Pulse 2012 theme keynote: Security and compliance
Brendan Hannigan, General Manager IBM Security Systems, and Sandy Bird,
CTO IBM Security Systems
Episode date: 03-06-2012
ANNOUNCER: Ladies and gentlemen, please welcome General Manager IBM
Security Systems Division, Brendan Hannigan and Chief Technology
Officer IBM Security Systems Division, Sandy Bird.
[ APPLAUSE ]
[ MUSIC ]
HANNIGAN: Thank you very much. And thank you for your attendance at
Pulse. We're looking forward today, as all security people do when
they get up, we're going to scare the living daylights out of you.
And our sales team will be at the end of the room to look for
appeals. [ LAUGHTER ]
No, what I hope to do, actually, everybody is very familiar with the
problems of security. And everybody has been reading a lot about it,
especially in the last few months. So what I would hope to do today
is just to give you a sense of what has changed in our world and in
your world... Because of course, security is always this to and fro
between you having protections, then the bad actors gaining new
mechanisms to attack your environment.
And then, the pendulum swings back and forth. And that's not new to
digital security; that's just security. What I want to give you is
some perspective on why it's more significant right now. We stay at a
pretty high level. Then, we'll talk about what IBM is going to
help...how IBM hopes to help you with that. And then we're going to
drill right in and let Sandy give you a sense of some of the really
bad stuff that's been happening; but more importantly, what can be
done to help stop it. So to kick it off, here's what I hope...here's
what myself and Sandy hope that you will take away from today.
Firstly, the power of intelligence and analytics as applied to
security. This is a major and significant trend in our industry. We
believe that this is a significant new capability that enterprises
can deploy to help you address the security challenges you face and
to get on the offensive, in terms of protecting your environments.
The other thing is applying that intelligence and adding that
automation and instrumentation across your entire environment -- not
just looking at the point products, not just looking at the latest
hot technology; looking at everything.
And lastly, I hope you get a sense that the IBM company has really
listened to you as it relates to security; has made a huge investment
in the creation of a security division, which as of January 1 has
2,000 people dedicated to the task of the CISOs and the CIOs and your
job of securing your enterprise. And that's the first time that that
has happened. We have great technologies at IBM, but now we have a
whole organization set up to help you secure your environments.
Let's link it to today and what's been going on at Pulse. It is
unbelievable. I guess IBM has been spiking my drinks because I'm in
the Kool-Aid. I am drinking the Kool-Aid around the Smarter Planet,
Smarter Commerce, Smarter Cities and everything you have to see. And
everywhere you hear, you hear something else. Who would have thought
that a tennis organization would have at its foundation cloud
analytics and automation? The City of Madrid uses analytics as the
basis for its emergency response system at the core of that.
We have a famous deployment at IBM in Rio de Janeiro where 20
different departments are wholly reliant upon IBM technology to bring
data in and master and control their operations. A customer of ours
at SEPA Energy has deployed millions of smart meters across Southern
California. Just think about it. Smart meters, which improve the
efficiencies of metering, automation of their business.
They're meshed together, they're IP network controlled and actually,
a lot of smart meters today have a chip in them so that they can
actually control your appliances in your house. So if those anonymous
hackers ever get control of that network and your TV turns on late at
night you know that they're really getting close to you. [ LAUGHTER ]
But I mean, what it really speaks to is what we spoke about earlier
this morning. We're not just automating back office processes; entire
businesses are being transformed, our technology is right at the
heart of that. Instrumentation of all aspects of technology,
interconnection of every single piece of it and then applying
intelligence on top of it. And so, if something goes wrong under some
security concern it has an impact on the business. The other thing,
when you look at how businesses are relying upon that, the other
aspect of that is that...I'm getting distracted because our slides
aren't up there. I'm not sure why.
The other aspect of that is that as we look at where attackers are
coming at us, take your regional town or something like that.
Attackers go where the money is. Right? You want to get money, you go
rob a bank. If you're in my town, you would spend most of your time
trying to find a bank. And you've backed up the truck, you wouldn't
find any money. The money is in the digital aspects of our
corporations. And these attackers are becoming incredibly
sophisticated, and that sophistication can be a targeting use
specifically, and that is a big change. It's not about searching
randomly for vulnerabilities that exist in software and happening to
find one in your organization.
It's actually targeting your company because they want your assets,
finding out who your executives are, finding out who their
administrative assistants are, targeting them with an email. They
click on it, something gets installed in the computer, they're in,
they're searching around your organization. The other thing is we
have a big customer of ours, a spectacular customer in the food
industry. An older industry -- it's not like a leading edge in
security like the banking industry.
And in that food industry, they wouldn't worry that much about
digital security; they'd worry about hackers or activists chaining
themselves to fences or chaining themselves to their trucks because
they don't like how they're building fertilizer or whatever. Now
they're really, really worried. And they're really worried because
they're worried about these activists coming in and fundamentally
changing their...altering how their business is operating. So those
are the two fundamental changes between the normal to and fro in
security.
In the digital world, the people who are trying to do bad to us are
much more sophisticated. And our companies, the business models our
companies rely upon, the innovation that Danny spoke about, that is
transforming business, and at the heart of that business is the
digital assets that we have to secure. And unfortunately for you and
all of us in the room, despite all of that, -- those are the two
things, but despite all of that, you still must operate in a world
where you have to support the basis of that innovation.
Secure infrastructure from the cloud, secure applications running
from the cloud -- they might be security applications or they may be
other applications -- this is a foundation for the future of
innovation and it's creating huge challenges for you that you don't
even control. The other thing you have to look at is not just
mobility -- we talked a lot about mobility -- in the area of
security, we actually really talk about the consumerization of IT.
Why is that? It's not so much that we bring our BlackBerries into
work. I actually am one of the few who still does.
It's that the nature of how we use our product has changed and
consumers are intimately using both their laptops and their
endpoints, sharing information, uploading information, doing things
and now your assets are on that same piece of information.
We had a customer of ours and their executive assistant of a managing
partner of a hedge fund, a very successful hedge fund, was innocently
using technology on her laptop to automate and manage her contacts
with an online site. And then all of a sudden she decided to upload
her content, and what happened? She was uploading all of her boss'
content: the mobile phones of presidents, senators, and all the
managing partners on Wall Street. I'm sure Occupy Wall Street would
have loved to have had a hold of that information. That's what the
consumerization of IT is. It's not just about the mobile device; it's
about the nature of how they're being used.
And the last thing, of course, the challenge you face is just the
monstrous explosion of data as the result of the automation that's
happening in our environments and the business. Great stats,
actually. In the last two years, more content has been generated than
the last...than forever, within the last two years on the Internet.
Every 60 days we generate more content on YouTube than was generated
in the previous 60 years by the network channels. And you know what's
happening in your companies; and actually, we know what's happening
in the security world. We've got a big oil customer of ours and two
billion pieces of information a day coming in for analysis, in terms
of security instrumentation -- two billion pieces of information from
across that large oil company. But it's not just large oil companies.
We've got a customer with a couple of thousand employees and a couple
of people in the IT department; they get millions of events a day.
What do you do with that information? It's unbelievable. This poor
man has gone bald and gray looking for his...whatever it is he's
looking for on those discs. [ LAUGHTER ]
But here's the result. And you know, we don't do it to say, oh, you
should get scared, because everybody knows the reality of what's
happening out there. There's challenges in our infrastructure and the
vendors of security products haven't been able to solve these and
keep up as quickly as they should to help protect our environments.
So what this slide represents are some of the challenges that
happened last year and the significance of the challenge. And what is
significant just ties back to everything we've been talking about in
terms of the Smarter Planet. These breaches fundamentally impacted
the businesses and how they operate.
Sony corporation -- this wasn't a convenience; this was an absolute
horror for their business. And that is true for nearly every single
one of these breaches. And that is what's changed. The great thing,
the spectacular innovation is occurring; the challenge is, when
something goes wrong it has a spectacular impact on the functioning
of the business.
What are you feeling, then? And what are we seeing? And what is the
IBM corporation seeing? Is obviously, a few years ago, could you even
imagine having a conversation about security with your CEO or with
your board? I was speaking with somebody yesterday; they report every
two weeks to the audit committee of their company about their
security posture and what's happening. When something goes wrong or
there's some kind of a breach, they have to go to their audit
committee, which is part of the board of a huge major corporation and
explain it. They're trying to explain what an SQL injection attack
and why it can happen and where it can happen. And they're explaining
to their board members, because guess what? It's that important. And
actually, in the case of IBM corporation, IBM was listening to our
customers and our CIOs and the CEOs of companies all over the world.
Those companies were saying, we need some help here. We need help, we
need help to get control of this problem at the level of the CEO and
CIO. Please don't tell me we've got a next generation firewall;
please tell me you have to solve my security problem in its entirety.
So now I'm going to spend a few minutes talking about what our
strategy is and how we hope to help you, our clients and customers,
over the next few years. First and foremost, built into our mind when
we look at security and the challenges in the security industry is
the simple realization that yes, there are wonderful technologies
which can help you in particular situations with particular
problems... But unfortunately, there's so many technologies from so
many different vendors which are horribly complex. This is one of the
biggest challenges of security.
And Danny alluded to this, as well: the shiny toy is great, but it is
not a replacement for something much more holistic, much more
substantial that spans all aspects of your security domain. Customers
are struggling mightily with this problem. And we go to the RSA
Conference every year, which was just last week in California. And
I'm sure many of the security practitioners here were there, also.
The challenge with the security conference is when you walk in the
trade floor -- and I've been in this business for 25 years -- and I
walk around and I talk to various different companies, and I walk off
the trade floor and I'm confused.
There's too many overlapping technologies from too many different
vendors. And while a technologist may be able to get control over one
aspect of one technology for one problem on one part of your network
for a specific type of application or whatever, the reality is when
you go and try and represent that value to your CISO they haven't got
a clue what you're talking about. When the CISO tries to talk to the
CIO or the CEO, it makes absolutely no sense. This is a morass of
complexity.
What IBM has done is first and foremost, we have organized around
security. We have taken all the various key components of security
within the IBM company and put it under the umbrella of a security
division. There's one thing, which was key to that as well, which is
the belief that analytics really can help shift a pendulum in your
favor in the area of security, because when you look at the
complexity on the previous slide, one of the challenges is that
people who will target our network will go after those gaps between
the various different infrastructures, the various different silos
within our companies. By taking analytics and gathering information
from every four corners of your enterprise, which you can do; looking
at every single communication across your network, which you can do
but many of you don't; looking at every single access to a database,
which you can do... And aggregate that monstrous amount of data,
which of course you would think, that's an overwhelming amount of
data, which it is, but we can apply analytics to it to drive value to
get a good understanding of your security posture and understand how
and where you fit to detect problems, help with compliance
regulations.
So IBM late last year purchased Q1 Labs. I was the CEO of Q1 Labs,
Sandy was the CTO of Q1 Labs. And I was, that's the anchor. It's not
a division, but in anchor of our division. What a wonderful way to
integrate products across all of these different domains. The other
thing is IBM has looked at this framework, and this is really a
framework of all the key technologies that are important for securing
our enterprises. This framework includes people, understanding
identities of who's on your infrastructure; understanding how to
secure data, where it is, who's getting at it; understanding
applications and if they're secure; and finally, of course, securing
the infrastructure itself, brought together with an anchor of
security intelligence.
Ultimately what I ask and what I think we should all do is to really
start looking at security across this comprehensive set of
capabilities -- not just whether it's from IBM or not; it's just
looking at securities holistically. We happen to have organized and
decided and committed that we are going to be best in class in each
of these domains, and we are going to build beautiful integrations
between these products. And then we're going to leverage the power of
IBM in services and managed services and professional services and
consulting to help clients who need the help and don't have the
skills to put this together.
We actually have, in terms of products, this is our favorite gorpy
slide, but it's a great slide. In each of these domains we have
leading-edge products in identity and access management, database
security monitoring, application security. And some of these
products, really while the heat and the excitement can be around the
next generation firewall or the next version of malware detection, I
was out with a bank recently and they basically said that the
application scanning capability which they deployed was "the" most
important security technology they have ever deployed, period...
Because it fundamentally altered the security of the in-house
developed applications by ensuring that before they go on the network
they are secure, they don't have cross-site scripting
vulnerabilities, they don't have SQL injection problems. What we will
also do, and core to this, as we spoke, is integrating intelligence;
bringing intelligence from all of these capabilities.
And a commitment to you that we will do it across different vendors,
also. In fact, in our case, with the QRadar product family, hundreds
and hundreds of applications, networks, identity, active directories,
if it moves and it's got relevance to security, IBM will bring that
data into our security intelligence platform. We will run analytics
from that and we will deliver value to you.
That is what we do and that is critical, we believe, to future
understanding, whether those environments are in the cloud, in a
private cloud or in your own network.
The other thing that we will do is leverage powerful capabilities
that IBM has around threat intelligence on the Internet. One of the
great surprises of what happens within IBM, what I learned from
coming here which some people knew but now is part of a division we
can fully leverage, is IBM has one of the biggest URL databases in
the world. Not to track and help you search through URLs, but to
understand the reputation of those sites, to understand if there's
botnets associated with those URLs or those websites.
IBM actually has that database. We have other great information
about the threats associated about what's happening on the Internet
bringing incredible context, which we will flood into all of our
products. And actually, that's going to happen in Q2. Incredible
intelligence across all of your enterprise. Incredible intelligence
across the Internet, linking them together to give you context about
what's happening in your own environment. And then lastly, of course,
is bringing products together, from IBM and from other companies,
simple integrations that will basically deliver value and actually,
ultimately automate it. We talked about controlling earlier, having
those control points, having the instrumentation, having the data.
Danny spoke about it eloquently.
Also you can take action on that data and create these linkages. If
we see that there's a problem by scanning an application, we can
automatically patch that by basically putting that rule into an
intrusion prevention product or into a threat prevention product.
That is what we will do. That is what we do do.
We can also leverage intelligence so that we can increase the
intelligence of our authentication and access management capabilities
if we see unusual activities that have been occurring out on the
Internet. And of course, that wealth of information from security
intelligence, we will leverage that across all of our products.
Finally, just a couple of things before I hand it to Sandy. IBM has
unmatched expertise that spans the globe; we will bring that to bear
for you. Data centers on all of the continents, billions of events
being managed every day. That information is an incredible wealth of
information which we will package up and deliver into our products.
So now what I'd like to do is I'm going to hand it to Sandy, to let's
get a little bit granular. And Sandy has the unique challenge of
being able to do this in a way that you can explain it to the board
about what has been happening and how some of what I've been talking
about will help you.
BIRD: Thank you, Brendan.
So what we're going to do today is we're going to drill down into a
couple of attacks that have happened over the last 12 months. Now, we
work for IBM, so legal has told us we're not allowed to tell you who
these people are. However, if you looked at Brendan's bubble chart
earlier with all of the different companies, they absolutely appear
on that chart and I'm sure your Google searching skills are as good
as mine and you can drill down and figure out who they actually are.
So we're going to kind of walk through this. We're going to take you
through two specific attacks.
But before we do that, we're just going to talk a little bit about
how the world has changed. Brendan did a good job of this. Back in
1995, when I kind of started my security career and I would have to
clean up a breached system of some form, we would literally talk to
the attacker over IRC -- and for the people of this era, that's
probably Instant Messenger for most of you. And we would interact
with them. That was a time that was very different. The Internet was
young. Now what's happened is that as time has progressed it has
become like all other types of security where crimes started to
actually start this. So if you look up at the top corner there, the
types of attacks that a lot of these are occurring are basically
financially motivated. You get those lovely pop-ups in your browser
and basically it says hey, if you pay me $29 I'll take these away.
People do that.
Well, that was happening a lot in 2005. And those particular attacks
used a lot of off the shelf tools, a lot of custom malware that was
written maybe by criminal organizations. But in 2011, 2010 kind of
started this, all of a sudden attacks went from being very broad,
trying to target as many people as they could so they could make
money to being very, very targeted to look at those very specific
intellectual property things that Brendan was talking about earlier
to steal those from your companies.
Or in some scenarios, they just wanted to damage your reputation. And
that's really where the "hacktivists" came in. Now what's interesting
is if you look at these two boxes here on the righthand side, a lot
of the "hacktivist" type groups are using things that are off the
shelf tools. These are basically things that I can go download on the
Internet for $ and launch a denial of service attack against you. I
can buy a botnet to basically hurt your organization today. And it's
not expensive; it's actually very cheap for me to do that. But in
those scenarios, companies with very good security actually have ways
to protect them. And as we go through one of these examples you'll
see that. But when the attacks become very targeted to your
organization from somebody that really wants your data, we start to
talk about things that we call advanced persistent threats...where
it's not off the shelf tools anymore; it's custom malware they're
writing specifically for you against your organization that none of
your security mechanisms will help you protect against. So we're
going to walk through these.
We'll spend a little bit more time on the advanced persistent threat.
The thing about this is that the piece of malware these people will
write to put inside of your organization, they will actually start to
write this months and months before. They'll do research. They'll
find out what types of things that you use in your organization.
They'll actually take and register all the domains that you're going
to use for command and control channels to get data out of your
organization later months in advance of these attacks. But they won't
place them in anywhere where anyone finds them, so your classic antivirus vendors, whoever they happen to be, aren't going to ever see
these pieces of malware before, so the signature-based types of
detection aren't going to work. And when they do get into your
organization, so now they become very persistent. They are going to
create multiple ways to get that data out. And they are going to try
to hide them from you as best they can. The other thing is that these
particular threats against your organization will be well researched.
They're going to know who to send that classic phishing email to.
They're going to know exactly who you do business with and who your
business partners are. And because of that, it will be very specific
and it will look like any other person that you do business with
sending you an email with some attachment in it or causing you to go
somewhere from the Web where you didn't think you would go. But it is
interesting.
If you read the X-Force Threat Report, which I encourage everyone to
do, they actually say when you're dealing with an advanced persistent
threat you should treat this a little bit differently than the
classic kind of breach of a system. We all want to pull the Ethernet
cable out of the wire when that happens. We detect the system has a
breach. Oh, no, pull the Ethernet cable out. The problem is if you
think about these attackers, they've spent six months trying to get
into your organization and they've done lots of research. When you
pull that cord and cut them off, they are going to immediately start
looking for the next way in. But if you have good defenses and levels
of defenses, chances are in that initial breach they've only breached
one level of access. Maybe they have user-level access on a system or
something like that. So you may be better off to watch them a little
bit, call in the FBI. You have other protection mechanisms, maybe you
want to firm those up.
But you want to treat this very differently because it's targeted at
you. So when we take a look at this, the reason they target and are
so good at it now is we've given them almost all of the information
they need. So if you were to go to the Q1 Labs website you would see
that Brendan was the CEO of that, you would see that Sandy was the
CTO, Tom's sitting down here in the front somewhere.
And then you would go to LinkedIn and you would say, oh, look, Tom
works there. Look at all the people he's communicating with from a
marketing organization in this. And maybe that's the marketing firm
he uses. So if I wanted to craft an email to Tom, I might say hey,
Tom, you know what? Look at this particular marketing campaign that
I'm putting together for you. It would look pretty legitimate. Tom
would open the PDF or Word document or Excel document or whatever it
is. And that might be the entry point for that piece of malware that
the anti-virus couldn't detect because it was a zero-day exploit. And
all of this information is out there for these attackers to use, so
it makes it very easy for them to do this. So let's take a look at
two attacks. The first attack that we're going to look at was an
attack that should have never ever happened. This was a security
company.
Very, very well-known techniques of protecting your network should
have stopped this attack, but in this case they were not prepared. So
the first thing that happened in this particular attack was there was
an SQL injection basically against their content management system.
So we all go to websites all the time, there's lots of different
content on those websites. Those are usually run by some content
management system in the back end where people can upload the things
about their company and their case studies or whatever they want. And
this particular company used one from a marketing team that had an
SQL vulnerability in it. And through this, they were able to actually
get into the system and grab the password file off of there.
Now, as we all know, the password files are hashed and encrypted and
stuff, so you shouldn't be able to easily tell what the passwords
are. Unfortunately, in this case, this particular CMS system didn't
salt the passwords properly and they were very easily cracked using
standard mechanisms anybody could use. And because they actually
breached the passwords, they were then able to actually log into a
Linux-based system somewhere else in the network.
Okay, well, I now have user level access to that Linux system, but I
probably don't have that much information. But unfortunately the same
company didn't patch that Linux system -- so, they weren't using
standard patch management -- and because of that they were able to
get access to a root-level account, which gave them full privileges.
On top of that, the same passwords that were used in the CMS system
were used on public websites, as well. And because of those public
websites, they were able to access things like Gmail accounts for the
executives of this company.
And from there, now that I have access to the guy's Gmail account, I
can now send an email back to, as an example, the firewall
administrator and server administrator and say, using a very well-crafted
email since I now have the history of all their email, hey,
Joe. I can't remember the password on that server. The old password
was this one -- which somebody stored in their email and shouldn't
have -- can you send me the new one? And because of that, they were
able to basically compromise the website, and from there deface it.
This attack, again, would have been considered advanced persistent
threat, but there was really no reason for it in this particular
case.
The SQL injection could have been stopped very easily by an IPS
product similar to the intrusion prevention products that we have at
IBM. And had they actually been doing dynamic scanning of their
outside web applications.... Again, they got this from some other
vendor, right? It came from their marketing department. You should
still test those for vulnerabilities.
So had they just done that, it would have stopped the initial part of
the attack. But it doesn't stop there. That poor password hashing we
talked about that that vendor was using, again, if you were doing VA
scans with an authenticated VA scan to that system, most of those
systems will actually run very quick checks against those to see if
any simple passwords were in there that could be easily cracked. It
would have been found.
Going beyond that, you may have this privilege escalation. Again,
patch management solutions like the Tivoli Endpoint Manager can
basically deal with that. We could be patching those systems. And as
we move on you can see it continues. This is the one, though, that
you really want to start thinking about with your employees. Right?
You shouldn't be using the same passwords on the corporate entities
as you are on the public-facing entities like Facebook and Gmail and
these types of things. And it's one of the key things.
User education would have also helped in this scenario. So it was a
simple attack. And I'm sure everyone out there is feeling very
comfortable, saying, I do all of those things, every day. We don't
have any of those problems in my organization, so this isn't a
problem. The thing is, when we go to the next particular case of
attack and we look at this one, this company had good security. They
had all the things in place where you have anti-virus and you have
intrusion prevention and you have all the things that you would
classically put in any enterprise.
But the attackers were persistent. When we looked at the malware, the
researchers looked at the malware that affected this particular
organization, they discovered it was compiled over six months before
the attack. So again, there was some thought put into this. If we
looked at the main registries for the command and control channels
they used to basically remove the data from the organization, they
were registered months and months before. We also noticed in looking
at other attacks -- not against this company -- they used similar
domains, meaning, whoever was doing this was smart enough not to just
attack this company; they attacked other very high-profile companies
as well. So the attackers created this piece of malware but they
couldn't get into the original network of the company they wanted to.
So they went after their business partners.
Again, we have great websites. All of our business partners are
listed there. Hey, these are our critical partners. Guess where I go
after if I want to get into your organization? I go after one of
those, because that gives me a trusted communication back into your
organization. And in this case, these people actually used the
anti-virus vendor that also supplied them with their unzip technology. So
it was a small vendor. They had a whole bunch of different types of
applications. They had some anti-virus, some...it's not WinZip but
unzip technology like WinZip. They basically compromised that
third-party company, and they basically set it up so that when the company
they were targeting downloaded this piece of code, this unzip code,
they would get the malware infected version. But when all of the
other customers of the third-party vendor got their version of the
unzip it would not be infected.
Again, they didn't want the anti-virus vendors and the threat
researchers to see this piece of malware before its time, so they
made sure that it didn't get out into the wild. From that, using very
good security processes, the company actually auto-updated the Trojan
into their company. It's very different now all of a sudden. You
thought you were doing the right thing; you were patching your
systems. This is a good security practice, and all of a sudden this
piece of malware ends up in your organization. And from that over 60
machines ended up with this piece of malware on it. Now, with this
particular case, again, we've got user-level accounts on some
systems. It doesn't necessarily give us the crown jewels at that
point, so we need to start looking for it.
It actually took about eight days before they actually managed to do
enough reconnaissance in their network where they could figure out
where the key data was stored for the accounts they needed to get at
and extract that and send it out. But at the end of this they stole
35 million records from this company -- massive damage.
And at that point, you should be a little bit scared, as we talked
about a little bit earlier. Right? This is something that they wanted
in very specifically. That said, there are lots of different things
in here that could have helped this particular company. You should
look at your business partners' security. I know it's something we
don't think about very often.
People, if you look at the credit card industry, are obviously trying
to push compliance to companies to say, you have to have a minimum
level of security for us to do business with you. You need to look at
that in your own companies, as well. What are you doing in terms of
your business partners' security? On top of that, the attack got in,
the piece of malware that was in our organization. But at some point
in time you have to start to look for the data. Right? You've got to
actually figure out where the databases are in your organization.
You've got to figure out who the people are. You've got to figure out
where the systems are.
There are many, many security technologies that will look for
reconnaissance detection. The Q1 Labs product started doing this 10
years ago and found all kinds of interesting things inside of
people's organizations by detecting that this system -- which has
never done any sort of probing in your network before -- is all of a
sudden starting to look for systems and things. What's it doing?
People have heard of honey pots before; places in your organization
to find these types of things. That would have given them an
indicator to at least maybe limit the scope of the attack.
That would have been the good time to call the FBI and shore up your
resources around other protection mechanisms. On top of that though,
the system actually created a command and control. It had to get the
data out of the organization; having it in the organization was no
good. So because of that, had they had some anomaly detection looking
at the behavior of those systems, they would have discovered that
hey, there's a bunch of command, or a bunch of different
communications leaving the network that these systems have never done
before. And had they had some database monitoring technologies, maybe
the person would have been able to query the records, but maybe the
actual important data would have been masked. Right?
So using things like the Guardium technology, you can do that. So
again, hindsight is always 20/20, but again, think about these
security practices as you move forward. Right? You need a security
intelligence solution that's bringing all of this data together so
you can see what's going on in your network, gain that visibility to
help you respond to these types of advanced persistent threats.
So with that, Brendan, I will hand it back to you, and hopefully we
didn't scare anyone too much.
HANNIGAN: So as Sandy talked about, you can see the sophistication of the
attacks and how traditional techniques, for many of the high-profile
attacks, in fact would have helped. But what our customers are
struggling with, in many cases, is the complexity of putting all of
that together and hence, we end up with these holes that would be....
You know, normally, in best practices, you would say, how did they
end up in that situation?
Well, the reality is good companies with decent practices are ending
up in bad situations. What we need to do is make sure we're improving
our best practices and ultimately re-looking at all of our security
across all our different domains.
So to summarize what Sandy looked at, when it looks like
advanced...or the sophistication of attacks, one of the key
capabilities which we have to bring to bear and we think should be
brought to bear is security intelligence that spans all aspects of
your organization, linking together all the different products,
running analytics on it to see what's happening. That of course is
not the only piece. The other piece of it as well is bringing
intelligence in from the Internet to be able to understand what's
happening externally.
And then lastly of course, linking it with your threat protection
products themselves so that you're actually able to stop things from
happening in the first place. The types of threats which can be
detected would in fact, because of an unusual upload to an unusual
website, would in fact be that executive assistant uploading key
intellectual property and the phone numbers of presidents and
senators. That was detected through anomaly detection. It would also
detect an employee planning a business, sending out proprietary
designs over a number of weeks late at night to their Gmail account.
Who gets worried about that?
The consumerization of technology has allowed that to become easy;
rich collection of data and analytics will stop that from happening.
It will also stop a botnet installed under financial revenue
recognition analyst of a software company communicating information --
whatever information is under financial revenue recognition analyst
of a public company -- to some undesirable geography. It will stop
that, too.
So what we're looking at and what we hope to help you do is look at
all the spectrum in the full cycle when we want to help you with
attack sophistication.
What about cloud? It's exactly the same story. Cloud is this very,
very positive, spectacular innovation which we have heard about from
Danny and from Robert. Incredible, in terms of what it will enable us
to do. We, of course, must understand, are we talking about private
clouds; are we talking about security from the cloud; are we talking
about public cloud -- when we talk about security. And of course the
answer is all of the above. We must have a security infrastructure
that spans the physical, the virtual and the cloud world, and you
must be able to monitor and provide security capabilities that span
each of those. And we believe that ultimately with the portfolio and
framework that IBM is putting together around identity, around web
application scanning, virtualization, the security of virtualized
environments, network security, access management, database
management, these are all very, very relevant as we move to the
cloud. We will help you audit your cloud environments, we will help
you secure access to your cloud environments, with identity
management solutions that span the existing world that you are
familiar with, but federated to also support your cloud security
environments. You can't have security for the cloud and security for
your physical world and have them as two different things. And we
will basically help you have one which helps you put security across
all of your environments.
Lastly of course, when you look at the great deployment mechanisms
that the Tivoli team are talking about in terms of cloud security,
what company is better positioned to help you as you're provisioning
workloads, as you're working on these cloud environments, to also
make sure that security is a part of that? IBM has great capabilities
there and is uniquely suited to do so. Lastly, of course, is the
consumerization of IT, which we spoke about as the driver of many
different challenges that you are facing here. This is a very
complicated one, because of course it's well beyond controlling
access; it's really about the usage of the devices themselves. We
have, working with the Tivoli group, spectacular capabilities in this
area with the Tivoli Endpoint Management product which in IBM's case
alone, of our own use case, is managing, I believe, almost one
million endpoints between all of our laptops, all of our servers and
all of the mobile handhelds. And the security capability of that
allows you to do mobile data management and data wipe even on your
handhelds -- what a spectacular capability that spans all of the
infrastructure. Watch as well for us to be able to incorporate some
of the other capabilities we spoke about in terms of security and
threat management and access management and making sure that we can
apply these capabilities as well in the mobile world. And the last
thing I spoke about was of course data explosion. There's a
counterintuitive notion which drives to the heart of what Sandy
exposed and what I spoke about, which is, as you suffer and drown in
logs and the misery of security data, we will come and ask you to
collect more. [ LAUGHTER ]
And we will do that because it is context that will empower you to
get a better handle on what is happening inside your environments.
Attackers don't have the context of your business. They can never
understand the context of your business. They can never understand
the context of your network and the complexity of it. By collecting
the data, you can understand the context of your networks and you can
basically indicate what's normal and what's abnormal.
And it really works. That oil company, a couple of billion records a
day, gets it down to 10 or 25 offenses for human beings to manage.
And that's what analytics can do and should do. And you know what?
That's what my company was pioneered. But let's be honest. It's been
done in other industries and applied to other areas for a long time;
it's about time we applied it to security.
And I believe Disney will speak later about the application of
security intelligence to their environment and how they also reduced
this data down substantially. You can get control of this data. The
products basically are there to allow you to do it today.
So our job at IBM is to basically help you over the relentless grind
of continuous improvement. Danny made it sound so good. [ LAUGHTER ]
Right? Day after day, week after week, month after month. There's a
lot of excitement over new products, and there should be.
Our commitment to you is that we will support those products in terms
of our integrations because we have to because you use some of these
other products and you need them. And sometimes there are spectacular
innovations which occur.
But a spectacular innovation of a point product is not a security
strategy and it is not a voyage to get you to have a stable security
environment. The value proposition that IBM can bring to you is that
we can provide a framework that you can hang your security strategy
from with a spectacular set of capabilities, technologies and
services that will put that in context. The areas where we have
technologies, people with identity and access management and a leader
for many, many years.
And very significantly important with going forward, with increased
investments and connections with the other aspects of our portfolio.
Data -- knowing every access in a database down to every field. Who's
up to it? Is it a privileged user or not? IBM can do that.
Applications -- understanding if the applications being put up in
your environment are secure, do they have vulnerabilities, do they
have exploits? IBM can do that, and it then can help you put those
skills, put that discipline right into the development process so
that this stuff happens at the source not at the destination.
We've all been in this business a long time; when you wait until the
end it costs so much to remediate. Ask that federal security company
whose entire business was brought to its knees because of an SQL
injection attack which could have been detected when the code was
written. It could have been detected by black box testing; none of
which happened. I spoke to another company. They do not allow a
single new application to go out to their network which has got any
sensitive data on it, near any sensitive part of the network unless
it has been scanned and increasingly unless the code has been
produced securely.
We can help you with that. And guess what? It's kind of a "duh" --
why would you allow that to happen? But of course we have to because
of the complexity, but we hope to help you with that. And then of
course lastly, there's the infrastructure products. For us, they are
our endpoint management products to help you manage the endpoints in
a secure fashion; the mobile security products; and of course, our
threat protection products, which actually are increasing in
importance with the emergence of advanced persistent threats. It's
not about IPSs and looking at a signature and matching that
signature. That's like the TSA at the airport. It's important but
it's insufficient. You also must be able to link it with a much
broader set of capabilities and knowledge about what's happening on
the Internet, about what's happening in your company with security
intelligence, Internetelligence linked with that threat protection
product. And IBM will help you do that, too.
So our job is not to come in with a massive, big portfolio and say,
you must have it all. We won't do that. We will basically commit to
having a whole portfolio, an ecosystem of products and vendors which
are in your environments which we will work with. And then we will
just help you on the relentless grind of continuous improvement to
march up, make it better, segment by segment. And in this industry,
which vendor is more suited to help you do it? Is it going to be the
next generation firewall vendor? Or is it going to be a company like
IBM? I put it to you, it's going to be a company like IBM. There's
only so much you can put in a firewall. I call them "fridgerovens" at
this point in time. [ LAUGHTER ]
So to summarize, and then I will make it available, I think we've got
a few minutes for questions, although I'm not sure if that timer is
working properly. There's one key thing which is happening in
industry. We call it security intelligence and analytics. It's a
great capability. IBM recognized it. It's going to apply to all of
our customer environments if you let us. It's different than SIEM and
log management, of which we have SIEM and log management capabilities
because that's what people buy.
Yes, we have SIEM and log management products. First generation SIEM
and log management products are an appalling, complex framework that
add to the complexity of your environments. Our analytics solutions,
are appliance based, come out of the box, start allowing you to get
value and analytics out of them as opposed to you building things,
which we where we have to move from. It's great for the NSA to spend
hours and hours with the Ph.D.s building little products and putting
them together; it's not good enough for you, and that's why these
companies are getting into these problems.
The second thing which we will do is we will work and deliver best in
class products. Of all of the products in this framework, which is
about 11 of them, I won't mention the analyst firms, there's about 11
of them tracked by external analysts. We are leaders in nine. Would
you ever know it? You wouldn't know it because they were in different
places. Never in the IBM Security Systems Division.
The third thing is IBM has heard you and listened to you with regard
to your concerns around security, which are valid. And it's different
than the way other vendors, big systems vendors approach problems.
IBM has basically taken these leading-edge technologies which were in
different places, a reflection of the complexity that the industry
had and has put them in one spot: the IBM Security Systems Division.
The IBM Security Systems Division is developing a set of capabilities
and frameworks which tightly linked with our services organizations
and our GTS organizations in terms of the professional services,
manage services and other capabilities which we can deliver to our
customers.
So we can help you do assessments. We can help you staff and we can
help you build capabilities around these products. This is a huge
significance, many, many years. Some of these little companies [RSA],
I don't know if they'll be there next month. In our space of just
SIEM and log management, there were 22 vendors in the segment.
They're still there. They never go away. And some poor soul is buying
some of those products. Well, IBM will be here in a month and it will
be here in 10 years. And it will have a security division, and it
will be making significant investments in that area.
So with that, I will hand it over to you for any questions which you
may have. Thank you.
[ APPLAUSE ]
BIRD: Is there any mechanism for actually...somebody over here actually
has a microphone. We have four microphones. I actually can't see
anybody, so just raise your hand. [ LAUGHTER ]
HANNIGAN: We've got a few questions in the back there, I believe. This
gentleman here. Hello?
QUESTION: Hi. What are some major changes we can expect within the next
second and third quarter of the year?
HANNIGAN: I'm sorry. I didn't hear that.
QUESTION: What are some major changes we can expect within the second and
third quarter of this upcoming year?
BIRD: I think it's hard to hear, guys. There's an echo. But I think they
asked what were some major changes that would be happening over the
second and third quarter of this year. So things like, as an example,
in the second quarter we're adding in all of the threat feeds Brendan
talked about, about the largest URL database and all of the
classifications. We're actually plumbing that across all of the
security products in the division, so things like the QRadar product
will gain all of that IP reputation data, all the anonymous proxy
data, all the things that that research firm is doing. That's also
going into the IPS platform, as well. So again, we'll be using that
across the security products. That's an example of something we're
adding this year.
HANNIGAN: Yes. We actually have, in each of the frameworks, we've got
huge deliveries in each and every one of them. The most significant
things to watch for is a whole architecture around how we're going to
deliver and help you solve advanced persistent threats. The second
thing is some of the key integrations that Sandy spoke about.
QUESTION: I think one of the things that keep a lot of people up at night
is how do you
handle the personnel issue? You have a person like a Manny who went
out and had access to the system, was able to grab a huge amount of
data that it wasn't supposed to have. Or the social engineering
issues where you have somebody, say, out of high school for a year
has access, somebody gives them a telephone call and they start
passing data off or passing something down because of social
engineering. How do you work on that type of issue?
HANNIGAN: It's a wonderful question. And it's a very valid, valid, valid
concern. The issue there is obviously there's a huge element of
education and we have ways of helping you with education. And then,
actually, recently I was saying, a reporter asked me, can you
ever...will we ever be able to guarantee that there's no crimes,
cybercrimes? Well, after the Mayor of New York has guaranteed there
would be no cybercrimes in New York, sure. But the problem is we have
the reality, some of this is going to happen. And our trusted
advisor...our trusted employees are always going to be a concern,
especially because of the volume of information that they now have
access to.
So there's a few things which are important. Identity and access
management. Understanding the usage of privileged identities. So you
can educate "restrict access," but then you must monitor that access.
So we want to link security intelligence and identity to make sure
that we are watching who is doing what and should they be doing it. I
will actually give you a real world example. We had a retailer and
that particular retailer -- I'm not naming names, as you can see --
that particular retailer had actually got an internal IT employee
which created unique identities on their infrastructure because they
knew they were about to be dismissed. They were dismissed, everybody
cleared everything up. The guy goes home at night. He uses his secret
identity to go in and start doing damage. What a terrible thing, very
hard to detect. But it was detected -- it was detected through the
analytics being able to watch all the different various connections.
There was unusual stuff happening, the person's been prosecuted. So
education, a realization that internal employees will do bad things
or there may be infected computers which are internal which do bad
things. And restricting information is good, but the reality is
you've got to monitor it in excruciating detail. You just have to.
BIRD: We're also seeing, Brendan, it's interesting. A lot of the database
technologies now for the monitoring and protection side, can mask
parts of the data. Right? So while that call center person that you
give that list of phone numbers to with access to that database,
there's no reason that they necessarily need to see the address of
the person. There's no reason they need to see the full credit card
number. There's no reason they need to see the zip code. Right? So
those protection mechanisms can limit the amount of data for that
semi-privileged user. Right? And unfortunately if you're just giving
them full access to some application logging into Oracle or something
they get to see way too much information. Right? I think as companies
we need to make sure that we start to minimize what people can see.
We're seeing investments by IBM now on technologies that can do that
even at the application level, instead of at the database level
because sometimes it's hard to do at the database level. So those are
some other things to help out. I'm the Tom from marketing that causes
all the security problems. Just in case you forget to do this in the
call to action for everyone here as the architects, product managers
and the technologies that have been talked about are available for
the next three days, 50 tracks. Lots of our customers talking about
their use cases. I just want to do the marketing part and say please
take advantage of this time to meet the people who are building these
solutions. And absolutely, Joe Alvarez would say, please make sure
you meet the sales team as well. [ LAUGHTER ]
HANNIGAN: Yes. Thank you for Tom. We do. We have a lot of tracks. And
actually a lot of customers talking about our technologies. Thank
you, Tom for pointing that out. Any questions? Yes. That man there.
QUESTION: ...getting to the access certification [INAUDIBLE]. Like the
other companies doing that you are not heavily involved or invested
in access certifications.
BIRD: I missed that one, too.
HANNIGAN: I can't hear him. Yes. It's very hard to hear. I'm very sorry.
QUESTION: I'm talking about access certifications. When you try to look
at employee access. You want to certify the company.
HANNIGAN: Oh, yes.
QUESTION: That is not something that we had planned immediately to get
into to sort of.... ...to have access to.
HANNIGAN: Yes. So, we do have access certifications around people that
have access to for sure. That's a key part of our identity portfolio.
But in terms of verifying some of these, who they are on the outside
-- which I think may have been your question -- that's not something
we do. We manage the identities, but not necessarily absolute
guaranteeing by people presenting passports, et cetera. We don't do
that. I have a question right here to your right. To your right.
There we go. Sorry. [ LAUGHTER ]
QUESTION: It's okay. A lot of this malicious code just mimics really good
code sometimes, as well. So a lot of our techniques, our traditional
techniques, don't capture that bad behavior. When are we going to get
to a point where.... And also, I don't want to be the first guy
getting hit. Right? I would rather be the fourth or fifth person when
the signature is already out. We already know what the problem is. So
how do we get to a point where we're looking at code as it enters our
environment or before it enters our secure environments and we're
seeing its behavior and we can do something about that? When are we
going to get to a point when we can see that?
HANNIGAN: So I'm going to let Sandy answer that question. But before I do
I am going to say you touched on something else, which is something
that again, think of IBM corporation and the data we have available
to help our customers. What we want to do is, over time, is we want
to leverage that data, feed it into our products, but then also start
creating a feedback loop so let's hope it's somebody else and not
you. But then we benefit from that data. And then you don't get hit
because we know about it. But Sandy, specifically on the code.
BIRD: Yes. So there's two parts to it, actually. For many years, Q1 Labs
as a company has been looking at the behavior of endpoints and
applications and users and things like that. The code is already in
at that point, absolutely. But looking at the behavior change that
happens on that endpoint when it becomes infected in that code.
Another retail, a different retail customer, I remember once doing a
proof of concept with them and literally the second day that we were
there they discovered that they had these three machines that
basically beaconed and downloaded a very tiny GIF image from
somewhere. Had anti-virus on the machines, had everything on the
world on the machines, but it was doing this over and over again.
Those IP addresses didn't show up on any known command control
channels or anything. They basically, out of safety, re-imaged the
machines and the activity went away. Right? So behavior profiling
with those applications at endpoint is absolutely important and we
can do that for you today. But you are also talking to some extent
about basically taking all of the attachments in your email that have
executable code in them, taking all the Word documents that you
download off the Web, taking all the PDF files you have, basically
creating some sort of intermediary point that can spin those things
up, look at what they're doing and say, is this something that's
acceptable in my organization? Why is the Word document connecting a
system in China? That doesn't make any sense. Those types of things.
And we're absolutely looking at that as IBM as a direction because it
has very useful mechanisms in avoiding those kinds of advanced
persistent chunks of code.
QUESTION: Hi, guys. With the consumerization of mobile everything else,
we're seeing more and more false events because everyone has five,
six devices and they're always trying to connect. And so how do you
plan on marrying the mobile products with the traditional SIEM
products that you have so we can actually start to reduce some of
these false events that are now happening from everyone?
HANNIGAN: That's the last question, actually. So Sandy, you will answer
it and then we're done.
BIRD: It's interesting when you deal with SIEM technologies and you deal
with the rules and things within them, whether it's mobile devices or
Skype's my other arch-nemesis. I'm trying to understand its
communications because it's changing them all the time and it creates
all kinds of interesting connections and you have people coming in
from all over the place. We have to basically start to profile what's
normal, is what I find. What is normal for those applications? What
is normal for those users? What's normal for those endpoints? And
then once we have that profile, it starts to become something we can
use as a differentiator. Oh, that mobile phone before was doing this
type of activity and now it's doing this. We see that. My worry is,
though, on the consumerization of IT is that those phones sometimes
aren't going through a control point that you can even see that. If
it is, that's great. You're getting the events and maybe you have to
do some interesting tweaks around the algorithms to make that work.
But what if you're not seeing it? Right? I think at RSA there was an
interesting, interesting breach that was over SMS. The actual breach
happened based on a text message. That's not going through any of
your control points at that point. Right? So you need to make sure
you have something on the phone that's actually gathering that data
and can put control points in there.
HANNIGAN: Thank you very much everybody.
BIRD: Thank you guys.
[ APPLAUSE ]
HANNIGAN: Feel free to come to all of our sessions. Thank you. Thank you.
[ MUSIC ]