© 2013 IBM Corporation
IBM Security Systems
Page: 1
Security Intelligence
Speaker Name: AHMED EL NAHAS
Role: Technical Lead Security Intelligence - MEA
Email: AHMEDN@AE.IBM.COM
Date: 19-4-2013
Page: 2
Total Visibility: Product Portfolio, Services and Research
Page: 3
Agenda
Speaker: AHMED ELNAHAS
Topics:
• Information a Double Edged Sword
• WHY MEDIA? WHY NOW?
• Customer Challenges
• IBM Security Intelligence
• Use Cases
• Questions
Page: 4
INFORMATION IS POWER
Media Perspective Security Perspective
Page: 5
WHY MEDIA? WHY NOW?
• Newsroom systems have been communicating information back to web servers traced to other countries since 2008
• Media news organisations have been hit by Distributed Denial of Service attacks intended to bring their systems to a halt
• Media news organisations have been hit by attacks to deface their web sites
• An internal employee worked with hacking groups to deface the website of a major news organisation
• Media news blogs were hacked and false information was posted
Page: 6
What is going on here?
Page: 7
Time between attack phases (Verizon 2012 Data Breach Investigations Report; share of breaches per time unit):

Phase                                    Seconds  Minutes  Hours  Days  Weeks  Months  Years
Initial Attack to Initial Compromise     10%      75%      12%    2%    0%     1%      0%
Initial Compromise to Data Exfiltration  8%       38%      14%    25%   8%     8%      0%
Initial Compromise to Discovery          0%       0%       2%     13%   29%    54%+    2%
Discovery to Containment / Restoration   0%       1%       9%     32%   38%    17%     4%

Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf?CMP=DMC-SMB_Z_ZZ_ZZ_Z_TV_N_Z038
Page: 8
Example
A small network generates 1000 EPS (events per second). Let's put this in context:
• 1000 x 60 x 60 x 24 = 86,400,000 events per day (EPD)
• Assume an incident occurs once in every 100,000 events (1/100000)
• That is 864 incidents per day
Page: 9
Customer Challenges
• Making sense of data
• Operational efficiency
• Integration
• Complexity
• Ease of use
• Scalability
• Automation
Page: 10
Integrated Console
• Single browser-based UI
• Role-based access to information & functions
• Customizable dashboards (work spaces) per user
• Real-time & historical visibility and reporting
• Advanced data mining and drill down
• Easy to use rules engine with out-of-the-box security intelligence
Page: 11
Fully Integrated Security Intelligence
• Integrated log, threat, risk & compliance mgmt.
• Sophisticated event analytics
• Asset profiling and flow analytics
• Offense management and workflow
SIEM: collection of log events from network and security infrastructure
Page: 12
Total Security Intelligence
Suspected
Incidents
Page: 13
Total Security Intelligence
Page: 14
Monitor / Analyze / Act
• Auto-discovery of log sources, applications and assets
• Asset auto-grouping
• Centralized log mgmt
• Auto-tuning
• Auto-detect threats
• Thousands of pre-defined rules and role based reports
• Easy-to-use event filtering
• Advanced security analytics
• Asset-based prioritization
• Auto-update of threats
• Auto-response
Page: 15
Clear, concise and comprehensive delivery of relevant information:
• What was the attack?
• Who was responsible?
• How many targets involved?
• Was it successful?
• Where do I find them?
• Are any of them vulnerable?
• How valuable are the targets to the business?
• Where is all the evidence?
Page: 17
Complex Threat Detection
Sounds Nasty… But how do we know this? The evidence is a single click away.
• Buffer Overflow: exploit attempt seen by Snort
• Network Scan: detected by QFlow
• Targeted Host Vulnerable: detected by Nessus
Total Security Intelligence: convergence of Network, Event and Vulnerability data
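The convergence the slide describes, as an added example that is not IBM or QRadar code: an IDS alert is weighted up when flow data shows the same source scanning the target and when vulnerability-scan data says the targeted port is exposed. All sensor records are constructed inline and the field names and scoring weights are assumptions.

```python
from collections import defaultdict

# Constructed sample data (not real sensor output); field names are assumptions.
SNORT_EVENTS = [  # IDS alerts: exploit attempts against two internal hosts
    {"src": "203.0.113.7", "dst": "10.0.0.5", "dport": 445, "sig": "buffer overflow attempt"},
    {"src": "198.51.100.9", "dst": "10.0.0.8", "dport": 80, "sig": "buffer overflow attempt"},
]
FLOWS = [  # QFlow-style flow records: one source touches 40 ports on 10.0.0.5
    {"src": "203.0.113.7", "dst": "10.0.0.5", "dport": p} for p in range(1, 41)
] + [{"src": "198.51.100.9", "dst": "10.0.0.8", "dport": 80}]
NESSUS = {  # vulnerability scan results: host -> set of ports found vulnerable
    "10.0.0.5": {445},
    "10.0.0.8": set(),
}

def scan_sources(flows, threshold=20):
    """Return (src, dst) pairs where one source touched >= threshold distinct ports."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f["src"], f["dst"])].add(f["dport"])
    return {pair for pair, ps in ports.items() if len(ps) >= threshold}

def correlate(events, flows, vulns, threshold=20):
    """Build offenses: each IDS alert gains magnitude when the same source scanned
    the target (flow data) and when the targeted port is known vulnerable (scan data).
    The evidence list is what an analyst would see with the 'single click'."""
    scans = scan_sources(flows, threshold)
    offenses = []
    for e in events:
        evidence = [f"Snort: {e['sig']} {e['src']} -> {e['dst']}:{e['dport']}"]
        magnitude = 3  # assumed base weight for an exploit attempt on its own
        if (e["src"], e["dst"]) in scans:
            magnitude += 3
            evidence.append(f"QFlow: port scan of {e['dst']} from {e['src']}")
        if e["dport"] in vulns.get(e["dst"], set()):
            magnitude += 4
            evidence.append(f"Nessus: {e['dst']} vulnerable on port {e['dport']}")
        offenses.append({"target": e["dst"], "magnitude": magnitude, "evidence": evidence})
    return sorted(offenses, key=lambda o: o["magnitude"], reverse=True)

if __name__ == "__main__":
    for o in correlate(SNORT_EVENTS, FLOWS, NESSUS):
        print(o["target"], o["magnitude"], *o["evidence"], sep="\n  ")
```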
Page: 18
Potential Data Loss? Who? What? Where?
• Who? An internal user
• What? Oracle data
• Where? Gmail
Page: 19
User Activity Monitoring
• Authentication Failures: perhaps a user who forgot his/her password?
• Brute Force Password Attack: numerous failed login attempts against different user accounts
• Host Compromised: all this followed by a successful login.
Automatically detected, no custom tuning required.
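The escalation ladder on this slide, as an added example that is not IBM or QRadar code: a single pass over sshd-style auth log lines separates a user who mistyped one password from a source that failed against many distinct accounts, and escalates the latter to "host compromised" when a login from that source later succeeds. The log lines are constructed, and the account threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample auth log (sshd-like syslog format); not real data.
LOG = """\
Apr 19 10:00:01 host1 sshd[101]: Failed password for alice from 198.51.100.4 port 5001 ssh2
Apr 19 10:00:02 host1 sshd[102]: Failed password for bob from 198.51.100.4 port 5002 ssh2
Apr 19 10:00:03 host1 sshd[103]: Failed password for invalid user admin from 198.51.100.4 port 5003 ssh2
Apr 19 10:00:04 host1 sshd[104]: Failed password for carol from 198.51.100.4 port 5004 ssh2
Apr 19 10:00:05 host1 sshd[105]: Failed password for dave from 198.51.100.4 port 5005 ssh2
Apr 19 10:00:09 host1 sshd[106]: Accepted password for dave from 198.51.100.4 port 5006 ssh2
Apr 19 10:01:00 host1 sshd[107]: Failed password for erin from 192.0.2.10 port 6001 ssh2
Apr 19 10:01:05 host1 sshd[108]: Failed password for erin from 192.0.2.10 port 6002 ssh2
Apr 19 10:01:09 host1 sshd[109]: Accepted password for erin from 192.0.2.10 port 6003 ssh2
"""
LINE = re.compile(r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")

def classify(log, min_accounts=3):
    """Return {source_ip: verdict}. Failures against >= min_accounts distinct
    accounts from one source is a brute-force attack; a later successful login
    from that source escalates it to host compromised; anything else stays at
    plain authentication failures (the forgotten-password case)."""
    failed_users = defaultdict(set)   # source ip -> accounts it failed against
    verdicts = {}
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        outcome, user, src = m.groups()
        if outcome == "Failed":
            failed_users[src].add(user)
            if len(failed_users[src]) >= min_accounts:
                verdicts[src] = "brute force password attack"
        elif verdicts.get(src) == "brute force password attack":
            verdicts[src] = f"host compromised (login as {user})"
    for src in failed_users:          # sources that never crossed the threshold
        verdicts.setdefault(src, "authentication failures")
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify(LOG).items():
        print(f"{src}: {verdict}")
```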
Page: 23
Thank You
Page: 24
ibm.com/security
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational
purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages
arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the
effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the
applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services
do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in
these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to
be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are
trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product,
or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection
and response to improper access from within and outside your enterprise. Improper access can result in information being altered,
destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product
should be considered completely secure and no single product or security measure can be completely effective in preventing improper
access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve
additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT
WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

IBM Security intelligence v1 - ahmed el nahas


Editor's Notes

  • #11 In summary, Q1 Labs is uniquely qualified to provide you with solutions to address your growing compliance and security intelligence needs, before—during—and after threats take place. Now. Let’s talk about your specific issues that we can work on together.