when it was notified by the DOJ.
• Nightmare
• Worst case business scenario
Missed opportunities
• Increased incident relevance
• One incident case and analysis workflow
• Integrated forensics: rapid confirmation of the attack
• Massive reduction of the window of exposure
Potential improvements
Unit summary
• Describe the functional components of a Security Intelligence solution based on the IBM Security
QRadar SIEM solution
• Describe the benefits and value of IBM X-Force threat intelligence in a Security Intelligence solution
• Evaluate a large-scale advanced persistent attack against a US retailer and evaluate how a properly
implemented Security Intelligence solution could have been beneficial to fend off the attackers