IBM Security Systems
IBM Security Intelligence Platform with Identity Management and Single Sign-On
Franc Červan (franc.cervan@si.ibm.com), IBM CEE Security technical sales
© 2013 IBM Corporation

Nobody is immune. There is no end in sight.
[Chart: 2011 Sampling of Security Incidents by Attack Type, Time and Impact. Attack types: SQL Injection, URL Tampering, Spear Phishing, 3rd Party Software, DDoS, SecureID, Trojan Software, Unknown. Sectors hit, Jan to Dec 2011: Online Gaming, Gaming, Defense, Entertainment, Central Government, State and National Police, Consumer Electronics, Banking, Consulting, Marketing Services, Internet Services, IT Security, Apparel, Telecommunications, Online Services, Financial Market, Insurance, Agriculture, Heavy Industry. Size of circle estimates relative impact of breach in terms of cost to business. Source: IBM X-Force® Research 2011 Trend and Risk Report]

Customer Challenges
• Detecting threats: arm yourself with comprehensive security intelligence
• Consolidating data silos: collect, correlate and report on data in one integrated solution
• Detecting insider fraud: next-generation SIEM with identity correlation
• Better predicting risks to your business: full life cycle of compliance and risk management for network and security infrastructures
• Addressing regulation mandates: automated data collection and configuration audits
Solving Customer Challenges
• Major Electric Utility, detecting threats: discovered 500 hosts with the "Here You Have" virus, which other solutions missed
• Fortune 5 Energy Company, consolidating data silos: 2 billion logs and events per day reduced to 25 high-priority offenses
• Branded Apparel Maker, detecting insider fraud: trusted insider stealing and destroying key data
• $100B Diversified Corporation, predicting risks against your business: automating the policy monitoring and evaluation process for configuration change in the infrastructure
• Industrial Distributor, addressing regulatory mandates: real-time extensive monitoring of network activity, in addition to PCI mandates

QRadar Security Intelligence Platform

Solutions for the Full Compliance and Security Intelligence Timeline
Prediction & Prevention (What are the external and internal threats? Are we configured to protect against these threats?): Risk Management, Vulnerability Management, Configuration Monitoring, Patch Management, X-Force Research and Threat Intelligence, Compliance Management, Reporting and Scorecards.
Reaction & Remediation (What is happening right now? What was the impact?): SIEM, Log Management, Incident Response, Network and Host Intrusion Prevention, Network Anomaly Detection, Packet Forensics, Database Activity Monitoring, Data Loss Prevention.
Fully Integrated Security Intelligence: one console security, built on a single data architecture
• Log Management: turn-key log management and reporting; SME to Enterprise; upgradeable to enterprise SIEM
• SIEM: log, flow, vulnerability & identity correlation; sophisticated asset profiling; offense management and workflow
• Configuration & Vulnerability Management: network security configuration monitoring; vulnerability prioritization; predictive threat modeling & simulation
• Network Activity & Anomaly Detection: network analytics; behavioral anomaly detection; fully integrated in SIEM
• Network and Application Visibility: Layer 7 application monitoring; content capture for deep insight & forensics; physical and virtual environments

Security Intelligence: QRadar provides in-depth security visibility
[Dashboard screenshot: IBM X-Force® Threat Information Center; Identity and User Context; Real-time Security Threats and Prioritized "Offenses"; Real-time Network Visualization and Application Statistics; Inbound Security Events]

QRadar: clear, concise and comprehensive delivery of relevant info
• What was the attack?
• Was it successful?
• Who was responsible?
• Where do I find them?
• How many targets were involved?
• How valuable are the targets to the business?
• Are any of them vulnerable?
• Where is all the evidence?

Major Electric Utility: detecting threats
• Discovered 500 hosts with the "Here You Have" virus, which other solutions missed
• Potential botnet detected? This is as far as a traditional SIEM can go.
• IRC on port 80? IBM Security QRadar QFlow detects a covert channel.
• Irrefutable botnet communication: the Layer 7 flow data contains the botnet command and control instructions.
• Application layer flow analysis can detect threats others miss.

Fortune 5 Energy Company: consolidating data silos
• 2 billion logs and events per day reduced to 25 high-priority offenses
• QRadar judges the "magnitude" of an offense from three factors:
  – Credibility: a false positive or a true positive?
  – Severity: alarm level contrasted with target vulnerability
  – Relevance: priority according to asset or network value
• Priorities can change over time based on situational awareness
• Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight

Branded Apparel Maker: detecting insider fraud
• Trusted insider stealing and destroying key data
• Potential data loss. Who? An internal user. What? Oracle data. Where? Gmail.
• Threat detection in the post-perimeter world: user anomaly detection and application level visibility are critical to identify insider threats

$100B Diversified Corporation: predicting risks against your business
• Automating the policy monitoring and evaluation process for configuration change in the infrastructure
• Which assets are affected? How should I prioritize them?
• What are the details? Vulnerability details, ranked by risk score
• How do I remediate the vulnerability?
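The "IRC on port 80" case above is the whole argument for Layer 7 flow analysis: a port-based view files the flow under HTTP, and only the payload reveals IRC and the instructions the bot is receiving. The following is an added example, not QFlow code and not from the IBM deck. It classifies constructed flow records by payload, compares the result with what the destination port implies, and pulls the PRIVMSG bodies out of any IRC found where it should not be. The port table, the protocol fingerprints and the sample flows are assumptions made for the example.

```python
"""Application-layer flow classification over constructed flow records.

Added example (not IBM or QFlow code). Port says HTTP, payload says IRC:
that mismatch is the covert channel the slide describes, and the
PRIVMSG lines are the command-and-control instructions.
"""
import re
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # excerpt of the flow payload (constructed)


# What a port-based view would assume (assumption, not a QFlow table).
EXPECTED_BY_PORT = {80: "http", 443: "tls", 6667: "irc", 21: "ftp"}

# Minimal protocol fingerprints, enough for the example.
HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
IRC_CMD = re.compile(rb"^(NICK|JOIN|PRIVMSG|PONG) ", re.M)
FTP_CMD = re.compile(rb"^(USER|PASS|STOR|RETR) ", re.M)
TLS_CLIENT_HELLO = b"\x16\x03"  # TLS record type 22 (handshake), major version 3


def classify_payload(payload):
    """Identify the application protocol from the payload alone."""
    if HTTP_REQ.match(payload):
        return "http"
    if payload.startswith(TLS_CLIENT_HELLO):
        return "tls"
    if IRC_CMD.search(payload):  # checked before FTP: both use USER
        return "irc"
    if FTP_CMD.search(payload):
        return "ftp"
    return "unknown"


def irc_c2_commands(payload):
    """Extract PRIVMSG bodies, where a bot receives its orders."""
    return [m.decode(errors="replace")
            for m in re.findall(rb"^PRIVMSG \S+ :(.*?)\r?$", payload, re.M)]


def detect_covert_channels(flows):
    """Flag flows whose observed protocol contradicts the destination port."""
    findings = []
    for f in flows:
        observed = classify_payload(f.payload)
        expected = EXPECTED_BY_PORT.get(f.dport, "unknown")
        if "unknown" not in (observed, expected) and observed != expected:
            findings.append({
                "src": f.src, "dst": f.dst, "dport": f.dport,
                "expected": expected, "observed": observed,
                "c2": irc_c2_commands(f.payload) if observed == "irc" else [],
            })
    return findings


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("10.1.5.23", "93.184.216.34", 80,
         b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("10.1.5.77", "198.51.100.9", 80,
         b"NICK [USA|XP|77]\r\nUSER w 0 * :w\r\nJOIN #c\r\n"
         b"PRIVMSG #c :.ddos.syn 203.0.113.5 80 300\r\n"),
    Flow("10.1.5.77", "198.51.100.9", 6667, b"NICK x\r\nJOIN #c\r\n"),
    Flow("10.1.5.40", "192.0.2.10", 443, b"\x16\x03\x01\x00\xa5\x01\x00"),
]

if __name__ == "__main__":
    for hit in detect_covert_channels(SAMPLE_FLOWS):
        print(hit)
```

Only the second flow is reported: IRC on 6667 and TLS on 443 match their ports, so the rule fires on the protocol contradiction rather than on IRC as such, which is what keeps it quiet on legitimate chat servers.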
• Pre-exploit security intelligence: monitor the network for configuration and compliance risks, and prioritize them for mitigation

Industrial Distributor: addressing regulatory mandates
• Real-time extensive monitoring of network activity, in addition to PCI mandates
• PCI compliance at risk? Real-time detection of a possible violation.
• Unencrypted traffic: IBM Security QRadar QFlow saw a cleartext service running on the Accounting server. PCI DSS Requirement 4 states: encrypt transmission of cardholder data across open, public networks.
• Compliance simplified: out-of-the-box support for major compliance and regulatory standards; automated reports, pre-defined correlation rules and dashboards

Security intelligence at work: SIEM in action
Data sources: Security Devices, Servers & Mainframes, Network & Virtual Activity, Data Activity, Application Activity, Configuration Info, Vulnerability & Threat, User Activity. 2 billion security records per day are reduced to 25 security offenses per day.
• Reliable, secure and scalable log data storage
• Advanced security data correlation turning data into information
• Advanced and easy to use rule based security event correlation engine to extract the real security offenses

Threat Protection & QRadar improve your visibility and prevention
[Architecture diagram: the data sources above feed Event Correlation, Activity Baselining & Anomaly Detection and Offense Identification; networks, servers, endpoints, applications and scanners add attacks, audits, status events and vulnerabilities from SiteProtector & IPS]
Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight
• Helps find threats other SIEMs might miss by combining Network Protection's Protocol Analysis Module signature analysis and
QRadar's anomaly detection capabilities
• Enables immediate real-time threat awareness and powerful threat and offense prioritization capabilities to establish definitive evidence of attack and visibility into all attacker communications
• Integrates X-Force security content
• Outstanding coverage available within the full SIEM solution or the targeted Network Anomaly Detection offering

zSecure & QRadar add protection for mainframe environments
[Architecture diagram as above; System z (RACF, ACF2, Top Secret, CICS, DB2) feeds alerts, unauthorized log-ins, policy violations, configuration changes, etc. from zSecure Alert & zSecure Audit into the Servers & Mainframes data source]
• Centralizes the enterprise security view, allowing identification and remediation of excess mainframe access, threats and concerns
• Strengthens mainframe security operations and helps improve protection for the critical mainframe environment
• Triggers complex correlation of threats, insider fraud and business risk as easy to understand "offenses" for further investigation and follow-up
• Stores event data in a forensically secure database to address regulation mandates
• Improves compliance reporting by simplifying audit and management efforts

InfoSphere Guardium & QRadar protect your most sensitive data
Architecture diagram as above; databases, data warehouses, Hadoop based systems and file shares feed the Data Activity source with in-depth data activity monitoring and security insights from InfoSphere
Guardium.
• Detects anomalous behavior and malicious access to sensitive data
• Focuses customers on key data access events coming from InfoSphere Guardium while saving operational costs by not transmitting and storing insignificant events
• Provides broader, enterprise network security context for InfoSphere Guardium alerts and events, helping identify advanced threats
• Improves compliance reporting with automated data access reports

Guardium and QRadar (Data Security Integration)
Guardium provides database monitoring & vulnerability assessment and sends Guardium logs, database vulnerability data and identified risk to QRadar.
Enhanced data protection through correlation with database activity:
– Collects and categorizes Guardium events for easy searching, reporting and correlation with other data
– Correlates database activity with QRadar network activity to detect anomalous and suspicious behavior. For example, an alert is issued when multiple failed logins to a database server are followed by a successful login and access to credit card tables, then followed by an FTP upload to a questionable external site.
Database vulnerability sharing:
– Pulls database vulnerability data from Guardium into QRadar Asset Profiles to get more complete asset data for databases.
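The four-step rule in the Guardium example (failed logins, then a successful login, then access to a credit card table, then an FTP upload to an external address) is a stateful sequence rule, and the order and the time window are what separate it from four independent alerts. The following is an added example, not a QRadar rule export and not IBM code: a per-source state machine over constructed database and network events. The threshold, the window, the sensitive table names and the internal address ranges are assumptions made for the example.

```python
"""Multi-stage correlation over constructed database and network events.

Added example (not IBM or QRadar code). One state machine per source host
walks the chain failed logins -> successful login -> sensitive table ->
external FTP upload, and emits an offense only when the whole chain
completes inside one time window.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Event:
    ts: int      # seconds (constructed values)
    src: str     # originating host
    kind: str    # db_login_failed | db_login_ok | db_query | ftp_upload
    detail: str  # account, table name or FTP destination


# Rule parameters (assumptions, not QRadar defaults).
FAILED_LOGIN_THRESHOLD = 3
WINDOW_SECONDS = 600
SENSITIVE_TABLES = {"CREDIT_CARDS", "CARDHOLDER", "PAN_VAULT"}
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip):
    """Anything outside the assumed internal ranges is a 'questionable external site'."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(events):
    """Return one offense per source host that completes the four-stage chain."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)

    offenses = []
    for src, seq in by_src.items():
        stage, fails, chain = 0, [], []
        for e in seq:
            # Age out state so an old burst of failures cannot arm the rule later.
            fails = [f for f in fails if e.ts - f.ts <= WINDOW_SECONDS]
            if chain and e.ts - chain[0].ts > WINDOW_SECONDS:
                stage, chain = 0, []
            if e.kind == "db_login_failed":
                fails.append(e)
                if stage == 0 and len(fails) >= FAILED_LOGIN_THRESHOLD:
                    stage, chain = 1, [fails[0]]
            elif e.kind == "db_login_ok" and stage == 1:
                stage, chain = 2, chain + [e]
            elif e.kind == "db_query" and stage == 2 and e.detail.upper() in SENSITIVE_TABLES:
                stage, chain = 3, chain + [e]
            elif e.kind == "ftp_upload" and stage == 3 and is_external(e.detail):
                chain = chain + [e]
                offenses.append({"src": src, "start": chain[0].ts, "end": e.ts,
                                 "evidence": [(x.kind, x.detail) for x in chain]})
                stage, fails, chain = 0, [], []
    return offenses


# Constructed events, not real logs. First host completes the chain;
# second host looks the same until the upload, which stays internal.
SAMPLE_EVENTS = [
    Event(1000, "10.2.0.15", "db_login_failed", "sa"),
    Event(1005, "10.2.0.15", "db_login_failed", "sa"),
    Event(1011, "10.2.0.15", "db_login_failed", "sa"),
    Event(1020, "10.2.0.15", "db_login_ok", "sa"),
    Event(1045, "10.2.0.15", "db_query", "credit_cards"),
    Event(1130, "10.2.0.15", "ftp_upload", "203.0.113.77"),
    Event(2000, "10.2.0.99", "db_login_failed", "dba"),
    Event(2004, "10.2.0.99", "db_login_failed", "dba"),
    Event(2009, "10.2.0.99", "db_login_failed", "dba"),
    Event(2015, "10.2.0.99", "db_login_ok", "dba"),
    Event(2100, "10.2.0.99", "db_query", "credit_cards"),
    Event(2150, "10.2.0.99", "ftp_upload", "10.2.0.200"),
]

if __name__ == "__main__":
    for offense in correlate(SAMPLE_EVENTS):
        print(offense)
```

The offense carries the evidence chain, which is what an analyst needs to answer the "what, was it successful, who, where is the evidence" questions from the earlier slide; the second host, whose upload went to an internal address, produces nothing.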
AppScan & QRadar improve threat detection accuracy
[Architecture diagram as above; web applications, mobile applications, web services and desktop applications feed Application Activity and Vulnerability & Threat with application vulnerability assessments from AppScan]
• Strengthens threat detection and offense scoring capabilities
• Correlates known application vulnerabilities with other real-time events and alerts to elevate meaningful offenses
• Enhances proactive risk management assessments by prioritizing critical application vulnerabilities

AppScan and QRadar (Application Security Integration)
AppScan components: AppScan Enterprise (web client and server), AppScan Standard (DAST desktop client), AppScan Source (SAST desktop client), AppScan Enterprise Dynamic Analysis Scanners (server-based DAST). AppScan publishes application vulnerability data to QRadar; QRadar returns identified risk.
Application vulnerability sharing:
– QRadar imports application vulnerability data published by AppScan on a regular basis.
– QRadar shows vulnerability details on the Asset Profile (V7.1).
Promoting use of vulnerability data, correlation and alerts:
– Enables QRadar to correlate network and event activity with application vulnerabilities, helping determine the priority (rank) of offenses and assess the potential impact of an attack.
– Initiates scanning from QRadar
– Sends alerts to AppScan administrators

Endpoint Manager & QRadar tighten endpoint security
[Architecture diagram as above; servers, clients, mobile devices and POS, ATM and kiosk endpoints feed Configuration Info, Vulnerability & Threat and Threat Intelligence with endpoint intelligence data from Endpoint Manager]
• Increases vulnerability database accuracy, improving offense and risk analytics to limit potential offenses
• Establishes a baseline for endpoint states and improves alerting on variations to detect threats other SIEMs might miss
• Speeds remediation of discovered offenses using Endpoint Manager automation
• Represents AV/DLP alerts within the consolidated enterprise security view, helping correlate advanced threat activities
• Improves compliance reporting with deep endpoint state data

Tivoli Endpoint Manager and QRadar (Endpoint Security Integration)
Network & endpoint security combined. [Diagram: TEM and QRadar in a Report / Enforce / Publish / Evaluate cycle]
– TEM forwards endpoint Fixlet (policy) status messages to QRadar for correlation. (Shipping)
– TEM exports endpoint configuration and vulnerability data to QRadar to increase coverage and accuracy of QRadar asset profiles.
– QRadar exports network asset data to TEM, allowing complete reporting on network devices.
TEM sends QRadar: Fixlet status, configuration, vulnerability data.
QRadar sends TEM: network asset data, identified risk.
– QRadar Risk Manager (QRM) correlates assets, vulnerabilities, configuration and network activity to identify risky endpoints and exports them as a group to TEM for high-priority analysis and remediation.
– Bidirectional, closed-loop remediation workflow: QRadar detects vulnerable systems and forwards them to TEM; TEM executes the remediation and sends an update back to QRadar.

Identity & Access Management products & QRadar uncover malicious behaviors
[Architecture diagram as above; user log-ins, access rights and group memberships feed User Activity with identity information and user activity from IAM products]
• Provides the ability to insert user names into reference sets used for writing searches, reports and rules
• Improves the ability to defend against insider threats involving privilege escalation or inappropriate data access
• Facilitates compliance reporting by pairing user identities with access to sensitive data

IAM and QRadar (Identity Security Integration)
Security Identity Manager manages accounts on applications, databases, operating systems, networks and physical access; its identity repository supplies identity mapping data and user attributes, SIM/SAM server logs and application logs to QRadar.
Identity enriched security intelligence, technical features:
– Retrieves user identity data including ID mapping (from an enterprise ID to multiple application user IDs) and user attributes (groups, roles, departments, entitlements).
– Queries data (events, flows, offenses, assets) relative to an enterprise user ID and its mapped application user IDs
– Selects user identities for easy creation of correlation rules
– Reports on all the activities (under different application user IDs) of an enterprise user
Use cases:
– Privileged user activity monitoring
– Terminated employee access detection
– Separation of duty violation detection
– User account recertification
– Ensuring appropriate access control settings
– Backdoor access detection

Identity Management

Identity Management: WHO has ACCESS to WHAT and WHY?
People, Policy, Resources

The Who in Identity Management
Users are people who need access to resources. Users can be internal or external to the organization: employees, students, customers, business partners, citizens.
Example, Jane Doe's HR information in the HR system: Name: Jane Doe; Dept: Accounting; Manager: John Smith; Address: 10 Main St.; Tel. No: 555-1212; Bus Role: Benefits Administrator

The What in Identity Management
Accounts give people access to resources. Examples of resources: operating systems (UNIX, Windows), databases (DB2, Oracle), applications (SAP, Lotus Notes), directories (Active Directory).
Jane Doe's accounts on those resources: UNIX: jdoe; AD: janedoe; RACF: jd044595
The user account generally consists of:
• A userid, which grants initial access
• A password
• Group or role assignments, which grant access/privileges

How is Access granted, and Why
People (who), Policy, Resources (what). Policy defines who can access resources. Policy is made up of membership and entitlements. Workflow and approvals define the business process and ensure that the right people are given the right access.
Policy membership can be defined through roles:
• Business Roles: collections of users by job function
• Application Roles: collections of resources or entitlements
Membership: individual vs group. Examples of group membership: Active Directory group policies, SAP authorizations.

IBM Security Identity Manager (ISIM): Roles / Requests

IBM Security Identity Manager: how it works
Automates, audits and remediates user access rights across your IT infrastructure. Flow: an identity change (add/del/mod) arrives from HR systems/identity stores, the access policy is evaluated, approvals are gathered and accounts are updated on applications, databases, operating systems, networks & physical access, plus in-house systems & portals. Accounts on 70 different types of systems are managed.
Cost
• Self-service password reset
• Automated user provisioning
• Reduce cost
Complexity
• Consistent security policy
• Quickly integrate new users & apps
• Simplify complexity
Compliance
• Know the people behind the accounts and why they have the access they do
• Automate the user privilege lifecycle across the entire IT infrastructure
• Detect and correct local privilege settings; fix non-compliant accounts
• Match your workflow processes
• Closed-loop provisioning
• Access rights audit & reports
• Address compliance

ISIM Workflow: new employee process
[Workflow diagram, labels: HR System, HR Position, John Smith, Sending Request, Manager Acceptance, Application Owner Approvers, Notification, Reminder Notification, Delay, Automatic permission grant, Automatic permission termination]

ISIM: role vs request based access control (a spectrum from request based, through coarse roles plus optional access, to role based)
Investments: Publish Service Catalog (request based); Define Coarse Roles Plus Optional Access (hybrid); Define Role Based Access Control Model & Policies (role based)
Ongoing operational labor: User Initiates Access Request, Approvals Gathered (request based); Major Changes Automated, Minor Ones Requested (hybrid);
Update to User Attribute Initiates Access Change, Access Provisioned (role based)
Access Auto Provisioned, Approvals for Exceptions; Automatic Provisioning and Rights Verification
Compliance: Periodic Recertification (request based); Recertify Exceptions Only (hybrid); Policy Design (role based)

ISIM Compliance
1. Reconciliation: who has access to what? Compare policy with reality (do they match?) and identify orphan and dormant accounts, which are big security exposures.
2. Recertification: does this user still need this account or access entitlement? Establish an automated process for review and enforcement.
3. Reporting: prove it. Show auditors who has access to what and how they got it.

ISIM Reporting, sample operational reports
– Orphan Accounts Report
– Dormant Accounts Report
– Recertification Change History Report
– Pending Recertification Report
– Recertification Policies Report
– Individual Access Report
– Access Report

Solving the Privileged Identity Management problem requires going beyond traditional approaches
Traditional approaches: each administrator has a User ID on every system, or administrators share privileged User IDs. Problems:
• Exponential increase in privileged User IDs
• Risk of losing individual accountability
• Increased risk of mismanagement of privileged User IDs
• Issues with password management and security
• Increased User ID administration costs
• Out of step with regulatory thinking
This requires a solution that provides control, automation and accountability of privileged account access.

Enterprise Single Sign-On

Access Management
Users need access to sensitive data in many applications (EMR, PACS imaging, HR web, mainframe, SAP, Lotus Notes, Java, cloud). Complex passwords are impossible to remember, and users need much quicker access. The result: users logging on to the same shared Windows account without logging off applications, which violates policy and regulation.
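Two of the passages above describe data joins rather than products: the IAM integration maps one enterprise ID to many application user IDs so that activity logged as jdoe, janedoe and jd044595 rolls up to Jane Doe, and ISIM reconciliation compares managed accounts with the HR view to surface orphan and dormant accounts. The following is an added example, not ISIM or QRadar code, that does both over constructed identities, accounts and log lines, and also covers the terminated-employee use case from the IAM slide. The identity store, the account list, the dormancy threshold and the log line format are assumptions made for the example.

```python
"""Identity correlation and account reconciliation over constructed data.

Added example (not IBM, ISIM or QRadar code). Part one resolves
application user IDs to the enterprise identity; part two reconciles
managed accounts against the HR feed for orphan, dormant and
terminated-owner accounts.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Identity:
    eid: str      # enterprise ID
    name: str
    dept: str
    status: str   # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    system: str                 # UNIX, AD, RACF, Oracle ...
    userid: str
    owner_eid: Optional[str]    # None: no identity in HR claims it
    last_login: Optional[date]  # None: never used


# Constructed identity store, mirroring the deck's Jane Doe example.
IDENTITIES = {
    "E1001": Identity("E1001", "Jane Doe", "Accounting", "active"),
    "E1002": Identity("E1002", "John Smith", "Accounting", "active"),
    "E1003": Identity("E1003", "Bob Left", "IT", "terminated"),
}

TODAY = date(2013, 3, 1)  # fixed so the example is deterministic
DORMANT_DAYS = 90         # assumption for the dormancy threshold

# Constructed managed accounts as a reconciliation would collect them.
ACCOUNTS = [
    Account("UNIX", "jdoe", "E1001", TODAY - timedelta(days=2)),
    Account("AD", "janedoe", "E1001", TODAY),
    Account("RACF", "jd044595", "E1001", TODAY - timedelta(days=120)),
    Account("AD", "jsmith", "E1002", TODAY - timedelta(days=1)),
    Account("UNIX", "bleft", "E1003", TODAY - timedelta(days=3)),      # owner terminated
    Account("Oracle", "svc_report", None, TODAY - timedelta(days=400)),  # nobody owns it
]


def account_index():
    """(system, userid) -> enterprise ID: the ID mapping QRadar pulls from ISIM."""
    return {(a.system, a.userid): a.owner_eid for a in ACCOUNTS}


def activity_by_identity(log_lines):
    """Roll up 'SYSTEM userid action' log lines to the enterprise identity.

    Lines whose account maps to no identity are kept under an UNMAPPED key
    rather than dropped: that is where backdoor and ghost accounts show up.
    """
    idx = account_index()
    rollup = {}
    for line in log_lines:
        system, userid, action = line.split(" ", 2)
        eid = idx.get((system, userid))
        key = eid if eid else "UNMAPPED:%s/%s" % (system, userid)
        rollup.setdefault(key, []).append(action)
    return rollup


def reconcile():
    """Compare managed accounts with the HR view and classify the exceptions."""
    findings = {"orphan": [], "dormant": [], "terminated": []}
    for a in ACCOUNTS:
        owner = IDENTITIES.get(a.owner_eid) if a.owner_eid else None
        if owner is None:
            findings["orphan"].append((a.system, a.userid))
        elif owner.status == "terminated":
            findings["terminated"].append((a.system, a.userid, owner.name, a.last_login))
        if a.last_login is None or (TODAY - a.last_login).days >= DORMANT_DAYS:
            findings["dormant"].append((a.system, a.userid))
    return findings


# Constructed log lines in the assumed 'SYSTEM userid action' format.
SAMPLE_LOGS = [
    "UNIX jdoe sudo su -",
    "AD janedoe logon WORKSTATION-17",
    "RACF jd044595 read PAYROLL.MASTER",
    "UNIX bleft ssh-login from 10.9.9.9",
    "Oracle svc_report select CREDIT_CARDS",
    "AD ghost logon KIOSK-3",
]

if __name__ == "__main__":
    for key, actions in activity_by_identity(SAMPLE_LOGS).items():
        print(key, actions)
    print(reconcile())
```

Jane Doe's three differently named accounts collapse into one activity record, the terminated employee's still-used UNIX account and the ownerless Oracle service account come out of the reconciliation, and the AD logon by an account no system of record knows about is reported as unmapped rather than silently discarded.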
Access Management challenges
• Security: virtual desktops and applications accessed ubiquitously are protected by weak, shared passwords
• Costs: help-desk calls due to forgotten passwords can be expensive
• Compliance: do you know which nurse accessed which critical patient records from her virtual desktop?
• Productivity: desktop and application lockouts and slow access to applications hamper productivity

What if users only needed to remember 1 password?
One password to sign on to Windows, Windows applications, web applications, Java, Telnet, in-house developed and mainframe applications:
• With no need to modify applications
• Without modifying the directory used (Active Directory, etc.)
• With automatic renewal of expired passwords
• With self-service if a password is forgotten (no help desk call)
• And with quick deployment and incremental ROI (that just got quicker!)
In fact, what if we simplified user access with single password access, while strengthening security, saving costs and improving your compliance posture?

IBM Security Access Manager for Single Sign-On (ISAM ESSO): the Access Management solution
• Strengthen security: strong passwords; strong authentication
• Reduce costs: fewer helpdesk calls; save up to $25 per call!
• Demonstrate compliance: fine-grained audit logs; session management
• Increase productivity: no account lockouts; fast access to information

ISAM ESSO overview
• Single sign-on
• Supports strong authentication
• Kiosk sharing
• Password self service
• Web-based administration
• Browser-based remote access
• User access tracking & audit
• No change to the infrastructure
ISAM ESSO (formerly TAM E-SSO) enables visibility into user activity, control over access to business assets, and automation of the sign-on process in order to drive value for our clients.
ISAM ESSO architecture
[Architecture diagram]

ISAM ESSO Access Studio
• Profiling templates for applications: Windows, Java, terminal, mainframe (cursor-based, HLLAPI)
• Wizards: sign on, sign off, password change
• Advanced profiles
• Ability to test profiles
• Simple and quick implementation
• Automatic profiles for: Windows Explorer, Internet Explorer; web based applications; GINA, RDP

ISAM ESSO audit and tracking
• End user activity tracking
• Configuration change tracking
• Corporate application access tracking
• Custom event tracking
• Sample audit data: sign on/sign off, password change, 2FA, offline access
• Integration with external reporting tools

ISAM ESSO 2FA
Support for:
– Passive RFID (Mifare, HID iClass)
– Active RFID (Xyloc)
– Tokens (Vasco, Authenex)
– USB keys (DigiSafe, Charismathics)
– Mobile access code, delivered by SMS or e-mail
– Sonar
– Biometrics (UPEK, DigitalPersona)
The second factor can be required for sign on to the system, sign on to an application, and sign off.

ISAM ESSO and ISIM integration
• Logins and passwords generated by ISIM are pushed to ISAM ESSO
• The end user wallet is automatically updated during password change
• The end user wallet can be blocked from the ISIM interface
• Support for ISIM 4.6, 5.0, 5.1, 5.2

ibm.com/security
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials.
Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.