Introducing IBM Security Solutions
Cesare Radaelli
Security Tiger Team Leader, Italy
© 2010 IBM Corporation
IBM’s Strategy
• ONE voice for security.
• IBM SECURITY SOLUTIONS: INNOVATIVE products and services.
• IBM SECURITY FRAMEWORK: COMMITTED to the vision of a Secure Smarter Planet.
• SECURE BY DESIGN
The IBM Security Framework foundation addresses your challenges of cost, complexity and compliance
IBM Security Framework
IBM Security Network IPS GX7800
Fabio Panada
Security Tech Sales Leader
What is X-Force?
X-Force is the pre-eminent security and threat protection brand for IBM customers.
IBM X-Force Research and Development: the world’s leading enterprise security R&D organization
Research
• Research all security vulnerabilities
• Expand current capabilities in research to stay Ahead of the Threat
• Continue unique vulnerability, malware and content filtering research
Content Delivery Engine
• Continuous 3rd party testing
• Develop new security engines to solve evolving threats facing customers
• Execute to deliver new content streams for new engines
• Add new capabilities to existing engines to combat new threats
• Continuously improve security effectiveness
Industry/Customer Deliverables
• Blog, Marketing, and Industry Speaking Engagements
• X-Force Database Vulnerability Tracking
• Trend Analysis and Security Analytics
2010 – Vulnerability Disclosures are at an All-time High
● Vulnerability disclosures up 27% from 2009.
● Web applications continue to be the largest category of disclosure.
● Increase in vulnerability disclosures due to significant increases in public exploit releases and to efforts by several vendors to identify and mitigate security vulnerabilities.
Patches Still Unavailable for Over Half of Vulnerabilities
• Over half (55%) of all vulnerabilities disclosed in the 1st half of 2010 had no vendor-supplied patches to remedy the vulnerability. 71% of critical & high vulnerabilities have no patch.
• Top five operating systems account for 98% of all critical and high operating system disclosures in the first half of 2010. The top five operating systems account for 95% of all operating system vulnerability disclosures.
2010 – Public Exploits Increase to an All-time High
● Public exploits being released is up about 21% from 2009.
● Many of these exploits are being released before a vendor patch is available.
● IPS will continue to move to a more behavioral approach at detecting classes of vulnerabilities and rely less on pattern matching static signatures.
Obfuscated Web Pages and Files are on the Rise
Obfuscation is a technique used by software developers and attackers alike to hide or mask the code used to develop their applications.
● The level of obfuscation found in Web exploits continues to rise.
● Attackers continue to find new ways to disguise their malicious traffic via JavaScript and PDF obfuscation.
● Exploit toolkit packages continue to favor malicious Adobe Flash and PDF, along with Java files.
Drivers Influencing IPS Evolution
IPv6 – Deployments of IPv6 networks (and heterogeneous IPv4+IPv6) are picking up speed.
Performance – 20 gigs and beyond.
– As networks grow larger and faster there will be a need for more speed
– As more technologies converge with IPS more bandwidth will be needed
Vulnerabilities and Exploits – The number of vulnerabilities and public exploits being disclosed is increasing each year
– Behavioral deep packet inspection protocol decodes will continue to be more important.
– Attackers are hiding their exploit code inside of compound files and container files, making simple pattern matching IPS techniques less useful
– IPS must use more behavioral and anomaly detection and less pattern matching.
Obfuscation – Increases in the obfuscated web pages and files.
– Obfuscation detection will continue to evolve in IPS.
Evasions – New evasion techniques will continue to be discovered
Applications – The number of web applications will continue to increase
– Application identification, control (allow/deny), and QoS will be important.
Compound Documents and Container Files – Increasingly used in attacks.
– The need to look “inside” of PDF files and Office documents
Introducing IBM Security Network IPS GX7800
IBM Security Network Intrusion Prevention GX7800 is the newest addition to IBM’s market-leading portfolio of Intrusion Prevention security appliances.
Key Pain Points
• Balance security and performance of business critical applications
• Address changing threats with limited expertise, resources, and budget
• Reduce cost and complexity of security infrastructure
• Larger organizations require security at network core
Core Capabilities
Beyond traditional network IPS to deliver comprehensive security including:
• Web application protection
• Protection from client-side attacks
• Data Loss Prevention (DLP)
• Application control
• Virtual Patch technology
Unmatched Performance delivering 20Gbps+ of throughput and 10GbE connectivity without compromising breadth and depth of security
Evolving protection powered by world renowned X-Force research to stay “ahead of the threat”
Reduced cost and complexity through consolidation of point solutions and integrations with other security tools
IBM Security Network IPS Overview
GX7800 (NEW)
Industry-leading solutions for Remote segments, Perimeter, and Core deployments
Comprehensive line of models available
– Performance surpassing 20Gbps inspected throughput capacity
– Up to eight protected network segments
IBM Security Network IPS Throughput Metrics
Deployment tiers: Remote Segments, Perimeter, Core

Model            Inspected Throughput   Protected Segments
GX4004-V2-200    200 Mbps               2
GX4004-V2        800 Mbps               2
GX5008-V2        1.5 Gbps               4
GX5108-V2        2.5 Gbps               4
GX5208-V2        4 Gbps                 4
GX6116           8 Gbps                 8
GX7800           20 Gbps+               4
Beyond Traditional Network Intrusion Prevention
Virtual Patch
What It Does: Shields vulnerabilities from exploitation independent of a software patch, and enables a responsible patch management process that can be adhered to without fear of a breach.
Why Important: At the end of 2009, 52% of all vulnerabilities disclosed during the year had no vendor-supplied patches available to remedy the vulnerability.
Client-Side Application Protection
What It Does: Protects end users against attacks targeting applications used everyday such as Microsoft Office, Adobe PDF, Multimedia files and Web browsers.
Why Important: At the end of 2009, vulnerabilities which affect personal computers represent the second-largest category of vulnerability disclosures and represent about a fifth of all vulnerability disclosures.
Web Application Protection
What It Does: Protects web applications against sophisticated application-level attacks such as SQL Injection, XSS (Cross-site scripting), PHP file includes, CSRF (Cross-site request forgery).
Why Important: Expands security capabilities to meet both compliance requirements and threat evolution.
Threat Detection & Prevention
What It Does: Detects and prevents entire classes of threats as opposed to a specific exploit or vulnerability.
Why Important: Eliminates need of constant signature updates. Protection includes the proprietary Shellcode Heuristics (SCH) technology, which has an unbeatable track record of protecting against zero day vulnerabilities.
Data Security
What It Does: Monitors and identifies unencrypted personally identifiable information (PII) and other confidential information for data awareness. Also provides capability to explore data flow through the network to help determine if any potential risks exist.
Why Important: Flexible and scalable customized data search criteria; serves as a complement to data security strategy.
Application Control
What It Does: Manages control of unauthorized applications and risks within defined segments of the network, such as ActiveX fingerprinting, Peer To Peer, Instant Messaging, and tunneling.
Why Important: Enforces network application and service access based on corporate policy and governance.
IPS New Features & Enhancements
PAM 2.0
Add PAM Flow (netflow from Protocol Analysis Module)
Add “network friendly” features
Usability improvements
Check categorization
DLP Lite (based on PAM CA)
SSL decryption
100% SNORT engine
IP Reputation
For More IBM X-Force Security Leadership
X-Force Trend Reports
The IBM X-Force Trend & Risk Reports provide statistical information about all aspects of threats that affect Internet security. Find out more at http://www-935.ibm.com/services/us/iss/xforce/trendreports/
X-Force Security Alerts and Advisories
Only IBM X-Force can deliver preemptive security due to our unwavering commitment to research and development and 24/7 global attack monitoring. Find out more at http://xforce.iss.net/
X-Force Blogs and Feeds
For a real-time update of Alerts, Advisories, and other security issues, subscribe to the X-Force RSS feeds. You can subscribe to the X-Force alerts and advisories feed at http://iss.net/rss.php or the Frequency X Blog at http://blogs.iss.net/rss.php
“You can’t secure what you don’t know. You need good mapping of your sensitive assets — both of your database instances and your sensitive data inside your databases.”
Ron Ben Natan, Ph.D., CTO, Guardium
Managing and protecting access to enterprise databases: IBM InfoSphere Guardium
Claudio Balestri - Information Management Sales - Italy
Agenda
Introduction to the solution
Main features
Architecture and supported environments
Advantages & Value Proposition
Customers
Database protection: the objective situation
1. External threats
• Data theft prevention
2. Internal threats
• Unauthorized access
• Changes to sensitive data and to database schemas
3. Compliance
• Need to simplify processes
• Reduction of the costs tied to legal obligations
Introduction to the InfoSphere Guardium solution
• Prevent cyber attacks
• Automated and centralized controls
• Monitor and block privileged users
• Detect application-level fraud
• Enforce change controls
• Real-time alert notification
• Control firecall IDs
• SIEM integration
• Cross-DBMS audit repository
• Preconfigured policies/reports
• Sign-off management
• Entitlement reporting
• Minimal performance impact
• No changes to the database
• Find and classify sensitive data in the DBMS
• Assess database vulnerabilities, both static and behavioral
• Continuously update security policies
• Discover embedded malware and logic bombs
• Configuration verification
• Preconfigured tests based on best-practice standards (STIG, CIS, CVE)
Main features
In summary, the main features fall into the following 4 areas:
Monitor & Enforce: Performs monitoring and security controls on the DBs, using enforcement capabilities.
Audit & Report: Provides reporting that represents the result of continuous, granular tracking and analysis of all activity performed on the DBs.
Assess & Harden: Handles vulnerability management, i.e. delivers security and compliance functions for all DBMS platforms and enterprise applications.
Find & Classify: Identifies all databases that contain sensitive data and learns how they are accessed (by applications, batch processes, ad hoc queries, etc.).
Architecture - Scalable and Multi-tier
[Architecture diagram: Oracle on Linux for System z; integration with LDAP, IAM, SIEM, CMDB, change ticketing, …]
Supported platforms and environments
Advantages of introducing the solution
Non-invasive on the infrastructure and no impact on the DBMS
Not based on simple log management (easily bypassed and often not considered valid by auditors)
Granular control of policies and monitoring processes: Who, What, When, How
Real-time alerting
Reduces operational costs by automating the compliance process.
Transparent use of the 2 modes: Hardware & Virtual Appliance.
High performance
Scalable solution
Support for the major enterprise-level platforms, databases, protocols, operating systems and applications.
Value Proposition
Prevent data theft (the so-called “Data Breach”)
o Reduces threats to data security both from inside and from outside.
Ensure proper “data governance and management”
o Prevents unauthorized changes to sensitive corporate data
Reduce the costs “needed” to comply with current “Data Compliance” regulations
o Automates and centralizes controls
On all DBMSs and their platforms
Complies with the main regulations such as: Legislative Decree 196/2003 on Data Privacy and the subsequent Provvedimento del Garante on access and accountability for so-called system administrators.
o Process simplification.
InfoSphere Guardium: the analysts’ view
“Dominance in this space”
#1 Scores for Current Offering, Architecture & Product Strategy
“Guardium, an established provider … has a large customer base … [and] offers wide platform support.”
2007 Editor's Choice Award in "Auditing and Compliance"
“Top of DBEP Class”
“Practically every feature you'll need to lock down sensitive data.“
SC Magazine UK awarded Guardium 5 out of 5 stars on Features. The review concludes that “you have to ask yourself whether you can afford not to have Guardium.”
“Enterprise-class data security product that should be on every organization's radar."
Main contacts / stakeholders 1/2
Security managers
Establish adequate policies in real time
Keep auditing and access security under their control
Features and ability to perform data mining and investigations into violations
Compliance and Audit managers
Access adjustable according to user profiles or other customizable profiling (separation of duty)
Reporting that reflects every type of required best practice
Automation of controls and timely response to audit requests.
Main contacts / stakeholders 2/2
Application and Database managers
Minimal impact on applications and databases (control is placed upstream and is not invasive)
Ability to implement Change Management policies on access and the related controls.
Performance optimization thanks to the tool’s discovery activities, which make it possible to profile access according to efficiency criteria.
Compliance with current regulations, in particular for system administrators (Provvedimento del Garante), who are also held liable in case of non-compliance with that regulation, and not only for the part concerning the collection of system logs.