IBM Security Overview, BP Enablement, 22 Feb 2012, V. Harper
© 2012 IBM Corporation
IBM Security Systems
IBM Security: Intelligence, Integration and Expertise
Vaughan Harper, IBM Security Architect
22 February, 2012
The world is becoming more digitized and interconnected, opening the door to emerging threats and leaks…
EVERYTHING IS EVERYWHERE: Organizations continue to move to new platforms including cloud, virtualization, mobile, social business and more
CONSUMERIZATION OF IT: With the advent of Enterprise 2.0 and social business, the line between personal and professional hours, devices and data has disappeared
DATA EXPLOSION: The age of Big Data, the explosion of digital information, has arrived and is facilitated by the pervasiveness of applications accessed from everywhere
ATTACK SOPHISTICATION: The speed and dexterity of attacks has increased, coupled with new actors with new motivations, from cyber crime to terrorism to state-sponsored intrusions
Targeted Attacks Shake Businesses and Governments
IBM Security X-Force® 2011 Midyear Trend and Risk Report September 2011
[Timeline figure, February to August 2011. Attack types keyed: SQL Injection, URL Tampering, Spear Phishing, 3rd Party SW, DDoS, SecurID, Unknown. Organizations plotted: Sony, Epsilon, L3 Communications, Sony BMG, Greece, US Senate, NATO, AZ Police, Turkish Government, SK Communications, Korea, Monsanto, RSA, HB Gary, Nintendo, Brazil Gov., Lockheed Martin, Vanguard Defense, Booz Allen Hamilton, PBS, SOCA, Malaysian Gov. Site, Peru Special Police, Gmail Accounts, Spanish Nat. Police, Citigroup, Sega, Fox News X-Factor, Italy PM Site, IMF, Northrop Grumman, Bethesda Software. Size of circle estimates relative impact of breach.]
IT Security is a board room discussion
Business results: Sony estimates potential $1B long term impact; $171M / 100 customers*
Supply chain: Epsilon breach impacts 100 national brands
Legal exposure: TJX estimates $150M class action settlement in release of credit / debit card info
Impact of hacktivism: LulzSec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony …
Audit risk: Zurich Insurance Plc fined £2.275M ($3.8M) for the loss and exposure of 46K customer records
Brand image: HSBC data breach discloses 24K private banking customers
*Sources for all breaches shown in speaker notes
Solving a security issue is a complex, four-dimensional puzzle
People: Employees, Consultants, Hackers, Terrorists, Outsourcers, Customers, Suppliers
Data: Structured, Unstructured, At rest, In motion
Applications: Systems applications, Web applications, Web 2.0, Mobile apps
Infrastructure
It is no longer enough to protect the perimeter: siloed point products will not secure the enterprise
In this “new normal”, organizations need an intelligent view of their security posture
[Security Intelligence maturity figure: horizontal axis from Manual to Automated, vertical axis from Reactive to Proactive; three levels, Basic, Proficient, Optimized]
Optimized: Organizations use predictive and automated security analytics to drive toward security intelligence
Proficient: Security is layered into the IT fabric and business operations
Basic: Organizations employ perimeter protection, which regulates access and feeds manual reporting
IBM Security: Delivering intelligence, integration and expertise across a comprehensive framework
Intelligence ● Integration ● Expertise
• Only vendor in the market with end-to-end coverage of the security foundation
• 6K+ security engineers and consultants
• Award-winning X-Force® research
• Largest vulnerability database in the industry
Intelligence: Leading products and services in every segment
Expertise: Unmatched global coverage and security awareness
• 20,000+ devices under contract
• 3,700+ MSS clients worldwide
• 9B+ events managed per day
• 1,000+ security patents
• 133 monitored countries (MSS)
[World Wide Managed Security Services Coverage map, showing Security Operations Centers, Security Research Centers, Security Solution Development Centers, Institute for Advanced Security Branches and IBM Research]
Problem #1: Passwords…
• Most users need to log on to multiple systems to do their job
• It takes time to log on to each system
• It’s difficult to remember all the passwords
• It’s impossible to remember all your passwords if they’re all strong, all different, and some are used infrequently
• The volume of different applications compounds the problem (one user we spoke to had 17 applications to log on to)
Demonstration…
Latest IBM Security Access Manager for Enterprise Single Sign-On: Desktop Single Sign-On, Strong Authentication and Fine-Grained User Activity Audit Logs
Business challenge
Simplify password management and strengthen end user security
Key solution highlights
Reduce help desk costs, improve productivity and strengthen security on traditional, virtual, shared desktop environments
• Virtual Appliance for faster time to value
- Easier deployment and management leading to lower TCO
• Virtualized desktops and applications virtualization support
- Support VMware View, IBM Virtual Desktop for Smart Business
- Desktop access to virtualized MSFT App-V or Citrix XenApp
• Wider platform support
- Support for Win 7 64-bit, Win 2008, Internet Explorer 8 & 9
• Enhanced Strong Authentication Support
- Hybrid RFID smart card, support for National IDs
“IBM’s Security Access Manager for Enterprise Single Sign-On helped achieve a ROI of 244% over 3 years with a payback period of 11 months” (Large UK financial services company)
Problem #2: Badly developed websites…
Application Vulnerabilities Continue to Dominate
Web application vulnerabilities represented the largest category in vulnerability disclosures (55% in 2008)
In 1H09, 50.4% of all vulnerabilities are Web application vulnerabilities
SQL injection and Cross-Site Scripting are neck and neck in a race for the top spot
[Chart: Vulnerability Disclosures Affecting Web Applications (Cumulative, Year Over Year), 1998 to 2009 H1; vertical axis 0 to 18,000]
Source: IBM Internet Security Systems 2009 X-Force® Mid-Year Trend & Risk Report
Why Security Matters?
• ICO £500K fines from 6 April 2010: new powers to impose fines of up to £500,000 for serious breaches of the DPA come into force on 6 April
• Data Breach Notification Law approved by EU: member states required to introduce the new rules by May 2011
• PCI Compliance: new prioritised approach in place, banks and card acquirers demanding progress
• Other Compliance: Basel II, Sarbanes Oxley, ISO 27001 etc…
• Consequences of non-compliance: reputational damage, fraud, etc
IBM Rational AppScan End-to-End Application Security
Lifecycle stages: REQUIREMENTS, CODE, BUILD, QA, SECURITY, PRODUCTION
Requirements: Security Requirements Definition; security requirements defined before design & implementation
Code / Build: AppScan Source; build security testing into the IDE and automate security / compliance testing in the build process
QA: AppScan Tester; security / compliance testing incorporated into testing & remediation workflows
Security: AppScan Standard; security & compliance testing, oversight, control, policy, audits
Production: AppScan onDemand (SaaS); outsourced testing for security audits & production site monitoring
Across all stages: AppScan Enterprise / Reporting Console (enterprise-wide scanning and reporting); Application Security Best Practices
IBM Rational AppScan End-to-End Application Security (Security stage: AppScan Standard; security & compliance testing, oversight, control, policy, audits)
• IBM Rational AppScan: A Web Application Security Scanner
– Helps users find and remediate application-layer security issues in their web applications & web services
• IBM Rational AppScan Standard or Express Edition
– A standalone desktop application
• Who uses it?
– Security Auditors and IT Security Teams - To reach beyond network security
– QA engineers - To add Security to Functionality & Performance testing
– Developers (to a lesser extent) – Wanting to be proactive about security
How does AppScan work?
• Approaches an application as a black-box
• Traverses a web application and builds the site model
• Determines the attack vectors based on the selected Test policy
• Tests by sending modified HTTP requests to the application and examining the HTTP response according to validation rules
[Figure: scanner sends HTTP Request to the Web Application and examines the HTTP Response]
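The four steps above, and the SQL injection / Cross-Site Scripting pair from the "Application Vulnerabilities Continue to Dominate" slide, in working form. This is an added example written for this page, not AppScan code. It crawls a tiny in-process target application (constructed here, not a real site), builds a site model, derives payloads from a small test policy, sends modified requests and validates the responses. The target is shown twice: the "badly developed" version that concatenates SQL and reflects input unescaped, and a hardened twin. All names (`vulnerable_app`, `hardened_app`, `TEST_POLICY`, `crawl`, `scan`) are hypothetical.

```python
"""Toy black-box web scanner (added example, not AppScan code).
Runs the slide's steps against a constructed in-process target:
crawl -> site model -> attack vectors from a test policy -> modified
requests -> response validation. All identifiers are hypothetical."""
import re
import sqlite3
from html import escape
from urllib.parse import parse_qs, urlencode

# --- constructed target: a 'badly developed website' and its fixed twin ---
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
_db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])

def _page(path, q, lookup, render):
    """Shared routing; lookup() runs the DB query, render() formats the echo."""
    if path == "/":
        return '<a href="/search?q=alice">search</a> <a href="/about">about</a>'
    if path == "/about":
        return "<p>About us</p>"
    if path == "/search":
        try:
            rows = lookup(q)
        except sqlite3.Error as exc:          # leaks the DB error to the client
            return f"<p>Database error: {exc}</p>"
        return f"<p>Results for {render(q)}: {', '.join(r[0] for r in rows)}</p>"
    return "<p>404</p>"

def vulnerable_app(path: str, query: str) -> str:
    """String-concatenated SQL and unescaped reflection (the 'before')."""
    q = parse_qs(query).get("q", [""])[0]
    return _page(path, q,
                 lambda s: _db.execute(f"SELECT name FROM users WHERE name = '{s}'").fetchall(),
                 lambda s: s)

def hardened_app(path: str, query: str) -> str:
    """Parameterised query and HTML-escaped output (the 'after')."""
    q = parse_qs(query).get("q", [""])[0]
    return _page(path, q,
                 lambda s: _db.execute("SELECT name FROM users WHERE name = ?", (s,)).fetchall(),
                 escape)

# --- the scanner: a minimal test policy, hypothetical ---
TEST_POLICY = {
    # SQL injection: a stray quote must not surface a database error
    "sqli": {"payloads": ["'", "' OR '1'='1"],
             "check": re.compile(r"database error|syntax error|unrecognized token", re.I)},
    # Reflected XSS: a marker must not come back verbatim (unencoded)
    "xss": {"payloads": ["<scAn>"], "check": None},
}

def crawl(app, start="/"):
    """Traverse the application and build the site model
    as {path: set(parameter names)}."""
    model, seen, todo = {}, set(), [start]
    while todo:
        url = todo.pop()
        if url in seen:
            continue
        seen.add(url)
        path, _, query = url.partition("?")
        body = app(path, query)
        model.setdefault(path, set()).update(parse_qs(query))
        todo.extend(re.findall(r'href="([^"]+)"', body))
    return model

def scan(app, policy=TEST_POLICY):
    """For every entry point and parameter, send each payload the policy
    selects and validate the response. Returns confirmed findings as
    (path, parameter, test, payload) tuples."""
    findings = []
    for path, params in sorted(crawl(app).items()):
        for param in sorted(params):
            for test, spec in policy.items():
                for payload in spec["payloads"]:
                    body = app(path, urlencode({param: payload}))
                    hit = spec["check"].search(body) if spec["check"] else payload in body
                    if hit:
                        findings.append((path, param, test, payload))
                        break          # one confirmed payload per test is enough
    return findings

if __name__ == "__main__":
    print("vulnerable:", scan(vulnerable_app))
    print("hardened:  ", scan(hardened_app))
```

Against the vulnerable twin the scanner reports both a SQL injection (the single quote turns into a leaked database error) and a reflected XSS on `/search?q=`; against the hardened twin, where the query is parameterised and output is escaped, the same policy finds nothing. A real scanner differs in scale, not in shape: a much larger site model, many more payload families, and validation rules that go beyond string matching.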
The ROI of Application Security Testing
Cost Avoidance – of a security breach
Costs as a result of a security breach can include (but are not limited to) audit fees, legal fees, regulatory fines, lost customer revenue and brand damage
The cost to companies is $202 per compromised record**
The average cost per data breach is $6.6 Million**
Cost Savings – of automated vs manual testing
Automated testing provides tremendous productivity savings over manual testing. Automated source code testing with periodic penetration testing allows for cost effective security analysis of applications
Outsourced audits can cost $10,000 to $50,000 per application
At $20,000 an app, 50 audits will cost $1M.
With 1 hire + 4 quarterly outsourced audits (ex: $120,000 + $80,000), $800,000/yr can be saved (less the cost of testing software)
Cost Savings – of testing early in the development process
80% of development costs are spent identifying and correcting defects. Testing for vulnerabilities earlier in the development process can help avoid that unnecessary expense
Cost of finding & fixing problems: code stage is $25, QA/Testing is $450, Production $16,000 *
E.g.: 50 applications annually & 25 issues per application, testing at code stage saves $780,000 over testing at QA stage. (Note that 1,250 issues at the $425 per-issue difference quoted above come to $531,250; the $780,000 figure on the slide does not follow from the per-stage costs shown.)
* Source: Capers Jones, Applied Software Measurement, 1996
** Source: Ponemon Institute, Privacy Rights Clearinghouse, 2008
AppScan Product Path
AppScan Express (single user)
→ More than 1 user: upgrade to floating licence
AppScan Standard (floating user)
→ Multiple users: enterprise wide reporting & visibility
AppScan Reporting Console (enterprise-wide reporting)
Recent UK General Business sales…
Q3 2011 – UK digital media production company
• A UK digital media production company had been using some open source tools for security testing and had suffered some recent security incidents that were driving them to improve their security posture
• Initial Demonstration of AppScan via webinar on 22nd August. Evaluation of AppScan completed via Webinars over following weeks. Deal for one licence of AppScan Standard Edition closed within the Quarter.
Q4 2011 – UK publishing company
• UK magazine company: increasing focus on online content is driving a greater need for security
• Initial Demonstration of AppScan via webinar during Oct. Evaluation of AppScan completed within 1 week via onsite visit on 16th November. Deal for one licence of AppScan Standard Edition closed within the quarter.
Problem #3: Managing workstations and servers…
How long does it take you to…
…determine the number of PCs that are infected?
…patch all infected systems and protect the healthy ones?
…realize that a user/malware just uninstalled a critical patch?
…deploy patches not only on Windows but Linux, AIX, Solaris or Mac OS X?
Tivoli Endpoint Manager: See More, Secure More
Tivoli Endpoint Manager for Security & Compliance
• Asset Discovery and Visibility
• Patch Management
• Security Configuration Management
• Vulnerability Management
• Multi-Vendor Endpoint Protection Management
• Network Self Quarantine
Discover 10% - 30% more assets than previously reported
Achieve 95%+ first-pass success rates within hours of policy or patch deployment
Library of 5,000+ compliance settings, including support for FDCC SCAP, DISA STIG
Automatically and continuously enforce policy at the end point
The Tivoli Endpoint Manager Approach
[Figure: reporting and enforcement on 5,000+ controls, mapped to standards including ISO/IEC 27001 and PIPEDA/PIPA]
TEM for SCM – Meeting Endpoint Compliance Requirements

| Requirement | PCI | ISO 27001 | CobIT | NIST 800-53 |
|---|---|---|---|---|
| Implement anti-malware and keep endpoints current | 5.1, 5.2 | A12.6 | DS5.9 | SI-3 |
| Define, implement, and enforce security configuration baselines | 2.1, 2.2, 6.2 | A12.1, A15.2 | DS9 | CM-2, CM-4, CM-6 |
| Keep endpoints patched | 6.1 | A12.6 | DS5.9 | CM-2 |
| Perform regular vulnerability scans and address findings | 11.2 | A12.6 | PO9.3 | RA-5 |
| Keep a current network diagram, know when things are added to the network | 1.1 | A7.1 | DS13.3 | CM-8 |
| Install, maintain endpoint firewalls, NAC | 1.4 | A11.4 | DS5.10 | AC-19 |
Compliance Dashboard / Reporting
• Real-time and historical visibility into the state of compliance
• Identify critical gaps in compliance to defined policy
• Customize dashboard to create different “lenses” into the compliance state: Computer Groups, Categories, Policy Templates
• Drill-down into specific details of non-compliant or compliant systems
• Compliance Focused executive reporting via web reports and DSS
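What the dashboard above computes, and what the "realize that a user/malware just uninstalled a critical patch?" question under Problem #3 asks for, as an added example. This is not Tivoli Endpoint Manager code: it evaluates a constructed endpoint inventory against a small configuration baseline, distinguishes a patch that was never installed from one that was installed in the previous snapshot and is now gone (a regression), and rolls the findings up per computer group and per category. Baseline keys, KB identifiers, host names and dates are all hypothetical.

```python
"""Endpoint compliance evaluation over constructed inventory snapshots
(added example, not TEM code). Hosts, patches and controls are hypothetical."""
from datetime import date

BASELINE = {
    "required_patches": {"KB-2012-0001", "KB-2012-0002"},
    "config": {"firewall_enabled": True, "guest_account_enabled": False},
    "max_signature_age_days": 3,          # anti-malware signatures must be this fresh
}
AS_OF = date(2012, 2, 22)                 # evaluation date for the constructed data

# Previous snapshot: which patches each host reported as installed last time.
PREVIOUS_PATCHES = {
    "ws-01": {"KB-2012-0001", "KB-2012-0002"},
    "ws-02": {"KB-2012-0001"},
    "srv-01": {"KB-2012-0001", "KB-2012-0002"},
}

# Current snapshot (constructed). ws-01 has lost a patch since last time;
# ws-02 has its firewall off and stale signatures; srv-01 is clean.
CURRENT_INVENTORY = [
    {"host": "ws-01", "group": "Workstations", "patches": {"KB-2012-0001"},
     "config": {"firewall_enabled": True, "guest_account_enabled": False},
     "signatures_date": date(2012, 2, 21)},
    {"host": "ws-02", "group": "Workstations", "patches": {"KB-2012-0001", "KB-2012-0002"},
     "config": {"firewall_enabled": False, "guest_account_enabled": False},
     "signatures_date": date(2012, 2, 10)},
    {"host": "srv-01", "group": "Servers", "patches": {"KB-2012-0001", "KB-2012-0002"},
     "config": {"firewall_enabled": True, "guest_account_enabled": False},
     "signatures_date": date(2012, 2, 22)},
]

def evaluate(endpoint, baseline=BASELINE, previous=PREVIOUS_PATCHES, as_of=AS_OF):
    """Return a sorted list of (category, detail) findings for one endpoint."""
    findings = []
    for kb in sorted(baseline["required_patches"] - endpoint["patches"]):
        # 'never installed' and 'was installed, now gone' are different incidents
        was_there = kb in previous.get(endpoint["host"], set())
        findings.append(("patch_regression" if was_there else "patch_missing", kb))
    for key, expected in sorted(baseline["config"].items()):
        actual = endpoint["config"].get(key)
        if actual != expected:
            findings.append(("config_drift", f"{key}={actual!r}, expected {expected!r}"))
    age = (as_of - endpoint["signatures_date"]).days
    if age > baseline["max_signature_age_days"]:
        findings.append(("antimalware_stale", f"signatures {age} days old"))
    return sorted(findings)

def dashboard(inventory=CURRENT_INVENTORY):
    """Per-group 'lens': host count, compliant count, and findings by category."""
    out = {}
    for ep in inventory:
        g = out.setdefault(ep["group"], {"hosts": 0, "compliant": 0, "by_category": {}})
        findings = evaluate(ep)
        g["hosts"] += 1
        g["compliant"] += 0 if findings else 1
        for cat, _ in findings:
            g["by_category"][cat] = g["by_category"].get(cat, 0) + 1
    return out

if __name__ == "__main__":
    for ep in CURRENT_INVENTORY:
        print(ep["host"], evaluate(ep))
    print(dashboard())
```

The regression category is the one worth keeping separate in a real deployment: a patch that disappears between two snapshots is a signal about the host (rollback, tampering, re-imaging from an old template), not just a gap in coverage, and it deserves a different response from a patch that was simply never deployed.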
Security & Compliance Customer Success Stories
Financial Company
• Failed internal audit of information security configuration compliance
• Highly distributed infrastructure with centralized visibility and reporting
• Customized SCM Controls to meet internal SCM requirements
Retail Chain
• Failed PCI Audit due to poor configuration policy enforcement
• No visibility into system configurations and no ability to report on compliance status
• No ability to enforce configuration standards across infrastructure
• Leveraged SCM Controls to achieve PCI specific requirements
Government Agency
• Ongoing failures to secure systems and mitigate against threats caused by poorly configured and badly managed systems
• Systems highly susceptible to internal abuse and external attack
• Leveraged out-of-the-box DISA STIG SCM checklists to assess compliance and automate remediation of non-compliant systems
Problem #4: Network threats…
IBM Security Research and Development: X-Force
• X-Force R&D team discovers and analyzes previously unknown vulnerabilities in critical software and infrastructure such as: e-mail, networks, Internet applications, security protocols, business applications and VoIP.
• In addition to its own research, X-Force reviews each published vulnerability in order to monitor the threat landscape, determining new attack vectors, and offering a higher level of protection.
• One of X-Force’s publications is the quarterly Threat Insight report
Source: IBM X-Force Database
Preemptive “Ahead of the Threat” Security – backed up by data
Top 61 Vulnerabilities, 2009:
• 341 average days ahead of the threat
• 91 median days ahead of the threat
• 35 vulnerabilities ahead of the threat (57% of top vulnerabilities)
• 17 same day coverage
• 9 protection released post announcement
1H2010: average days ahead of the threat increased to 437!
IBM Security Network IPS
• IBM Security Network IPS is an appliance
• Core protection engine, the Protocol Analysis Module (PAM), delivers the most efficient IPS engine available
• Vulnerability-based protection requires fewer detection algorithms than competitive solutions that require a new signature for every new exploit
• Clients benefit with greater protection from fewer detection algorithms
– Provides capacity for new features like Content Analysis and Web application security
– Protection for older threats doesn’t have to be removed to maintain speed / performance
• Clients benefit as X-Force continues to invest in PAM
– Multithreaded version in development
IBM is the first vendor to secure three NSS Labs Gold Awards in a row (http://nsslabs.blogspot.com/2009/05/nss-awards-first-gold-in-5-years.html)
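The "vulnerability-based protection needs fewer detection algorithms than one signature per exploit" point, made concrete. This is an added example, not PAM code, and the protocol is hypothetical: a text command `USER <name>` whose server is assumed to copy the argument into a 64-byte buffer. One detector holds a list of byte patterns from known exploits; the other checks the trigger condition of the vulnerability itself (argument longer than the buffer) regardless of what bytes are sent. All traffic samples are constructed.

```python
"""Exploit-signature matching versus a vulnerability-condition check
(added example, not IBM/PAM code). Protocol, buffer size and traffic
are constructed for illustration."""
USER_BUFFER_LEN = 64          # assumed size of the vulnerable server buffer

# Exploit-signature approach: one pattern per known exploit. Every new
# variant that changes its bytes needs another entry here.
EXPLOIT_SIGNATURES = [
    b"USER " + b"A" * 300,        # the first published proof of concept
    b"USER " + b"\x90" * 200,     # a NOP-sled variant seen later
]

def signature_detects(msg: bytes) -> bool:
    """Flags traffic only if it contains a byte pattern of a known exploit."""
    return any(sig in msg for sig in EXPLOIT_SIGNATURES)

def vulnerability_detects(msg: bytes) -> bool:
    """Flags traffic that satisfies the vulnerability's trigger condition:
    a USER argument longer than the buffer, whatever bytes it carries."""
    for line in msg.split(b"\r\n"):
        if line.startswith(b"USER "):
            return len(line) - len(b"USER ") > USER_BUFFER_LEN
    return False

TRAFFIC = {   # constructed samples: label -> message
    "legit login":       b"USER alice\r\nPASS s3cret\r\n",
    "max legit length":  b"USER " + b"a" * USER_BUFFER_LEN + b"\r\n",   # exactly fits
    "published exploit": b"USER " + b"A" * 300 + b"\r\n",
    "nop-sled variant":  b"USER " + b"\x90" * 200 + b"\r\n",
    "fresh variant":     b"USER " + b"B" * 65 + b"\r\n",                # one byte over
    "not the USER cmd":  b"HELP " + b"A" * 300 + b"\r\n",               # long, but not the bug
}

def compare(traffic=TRAFFIC):
    """Return {label: (signature_result, vulnerability_result)} for each sample."""
    return {k: (signature_detects(v), vulnerability_detects(v)) for k, v in traffic.items()}

def evasions(traffic=TRAFFIC):
    """Samples that reach the vulnerable code path but evade every signature."""
    return sorted(k for k, (sig, vul) in compare(traffic).items() if vul and not sig)

if __name__ == "__main__":
    for label, result in compare().items():
        print(f"{label:20s} signature={result[0]!s:5s} vulnerability={result[1]}")
    print("evades signatures:", evasions())
```

The two detectors agree on the published exploits and on benign traffic, including a name of exactly 64 bytes, which is the boundary case a sloppy length check would misjudge. They diverge on the fresh variant: it shares no bytes with any known exploit, so the signature list needs a third entry, while the single vulnerability check already covers it. The cost of the vulnerability check is that it has to parse the protocol correctly, which is the engineering the slide attributes to PAM.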
IBM Virtual Server Protection for VMware: Integrated threat protection for VMware vSphere 4
• 5 Security Features
– Rootkit Detection, Firewall, Intrusion Prevention, Virtual Network Admission Control, Auditing
• VSP cannot monitor host-based events (e.g. file integrity) which require local installation
• VSP plugs into VMsafe and therefore cannot prevent threats to the underlying hardware and virtual network cards
ibm.com/security
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.