IBM Security Systems
Smarter Security for MSPs
Giovanni Todaro, IBM Security Systems Leader

Innovative technologies are changing everything around us…
• 1 trillion connected objects
• 1 billion mobile workers
• Social business
• Bring your own IT
• Cloud and virtualization
© 2013 IBM Corporation

Attacks: motivations and sophistication are evolving rapidly
• Nation states: cyberwar, national security (example: Stuxnet)
• Competitors and hacktivists: espionage, activism (example: Aurora)
• Organized crime: financial gain (example: Zeus)
• Insiders and script kiddies: revenge, curiosity (example: Code Red)

The world is becoming more digitized and interconnected, opening the door to emerging threats and data loss…
• Everything is everywhere: organizations keep moving to new platforms, including cloud, virtualization, mobile, social business and more
• Consumerization of IT: with Enterprise 2.0 and social business, the line between personal and professional hours, devices and data has disappeared
• Data explosion: the age of Big Data, the explosion of digital information, has arrived, enabled by applications that are accessible from anywhere
• Attack sophistication: the speed and dexterity of attacks has increased, coupled with new motivations for cybercrime
IBM Security Solutions focus areas: Security Intelligence, Mobile Security, Cloud Security, Advanced Threat

IBM brings you into the era of Security Intelligence
Organizations need a new approach to security that leverages intelligence to keep pace with innovation.
IBM Security Intelligence drives the shift from a point-product strategy to an integrated enterprise security framework. Translating security data into actionable knowledge:
• Reduces business risk and cost
• Enables innovation with agility and security
• Improves operational continuity
IBM Security by the numbers: 13 billion security events managed daily; 1,000 security patents; 9 Security Operations Centers; 600 security sales professionals; 11 security solution development labs

IBM Security: delivering intelligence, integration and expertise in a complete framework
• Increase accuracy and security awareness: detect and prevent advanced threats; greater visibility and situational awareness; conduct complete incident investigations
• Simplicity of management: simplify risk management and decision making; improve control and access capabilities
• Reduce cost and complexity: rapid deployment and lower TCO by working with a single strategic partner that has a broad, integrated portfolio
Intelligence ● Integration ● Expertise

Key factors shaping the security software business
Protecting the perimeter is no longer enough: sophisticated attacks are bypassing traditional defenses, IT assets are moving outside the firewall, and enterprise applications and data are increasingly distributed across many devices.
1. Advanced threats: sophisticated, targeted attacks aimed at gaining persistent access to critical information are increasing in severity and frequency (advanced persistent threats, stealth bots, designer malware, targeted attacks, zero-days)
2. Cloud computing: security is one of the main concerns about the cloud, as customers drastically rethink how IT resources are designed, delivered and consumed
3. Mobile computing: managing employee-owned devices and providing connectivity to enterprise applications are needs CIOs must address as they expand support for mobile devices
4. Regulations and compliance: regulatory and compliance pressure keeps growing together with the need to store sensitive data, and companies become susceptible to audit failures
Cross-cutting theme for enterprise customers: Big Data

Better protection against the most sophisticated attacks
Threat examples: misconfigured firewall, 0-day exploit, malicious PDF, phishing campaign, vulnerable server, spammer, infected website, SQL injection, botnet communication, brute force, malicious insider
• On the network: IBM Advanced Threat Protection
• Across the enterprise: IBM QRadar Security Intelligence
• Across the world: IBM X-Force® Threat Intelligence

IBM offers security solutions in all areas of cloud security
IBM protects against common cloud risks with a broad portfolio of flexible solutions and security layers, including IBM Security Federated Identity Manager and IBM Security Key Lifecycle Manager: protect against threats, regain visibility and demonstrate compliance through activity monitoring, anomaly detection and Security Intelligence.

Securing the mobile enterprise with IBM solutions

IBM strategy for data security
• Protect data in any form, in any location, from internal or external threats
• Simplify compliance processes
• Reduce the operational cost of data protection
Layers of the strategy: Governance, Security Intelligence, Analytics; Audit, Reporting and Monitoring; integrated Security Solutions; Data Discovery and Classification; Policy-based Access and Entitlements; IT and business process.
Data is covered wherever it is: stored (databases, file servers, Big Data, data warehouses, application servers, cloud/virtual, …), over the network (SQL, HTTP, SSH, FTP, email, …) and at the endpoint (workstations, laptops, mobile, …).

A complete portfolio across all security domains: security ecosystem, partner programs (3rd party), standards

IBM Identity and Access Management: vision and strategy
Key themes…
• Standardized IAM and compliance management: expand IAM vertically to provide identity and access intelligence to the business; integrate horizontally to enforce user access to data, applications and infrastructure
• Secure cloud, mobile and social interaction: enhance context-based access control for cloud, mobile and SaaS access, as well as integration with proofing, validation and authentication solutions
• Insider threat and IAM governance: continue to develop Privileged Identity Management (PIM) capabilities and enhanced identity and role management

Data Security vision (QRadar integration across multiple deployment models)
Key themes…
• Reduced total cost of ownership: expanded support for databases and unstructured data, automation, handling and analysis of large volumes of audit records, and new preventive capabilities
• Enhanced compliance management: enhanced Database Vulnerability Assessment (VA) and Database Protection Subscription Service (DPS) with improved update frequency, labels for specific regulations, and product integrations
• Dynamic data protection: data masking for databases (row level, role level) and for applications (pattern based, form based) to safeguard sensitive and confidential data

Application Security vision
Key themes…
• Coverage for mobile applications and new threats: continue to identify and reduce risk by expanding scanning capabilities to new platforms such as mobile, and by introducing next-generation dynamic analysis scanning and glass box testing
• Simplified interface and accelerated ROI: new capabilities to improve customer time to value and consumability with out-of-the-box scanning, static analysis templates and ease-of-use features
• Security Intelligence integration: automatically adjust threat levels based on knowledge of application vulnerabilities by integrating and analyzing scan results with SiteProtector and the QRadar Security Intelligence Platform

Infrastructure Protection: endpoint vision
Key themes…
• Security for mobile devices: provide security for and manage traditional endpoints alongside mobile devices such as Apple iOS, Google Android, Symbian and Microsoft Windows Phone, using a single platform
• Expansion of security content: continued expansion of security configuration and vulnerability content to increase coverage for applications, operating systems and industry best practices
• Security Intelligence integration: improved use of analytics providing valuable insights to meet compliance and IT security objectives, as well as further integration with SiteProtector and the QRadar Security Intelligence Platform

Threat Protection vision
• Security Intelligence Platform: Log Manager, SIEM, Network Activity Monitor, Risk Manager, future components
• Threat Intelligence and Research: vulnerability data, malicious websites, malware information, IP reputation, future feeds
• Advanced Threat Protection (IBM Network Security): intrusion prevention, content and data security, web application protection, network anomaly detection, application control, future capabilities
Key themes…
• Advanced Threat Protection Platform: helps prevent sophisticated threats and detect abnormal network behavior by using an extensible set of network security capabilities, in conjunction with real-time threat information and Security Intelligence
• Expanded X-Force Threat Intelligence: increased coverage of world-wide threat intelligence harvested by X-Force, and consumption of this data to make smarter and more accurate security decisions
• Security Intelligence integration: tight integration between the Advanced Threat Protection Platform and the QRadar Security Intelligence platform to provide unique and meaningful ways to detect, investigate and remediate threats

X-Force Threat Intelligence: the IBM differentiator (X-Force Threat Intelligence Cloud)
• X-Force database: the most extensive vulnerability catalog
• Web filter database: infected or malicious sites
• IP reputation: botnets, anonymous proxies, bad actors
• Application identification: web application information
• Vulnerability research: the latest vulnerabilities and protections
• Security Services: managed IPS for more than 3,000 customers

Security Intelligence: integration across IT silos
Extensive data sources (security devices, servers and hosts, network and virtual activity, database activity, application activity, configuration info, vulnerability info, user activity) feed event correlation, activity baselining and anomaly detection, and offense identification, producing high-priority offenses.
Extensive data sources + deep intelligence = exceptionally accurate and actionable insight

All domains feed Security Intelligence
• X-Force: correlate new threats based on X-Force IP reputation feeds
• Hundreds of 3rd-party information sources
• Guardium: database assets, rule logic and database activity information
• Identity and Access Management: identity context for all security domains, with QRadar as the dashboard
• Tivoli Endpoint Manager: endpoint management vulnerabilities enrich QRadar's vulnerability database
• IBM Security Network Intrusion Prevention System: flow data sent into QRadar turns NIPS devices into activity sensors
• AppScan Enterprise: AppScan vulnerability results feed QRadar SIEM for improved asset risk assessment

IBM QRadar: Security Intelligence for data center protection
Luigi Perrone, IBM SWG - Security Systems & z/OS Security
Agenda: QRadar overview; demo; final considerations

Why Security Intelligence?
• Answer auditing requirements
• Automate and streamline event collection processes
• Multi-source event collection
• Secure management and archiving of log data (regulatory compliance)
• Data aggregation and event correlation
• Data monitoring and analysis for:
  - identifying security gaps and anomalies
  - raising alarms
  - starting investigation processes
  - compliance reporting

The phases of the event lifecycle

1 - Efficient event management: strong acquisition, deep analysis, high responsiveness
MONITOR & ASSET DISCOVERY
• Real-time recording
• Easy configuration
• Agent-less mode
• Standard integration of many devices
• Auto-discovery of log sources, applications and assets; auto-grouping of assets
• Centralized log management
Collection methods: syslog, snare, WinCollect, WMI, ODBC/JDBC, FTP/SFTP and SNMP for log events; NetFlow, sFlow, J-Flow and QFlow for flows; VA scanner results. Sources: IDS/IPS, switches and routers, firewalls, servers, applications, databases.

2 - A powerful processing and correlation engine: correlation, investigative analysis and advanced reporting to identify critical events and resolve them immediately
ANALYSIS
• Advanced security analytics
• Auto-tuning
• Auto-detect threats
• Easy-to-use event filtering
• Thousands of pre-defined rules

3 - Real-time alarms and investigative depth
• Clear and complete control of all network activity with real-time monitoring
• Alerts and detection of events that are unusual relative to the normal baseline
• Investigative analysis and advanced reporting
• Built-in standard security reports that are easy to customize
ACTIONS & REPORTS
• Thousands of predefined reports
• Asset-based prioritization
• Auto-update of threats
• Auto-response
• Directed remediation

QRadar: the components
• Log Management: turnkey log management; upgradeable to enterprise SIEM
• SIEM: sophisticated event analytics; asset profiling and flow analytics
• Risk Management: predictive threat modeling and simulation; scalable configuration monitoring and audit
• Network Activity and Anomaly Detection: network analytics; behavioral and anomaly detection
• Scale: event processors; network activity processors
• Visibility: Layer 7 application monitoring; content capture

Next Generation IPS
Salvatore Sollami, IBM Security Systems Technical Sales and Solutions

The challenging state of network security
• Sophisticated attacks (stealth bots, targeted attacks, worms, trojans, designer malware): increasingly sophisticated attacks use multiple attack vectors and increase risk exposure
• Streaming media: streaming media sites consume large amounts of bandwidth
• Social networking: social media sites present productivity, privacy and security risks, including new threat vectors
• Point solutions (URL filtering, IDS/IPS, IM/P2P, web app protection, vulnerability management): point solutions are siloed, with minimal integration or data sharing

Network defense: traditional solutions are not up to today's challenges
Current limitations:
• Threats continue to evolve and standard methods of detection are not enough
• Streaming media sites and web applications introduce new security challenges
• A basic "block only" mode limits innovative use of streaming and new web apps
• Poorly integrated solutions create "security sprawl", lower the overall level of security, and raise cost and complexity
Diagram: traffic from the Internet (stealth bots, worms, trojans, targeted attacks, designer malware) meets a firewall/VPN (port and protocol filtering), an email gateway (message and attachment security only) and a web gateway (web traffic only, ports 80/443); everything else is uncovered.
Requirement: multi-faceted protection
• 0-day threat protection tightly integrated with other technologies, e.g. network anomaly detection
• Ability to reduce costs associated with non-business use of applications
• Controls to restrict access to social media sites by a user's role and business need
• Multi-faceted network protection: security for all traffic, applications and users
• Augment point solutions to reduce overall cost and complexity

The need to understand the who, what and when
Policy dimensions: user or group, network geography, web category, web applications, non-web applications, reputation. Protection functions: web category protection, server access control, protocol-aware intrusion protection, client-side protection, botnet protection, web protection, network awareness, reputation.
• Who: 172.29.230.15, Bob, Alice
• What: 80, 443, 21, webmail, social networks
Example traffic control policies:
• Allow marketing and sales teams to access social networking sites
• Block attachments on all outgoing emails and chats
• Apply a stricter security policy to traffic from countries where I do not do business
• Advanced inspection of web application traffic destined to my web servers
• Block known botnet servers and phishing sites
• Allow, but don't inspect, traffic to financial and medical sites

The Advanced Threat Protection Platform (NEW)
• Security Intelligence Platform: Log Manager, SIEM, Network Activity Monitor, Risk Manager
• Threat Intelligence and Research: vulnerability data, malicious websites, malware information, IP reputation
• Advanced Threat Protection Platform (IBM Network Security): intrusion prevention, content and data security, web application protection, network anomaly detection, application control, Vulnerability Manager
Key themes: the Advanced Threat Protection Platform, expanded X-Force Threat Intelligence consumed across the IBM portfolio, and Security Intelligence integration, as in the Threat Protection vision above.

Next Generation Network IPS

Understanding who, what and when
• Immediately discover which applications and web sites are being accessed
• Quickly identify misuse by application, website, user and group
• Understand who and what are consuming bandwidth on the network
• Superior detection of advanced threats through integration with QRadar for network anomaly and event details; network flows can be sent to QRadar for enhanced analysis, correlation and anomaly detection
• Identity context ties users and groups to their network activity, going beyond IP-address-only policies
• Application context fully classifies network traffic, regardless of port, protocol or evasion techniques
Outcomes: increase security, reduce costs, enable innovation

Next Gen IPS: IBM Security Network Protection XGS 5100
• Proven security: extensible, 0-day protection powered by X-Force®
• Ultimate visibility (new with XGS): understand the who, what and when for all network activity
• Complete control (new with XGS): ensure appropriate application and network use
IBM Security Network Protection XGS 5100 builds on the proven security of IBM intrusion prevention solutions by adding next-generation visibility and control to help balance security and business requirements.

Proven security: extensible, 0-day protection powered by X-Force®
• Next Generation IPS powered by X-Force® Research protects weeks or even months "ahead of the threat"
• Full protocol, content and application aware protection goes beyond signatures
• Expandable protection modules defend against emerging threats such as malicious file attachments and web application attacks
IBM Security Threat Protection (IBM Security Network Protection XGS 5000):
- Backed by X-Force®: 15+ years of vulnerability research and development
- Trusted by the world's largest enterprises and government agencies
- True protocol-aware intrusion prevention, not reliant on signatures
- Specialized engines: exploit payload detection, web application protection, content and file inspection
Ability to protect against the threats of today and tomorrow

QRadar Network Anomaly Detection
• QRadar Network Anomaly Detection is a purpose-built version of QRadar for IBM's intrusion prevention portfolio
• Adding QRadar's behavioral analytics and real-time correlation helps detect and prioritize stealthy attacks better
• Supplements the visibility provided by IBM Security Network Protection's Local Management Interface (LMI)
• Integration with IBM Security Network Protection, including the ability to send network flow data from XGS to QRadar
Dashboard callouts: IBM X-Force® Threat Information Center; identity and user context; real-time security overview with IP reputation correlation; real-time network visualization and application statistics; inbound security events

The XGS 5100: the best solution for threat prevention
Better network control:
• Natural complement to the current firewall and VPN
• Not rip-and-replace: works with your existing network and security infrastructure
• More flexibility and depth in security and control over users, groups, networks and applications
Better threat protection:
• True protocol-aware network IPS
• Higher level of overall security and protection
• More effective against 0-day attacks
• Best of both worlds: true protocol- and heuristic-based protection with customized signature support
Diagram: the XGS 5100 sits alongside the firewall/VPN (port and protocol filtering), the email gateway (message and attachment security only) and the web gateway (web traffic only, ports 80/443), covering everything else that reaches the network from the Internet (stealth bots, worms, trojans, targeted attacks, designer malware).
Proven security ● Ultimate visibility ● Complete control
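The QRadar section above describes the event lifecycle as collect from many sources, normalize, correlate, baseline and prioritize by asset, and the NGIPS section returns to the same two enrichments, identity/asset context and IP reputation feeds. The following Python example, written for this page and not taken from QRadar or any IBM product, walks that pipeline end to end on constructed input: the sshd and firewall log lines, the asset table with business weights, the reputation list (standing in for an X-Force style feed) and the two correlation rules are all assumptions chosen to show how a brute-force sequence and a reputation hit become offenses whose magnitude depends on the asset involved, while a couple of mistyped passwords on a workstation stay below the threshold.

```python
"""Toy SIEM pipeline: collect -> normalize -> enrich -> correlate -> prioritize.
Illustration only (not QRadar code); every input below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (TEST-NET addresses), one event per line.
SAMPLE_LOGS = [
    "2013-05-01T10:00:01 web01 sshd: Failed password for root from 203.0.113.9 port 51001",
    "2013-05-01T10:00:09 web01 sshd: Failed password for root from 203.0.113.9 port 51002",
    "2013-05-01T10:00:17 web01 sshd: Failed password for admin from 203.0.113.9 port 51003",
    "2013-05-01T10:00:25 web01 sshd: Failed password for admin from 203.0.113.9 port 51004",
    "2013-05-01T10:00:33 web01 sshd: Failed password for root from 203.0.113.9 port 51005",
    "2013-05-01T10:00:45 web01 sshd: Accepted password for root from 203.0.113.9 port 51006",
    "2013-05-01T10:01:00 wks17 sshd: Failed password for bob from 10.0.0.23 port 40001",
    "2013-05-01T10:01:02 wks17 sshd: Failed password for bob from 10.0.0.23 port 40002",
    "2013-05-01T10:01:05 wks17 sshd: Accepted password for bob from 10.0.0.23 port 40003",
    "2013-05-01T10:02:00 fw01 fw: allow src=10.0.0.5 dst=198.51.100.77 dport=443",
    "2013-05-01T10:02:10 fw01 fw: deny src=203.0.113.9 dst=10.0.0.5 dport=3306",
]

# Constructed asset profile: hostname -> address and business weight (1..10).
ASSETS = {
    "db01": {"ip": "10.0.0.5", "weight": 10},
    "web01": {"ip": "10.0.0.7", "weight": 6},
    "wks17": {"ip": "10.0.0.23", "weight": 2},
}
IP_TO_ASSET = {a["ip"]: name for name, a in ASSETS.items()}

# Constructed reputation feed (stands in for an X-Force style IP reputation list).
BAD_IPS = {"198.51.100.77": "botnet C2"}

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>[\d.]+) port \d+$"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) fw: (?P<action>allow|deny) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def normalize(line):
    """Map a raw line onto one common event schema; None if no parser matches."""
    m = AUTH_RE.match(line)
    if m:
        category = "auth_fail" if m["result"] == "Failed" else "auth_ok"
        return {"ts": datetime.fromisoformat(m["ts"]), "asset": m["host"],
                "category": category, "src": m["src"], "user": m["user"], "dst": None}
    m = FW_RE.match(line)
    if m:
        # Attribute the event to the internal endpoint, not to the firewall that logged it.
        asset = IP_TO_ASSET.get(m["src"]) or IP_TO_ASSET.get(m["dst"]) or m["host"]
        return {"ts": datetime.fromisoformat(m["ts"]), "asset": asset,
                "category": "fw_" + m["action"], "src": m["src"], "user": None,
                "dst": m["dst"]}
    return None


def rule_brute_force_then_success(events, threshold=5, window=timedelta(seconds=60)):
    """Offense when >= threshold failures from one source precede a success on the
    same asset within the window; fewer failures (a typo) raise nothing."""
    offenses = []
    failures = defaultdict(list)  # (asset, src) -> timestamps of failed logins
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["asset"], ev["src"])
        if ev["category"] == "auth_fail":
            failures[key].append(ev["ts"])
        elif ev["category"] == "auth_ok":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                offenses.append({"name": "Brute force followed by successful login",
                                 "asset": ev["asset"], "src": ev["src"],
                                 "user": ev["user"], "severity": 8})
            failures[key].clear()
    return offenses


def rule_reputation_contact(events):
    """Offense when an allowed connection reaches an address on the reputation feed."""
    return [{"name": f"Outbound contact with {BAD_IPS[ev['dst']]}",
             "asset": ev["asset"], "src": ev["src"], "user": None, "severity": 9}
            for ev in events if ev["category"] == "fw_allow" and ev["dst"] in BAD_IPS]


def prioritize(offenses):
    """Magnitude = rule severity x asset weight (unknown assets weigh 1), highest first."""
    for o in offenses:
        o["magnitude"] = o["severity"] * ASSETS.get(o["asset"], {"weight": 1})["weight"]
    return sorted(offenses, key=lambda o: o["magnitude"], reverse=True)


def run_pipeline(lines):
    events = [e for e in (normalize(l) for l in lines) if e]
    return prioritize(rule_brute_force_then_success(events) + rule_reputation_contact(events))


if __name__ == "__main__":
    for o in run_pipeline(SAMPLE_LOGS):
        print(f"{o['magnitude']:>3}  {o['name']} (asset={o['asset']}, src={o['src']})")
```

Run as a script it prints the two offenses in priority order: the database server's allowed connection to the reputation-listed address (severity 9 on a weight-10 asset) outranks the successful brute force against the web server (severity 8 on a weight-6 asset), which is the asset-based prioritization the slides list under "Actions & reports". Real deployments tune the threshold and window per rule and take the asset weights from discovery and vulnerability data rather than a hand-written table.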