Category: Security Intelligence
What you don’t know can still hurt you
When it comes to enterprise security, no news is not necessarily good news. A common challenge to the need for greater security is the lack of visible incidents. But, the question that needs to be answered is: Would you know? A lack of alerts about attempts to attack your system or actual intrusions doesn’t mean they didn’t happen—because chances are, they did.
Many large organizations track multiple attempts a week. A lack of alerts just means that while previous attacks were unsuccessful, you may not have received the information and insight you need from your security system to protect against the next attack. That next attack could be successful—and devastating.
No system is immune to threats
In today’s interconnected business environment, no system is immune to threats, including mainframe environments. In the security-sensitive healthcare sector, for example, a recent survey revealed that:
- 43% of organizations graded their ability to withstand security threats as poor, failing, or in need of improvement.
- 23% of organizations admitted to security breaches in a recent 12-month period.
Security issues don’t happen in a vacuum, but few security solutions are broad and integrated enough to deliver insights that make a difference. Information provided by third-party log management and security information and event management (SIEM) solutions typically includes voluminous data with limited context—and hence, limited value. Identifying who did what and when, recognizing what’s abnormal, and obtaining visibility into subtle connections between millions of data points are the goals—but achieving them requires a great deal of contextual data and the analytical means to make sense of it.
Making sense of all the data
Security intelligence. That’s what we at IBM Security call the approach to enterprise security that we have developed. Using multiple solutions, IBM Security delivers integrated threat analysis, real-time alerts, audit consolidation and compliance reporting to help you keep pace with today’s increasing threats with a single view into the risks affecting both mainframe and distributed systems. Covering people, data, applications and infrastructure, the IBM security intelligence program includes the automated analysis and reporting capabilities you need to deal with the complexity of event monitoring and reporting without burying your staff with an endless stream of log data that does not record threats.
And, while the mainframe itself can save up to 70% in audit overhead, security intelligence can increase the depth of insight and real-time anomaly detection, improving the integrity of systems and protecting your mission-critical workloads.
Only a highly integrated series of solutions, like those found in the IBM security intelligence offering, can produce the necessary visibility to safeguard your environment. Security intelligence enables the organization to better discover and respond to:
- External threats such as financially-motivated criminals and “hacktivists” seeking sensitive data
- Internal threats such as employee theft of intellectual property
- Unintentional but exploitable weaknesses such as misconfigured security devices or improperly configured access controls
To achieve consistent reporting on vulnerabilities or threats, including monitoring privileged and non-privileged users, the organization needs centralized logging and intelligent normalization of security data. To ensure that compliance and security goals align, it needs visibility into network segments where logging may be problematic. To discover unknown, excessive or unauthorized mainframe access, it needs visibility into asset communication patterns.
It has never been more difficult to protect both your mainframe and distributed environments—and if you are not able to connect the dots between disparate security data in a manageable and insightful way, the time is now to consider new approaches. Security intelligence offerings from IBM help provide organizations with comprehensive and actionable insight into threats and risks in mainframe and distributed systems environments. Applying real-time collection, normalization, and analysis of access information and other security-related data, it can reduce both the risk of security breaches and—just as important—the manual effort of security operations, freeing your team to focus on more serious incidents rather than wading through an endless stream of data without context.
If you want to read more about security intelligence for mainframe I invite you to read the following whitepaper:
Post by Glinda Cummings
Posted by John Burnham in Security Intelligence
Just as surely as spring has established a foothold on Cape Cod, the SIEM Magic Quadrant for 2013 has been published. The news is out, and IBM Security has improved our position as a Leader in the 2013 Magic Quadrant for SIEM (Security Information and Event Management) again — marking the 5th year in a row that IBM Security/Q1 Labs has achieved this leadership position. For the first time, IBM/Q1 Labs is in the top position in the SIEM MQ.
IBM/Q1 Labs also received outstanding scores and improved standings in the 2013 SIEM Critical Capabilities report, which provides numerical ratings of vendors by capability and use case.
Back to bragging: IBM/Q1 Labs is rated #1 (above every other vendor) on “Ability to Execute” (the Y-axis). This represents overall viability, product/service, customer experience, market responsiveness, product track record, sales execution, operations and marketing execution.
- IBM/Q1 Labs is rated above major competitors (McAfee/Nitro, Splunk, LogRhythm, and RSA) on both “Ability to Execute” and “Completeness of Vision” (the X-axis). Completeness of Vision represents product strategy, innovation, market understanding, geographic strategy, and other factors.
- IBM/Q1 Labs is rated highest in the Critical Capabilities report for essential elements of Security Intelligence with Big Data: Analytics and Behavior profiling
- IBM/Q1 Labs is the highest rated in the SIEM Use Case, Product Rating, and Overall Use Case categories.
Besides vendor chest-thumping, what does this mean to our customers? Simply this: the creation and development of the IBM Security Systems division concurrent with the acquisition of Q1 Labs ensured:
- Customer-facing focus
- Continued and increased investments in Security Intelligence
- More opportunities to engage with more customers worldwide
- More 3rd party partnerships to ensure Big Data collection from more and more sources
- Resources unique to IBM. And face it, no one knows data like IBM.
Mining Big Data for Better Security Intelligence
Today, IBM Security Systems announced a “Breakthrough with Combination of Security Intelligence and Big Data – Data Analytics Helps Organizations Hunt for Cyber Attacks.” By combining the worlds of business and security intelligence, organizations have the ability to analyze data in new ways resulting in the ability to detect threats that they would have previously missed and react faster with more accurate and timely results. Sandy Bird, CTO for IBM Security Systems, wrote an interesting blog post on this topic where he talks about how the security strategy of the future will be built on the underlying premise that every new source of data is a blessing and not a curse.
Excerpt from the IBM Smarter Planet Blog:
Over the years the game of cat and mouse between attackers and people tasked with defending networks against their advances has evolved to become increasingly more complex. Every new advance in defensive technologies has forced attackers to adopt new tactics, and every new attack technique has produced a new security start-up. The result of this game has been that some of the most diligent and advanced security organizations in the world have deployed over 60 different security products, products that infrequently communicate with one another. Unfortunately, this has not proven a sustainable long-term approach to the security challenge as attacks have become more complicated, difficult to detect and even far reaching. Realistically, we can’t rely on any single product to be successful 100% of the time. The question is, if we understand the realities associated with perfection, why do we continue to embrace strategies that seem to rely on products being successful in isolation?
We need a different, foundational approach to the security challenges associated with sophisticated attackers….the security strategy of the future will be built on the underlying premise that every new source of data is a blessing and not a curse.
Read Sandy’s full post on the IBM Smarter Planet Blog for answers to questions like “How to identify and combine those subtle data indicators of an attack?” and “Does a security strategy need to change just because another piece was added to the puzzle?”
If you are interested in learning more about IBM Security Intelligence for Big Data be sure to check out:
- VIDEO: The Role Big Data Plays in Solving Complex Security Problems
- INFOGRAPHIC: A Big Data Approach to Security Intelligence
- IBM Security Systems website: for access to more product information, white papers and more
As I sat down to watch the new James Bond film with my usual supplies of fizzy drinks and sugary sweets, I was very surprised when he decided to take on the cyber terrorist at large and solve the problem single-handedly, physically and without the need for a Security product in sight!
Of course, we don’t all have a secret agent in our organization, driving around eradicating danger. However, security teams can prepare and have clear, flexible strategies in place to reduce risk on their network.
The premise of the film (spoiler alert) is a cyber terrorist getting into the British Secret Service network undetected and causing harm to key personnel. The clever methods used to infiltrate the network highlight what is happening on a daily basis to security teams globally, and though a great film, probably made many security personnel squirm slightly in their chairs when seeing the consequences that could occur!
From internal constraints to the rise of Advanced Persistent Threats (an ESG research report highlighted that 59% of enterprise organizations think they have been a target of an APT attack), the role of the security team is becoming ever more complex. The requirement for a clear security strategy, which is able to adapt and be flexible to an organization’s evolving needs, is vital.
In an exclusive webcast with Dark Reading on 12/13/2012 at 1200 ET, Q1 Labs’ very own James Bond, Michael Applebaum, and Jon Oltsik, Senior Principal Analyst at ESG, will be presenting “Information Security in Transition: Top things to consider in 2013”. In this must-attend event there will be recommendations on how to improve your organization’s information security model and, importantly, key issues that you are likely to face in 2013.
If you don’t want to wait for our webcast to get this information, please download Jon Oltsik’s report “Enterprise Information Security in Transition”.
If you want to skate to where the puck is going in security today, it’s best to think big – as in Big Data. To detect stealthy breaches by advanced adversaries, you need to analyze a greater volume and variety of data, at a greater velocity – the so-called “3 V’s” of Big Data. Big Data analytics is as critical to security as to any other field, because it holds the promise of analyzing data sets too large to process in the past – in other words, solving previously unsolvable problems. In this way, it can help discover insights – such as security compromises or malicious behavior – that would have otherwise lain hidden.
The best way to obtain security analytics at Big Data scale is with a purpose-built security intelligence architecture that can scale to meet your needs, unpredictable as they might be. You want a solution that can expand as your business grows, as you analyze new types of security data, and as your security process maturity increases. One requiring minimal administration but offering maximum flexibility. In other words, a security intelligence cloud.
Just what is a security intelligence cloud? (No, it’s not a cloud-delivered security intelligence solution.)
It starts with the building blocks of security intelligence:
- Integrated capabilities for SIEM, log management, behavioral anomaly detection, configuration & vulnerability management, and forensics
- Via a pre-packaged and scalable solution, just as you would expect from a SaaS application
This contrasts with the inflexible architectures and non-scalable databases of legacy security products.
Let’s consider the most appealing characteristics of cloud computing and their role in a Security Intelligence (SI) Cloud:
- Scalability and elasticity – This is arguably the most central aspect of cloud computing, and the security intelligence cloud in particular. Through an architecture that supports high-speed data collection and real-time correlation, using a flexible and distributed database, an SI cloud not only performs security analytics at Big Data scale but also adjusts on-demand to changing needs.
- Location independence – A security intelligence cloud enables you to capture data from anywhere in your network, correlate it globally, and make it available instantaneously to users worldwide. By using a federated, distributed data architecture that abstracts physical data stores, an SI cloud eliminates underlying data management complexity – just as an IaaS cloud solution abstracts the physical locations and capacities of server hardware from the IaaS customer.
- Agility – An essential element of the cloud model, agility is critical for security intelligence deployments because the volume and variety of data monitored will grow over time, and you might need to change the types or locations of data collection sensors across your network.
- Cost structure – Whether you deploy your security intelligence cloud on a (virtualized) cloud platform might determine how much you end up substituting operational for capital expense, but either way, an SI cloud should provide a cost-effective and growth-friendly solution that doesn’t require large expenditures for incremental volume increases.
- Maintenance – An SI cloud can offer further benefit through the use of appliances that are pre-configured and require minimal infrastructure management. This allows users to focus on the task at hand: detecting the risks that matter and remediating them appropriately.
- Reliability – A modern SI cloud offers native, integrated high availability and data redundancy to enhance overall reliability, like public cloud services.
Just as server virtualization is a foundational technology for cloud computing, a security intelligence cloud can leverage virtualization for cost and agility benefits, as warranted by the organization’s preferences, existing virtual infrastructure, and provisioning speed requirements. It can run on-premise, off-premise or in a hybrid of both. While most customers find the provisioning of hardware appliances fast enough, virtual appliances provide an excellent option when on-demand capacity is needed in minutes.
What’s most important, though, is for the SI cloud to provide a highly elastic data management layer, so that actual system capacity can increase proportionately with storage and computing, rather than get bottlenecked due to architectural constraints.
Collectively, these capabilities enable a security intelligence cloud to be an agile platform for big data security analytics. And we believe QRadar provides the ideal security intelligence cloud, because it fits the requirements above so well.
Major enterprises are using QRadar today to collect and correlate billions of events and network flows per day, in deployments that span multiple locations and connect previously siloed operational groups.
- A Fortune 100 telecommunications provider collects and monitors one million events per second – more than 85 billion events per day – to ensure security and regulatory compliance across its massive customer operations.
- A global energy company uses QRadar to ensure NERC and PCI-DSS compliance (monitoring 6 million card swipes per day) while correlating 2 billion events per day. It performs real-time analysis to determine the 25-50 priority incidents that matter each day – for a roughly 40-million-to-one data reduction ratio.
With the recent release of QRadar 7.1, there are even more ways to use QRadar in the cloud, and to manage big data security analytics. For example, Index Management enables higher performance and better use of storage, through advanced reporting and tuning capabilities. QRadar is also complemented by several recently released IBM Security products that are making cloud computing safer and more effective.
For a related perspective, I also recommend my colleague Chris Poulin’s recent paper, which discusses how an organization’s security or risk management group can use security intelligence as an internal cloud service to support groups such as firewall management, systems management and network management.
To close with another of my favorite Gretzky quotes, you miss 100 percent of the shots you don’t take! Don’t miss your chance to learn what a modern security intelligence solution can do for your business. Take the next step in our QRadar Resource Center.