© 2013 IBM Corporation

Kim jesteś …?

Zbigniew Szmigiero, Customer Technical Professional – IBM Security Systems.

© 2013 IBM Corporation2

IPS

• Działają w oparciu o sygnatury i reguły do warstwy 4• Niewystarczające do identyfikacji APT, fraudów

wycieków danych• Podatne na ataki DDoS• False-Positive vs. False-Negative• Ciągle ważne ale trzeba czegoś więcej

© 2013 IBM Corporation3

NG IPS

© 2013 IBM Corporation4

Ochrona danych

• Identyfikacja danych wrażliwych (włączając migrację)• Monitorowanie dostępu do nich• Używanie szyfrowanie wszędzie gdzie to możliwe

© 2013 IBM Corporation5

Guardium 9.1

Integration with LDAP, IAM, SIEM, TSM, Remedy, …

Big Data Environments

DATA

InfoSphere BigInsight

s

CouchDB

GreenPlum

SAP HANAAmazon RDSCassandraHbase

© 2013 IBM Corporation6

Detekcja anomalii w DAM

Anomaly Hours are marked in Red or Yellow. Click on the bubble

navigates to the Outlier View

© 2013 IBM Corporation7

Szyfrowanie danych

APPLICATIONS

DATABASES

SAN

NASDAS

FILE SYSTEMS

VOLUME MANAGERS

HTTPS

Data Security Manager• FIPS Level 3 Key Management• Centralized, Automated Key Management• High Availability Cluster• Robust role separation

Encryption Expert Agent• File System or Volume Manager • Transparent and agnostic• Supports Linux, Unix, & Windows• Privileged User Control and Separation• Software-based encryption

© 2013 IBM Corporation8

Szyfrowanie danych

Name: J Smith

CCN:60115793892

Exp Date: 04/04

Bal: $5,145,789

SSN: 514-73-8970

Name: Jsmith.doc

Created: 6/4/99

Modified: 8/15/02

Clear Text

File DataFile Data

File SystemFile SystemMetadataMetadata

dfjdNk%(AmgdfjdNk%(Amg

8nGmwlNskd 9f8nGmwlNskd 9f

Nd&9Dm*NddNd&9Dm*Ndd

xIu2Ks0BKsjdxIu2Ks0BKsjd

Nac0&6mKcoSNac0&6mKcoS

qCio9M*sdopFqCio9M*sdopF

Name: Jsmith.docName: Jsmith.doc

Created: 6/4/99Created: 6/4/99

Modified: 8/15/02Modified: 8/15/02

MetaClear

Block-Level

fAiwD7nb$

Nkxchsu^j2

3nSJis*jmSL

dfjdNk%(Amg

8nGmwlNskd 9f

Nd&9Dm*Ndd

xIu2Ks0BKsjd

Nac0&6mKcoS

qCio9M*sdopF

• Protects Sensitive Information Without Disrupting Data Management• High-Performance Encryption• Root Access Control• Data Access as an Intended Privilege

File Data

File Data

File Data

File Data

© 2013 IBM Corporation9

Jakość kodu aplikacji

• Kto programuje Twoje aplikacje?• Jak sprawdzasz jakość kodu?• Jak kontroluje zmiany i poprawki?

© 2013 IBM Corporation10

Pełnowymiarowa analiza aplikacji - AppScan

BrowserBrowser

NativeNativeAppApp

Server Side App

SAST (source code)

DAST (web interfaces)

Client Side App

JavaScript / HTML5 hybrid analysis

Native AppAndroid

iOS

JavaScript

Static AnalysisStatic AnalysisStatic Analysis

© 2013 IBM Corporation11

Jak zarządzasz końcówkami?

• Zarządzanie zasobami• Łaty• Definicja ról i wymuszanie ich stosowania• Monitorowanie dostępu do danych (DLP)• Separacja oprogramowania złośliwego i jego

unieszkodliwianie

© 2013 IBM Corporation12

Pełny cykl życia końcówek - TEM

Windows/Mac Unix / LinuxWindows Mobile

KioskPOS

Android/iOS/Symbian/ Windows Phone

MDMSoftware Usage

OS deploymentRemote Control

Protection

Energy MngtPatch Mngt

InventoryCCM

© 2013 IBM Corporation13

Sites

LICENSE REMOTE

ASSET INSTALL MOBILE

Internet

SW Distrib

PATCH

Jak to działa?

Compliance

Security, DLP

© 2013 IBM Corporation14

Jak to działa?

Przypisanie

TEM SRVTEM Agent

Dane

© 2013 IBM Corporation15

Jak działa exploit?

Exploitation

FileSystem

Legitimate access

WWW

Vulnerability

External Content

Exploit

An exploit is a piece of software that uses an application vulnerability to cause unintended application behavior

© 2013 IBM Corporation16

Weryfikacja stanu aplikacji

Allow application action with a approved state

External Content

FileSystem

Legitimate Access

User initiated

App Update

Application State

© 2013 IBM Corporation17

Weryfikacja stanu aplikacji

Stop application actions with unknown state

FileSystem

ExploitUser Initiated

Application State

App Update

Trusteer Apex Stops

Execution

© 2013 IBM Corporation18

Evasion #1: Compromise

Application Process

Looks Like Legitimate

Communication

Evasion #2: Communicate

Over Legitimate Websites

Direct Communication is Highly Visible

Blokada komunikacji oprogramowania złośliwego

External Network

Information- stealing malware

Block suspicious executables that open malicious communication channels

2Exfiltration Prevention

1Exfiltration Prevention

Direct User Download

Pre-existing Infection

© 2013 IBM Corporation19

KeyLogging

Ochrona przed kradzieżą tożsamości (ATO)

PhishingUsing Corp

PWD on Public Sites

******

WWWWWWGrabbing credentials

from websites

*****

Grabbing credentials from users’

machine

Password Protection

KeystrokesObfuscation

© 2013 IBM Corporation20

Niekończąca się historia

WWW

Phishing and Malware Fraud

Advanced Threats

(Employees)

Online Banking

Wire, ACH, Internal Apps

Account Takeover, New Account Fraud

Mobile Fraud Risk

© 2013 IBM Corporation21

Niekończąca się historia

© 2013 IBM Corporation22

Niekończąca się historia

Global

Hundreds of Customers

100,000,000 Endpoints

Solutions

Financial Fraud Prevention

Advanced Threat Protection

Leader

Intelligence

Technology

Expertise

Leading Global Organizations Put Their TRUST In Us

7/10Top US Banks

9/10Top UK Banks

4/5Top Canadian

Banks

MajorEuropean Banks

© 2013 IBM Corporation23

Oprogramowanie złośliwe

TRX

WWW

Online Banking

4Prevents credential and data theft that enable ATO and cross-channel fraud

• Retail and Commercial• Scale to millions• No end user impact

1• Removes existing infection• Prevents new infection• Secures the browser

2• Alerts user on Phishing sites• Notifies bank for takedown

Trusteer Rapport

Kills the attack before it even startsKills the attack before it even starts

© 2013 IBM Corporation24

Eliminacja oprogramowania złośliwego

TRX

WWW

Online Banking

Malware-generated Fraudulent Transactions

Malware-generated Fraudulent Transactions

Credentials Theft via Malware and PhishingCredentials Theft via

Malware and Phishing

Trusteer RapportTrusteer Rapport

Trusteer PinpointMalware DetectionTrusteer Pinpoint

Malware Detection

© 2013 IBM Corporation25

Identyfikacja anomalii

Logi

n

Online Banking

Trusteer PinpointMalware DetectionTrusteer Pinpoint

Malware Detection

Monitor Account (Re-credential User)

3rd party risk engine

Restrict Web App

(add payee)

Remediate and Immune Customer

3

Trusteer Rapport

Out-of-Band Authentication

Trusteer Mobile OOB

Trusteer Pinpoint ATO,

Mobile Risk Engine

© 2013 IBM Corporation26

Kradzież tożsamości i ATO

LOG

INCredentials

Online Banking

Trusteer PinpointAccount Takeover (ATO) Detection

Trusteer PinpointAccount Takeover (ATO) Detection

2

Trusteer PinpointMalware DetectionTrusteer Pinpoint

Malware Detection

1

LOG

IN

Complex Device Fingerprinting

Device Attributes•New Device•Spoofed Device •Criminal Device

User Attributes•Interaction Patterns•Geo Location•Time of Access

Account Compromise History

Phished Credentials

Malware Infections(stolen credentials)1

2

1 2+Access Denied

© 2013 IBM Corporation27

Phishing i ATO

LOG

INCredentials

Online Banking

Complex Device Fingerprinting

Device Attributes•New Device•Spoofed Device •Criminal Device

User Attributes•Interaction Patterns•Geo Location•Time of Access

Account Compromise History

Phished Credentials

Malware Infections(stolen credentials)

1

2

1 2+Access Denied

Phishing Site

Office Home

Trusteer RapportTrusteer Rapport

Trusteer PinpointAccount Takeover (ATO) Detection

Trusteer PinpointAccount Takeover (ATO) Detection

2

1

© 2013 IBM Corporation28

Kradzież tożsamości

Online Banking

New Account Creation

PII DataTheft

2

1 2/

Tag as Fraudster

Trusteer PinpointMalware DetectionTrusteer Pinpoint

Malware Detection

1 Trusteer PinpointAccount Takeover (ATO) Detection

Trusteer PinpointAccount Takeover (ATO) Detection

Account and Device Risk

Credential PII/Theft via Malware or Phishing

Same Device -> Multiple Trusteer-protected FIs

Same Device -> Multiple Accounts, Single FI

1

2

Trusteer RapportTrusteer Rapport

© 2013 IBM Corporation29

Niezależny kanał uwierzytelnienia

Access DeniedAccess Denied

LOG

IN

Online Banking

Trusteer PinpointATO Detection +

OOB Service

Trusteer PinpointATO Detection +

OOB Service

ATO Risk DetectedATO Risk Detected

Trusteer Mobile APP

Secure OOB Access Authorization:Approve access via registered device

SMS or Data

© 2013 IBM Corporation30

ATO i Fraud Mobilny

Online Banking

Credentials

Restrict AccessRestrict Access

CredentialsTheft

Trusteer PinpointMalware DetectionTrusteer Pinpoint

Malware Detection

LOG

IN Trusteer Mobile Risk Engine

Trusteer Mobile Risk EngineAp

p Lo

gin

Mobile Device Risk Factors

Device Attributes•Jailbroken / Rooted Device•Malware Infection•New device ID•Unpatched OS•Unsecure Wi-Fi connection•Rogue App

Account Compromise History

Phished Credentials

Malware Infections, Phishing Incident(stolen credentials)1 2

The Bank’s Mobile Banking App

The Bank’s Mobile Banking App

Trusteer Mobile SDK

Trusteer Mobile SDK

Trusteer RapportTrusteer Rapport

© 2013 IBM Corporation31

Co dalej? czy Gdzie zacząć?

• Wiele rozwiązań, konsole, mnóstwo danych, ograniczone zasoby

• SIEM – platforma integracji zdarzeń związanych z bezpieczeństwem

• Ile incydentów generuje SIEM?• Incydent kontra Ryzyko• QRadar – Platfoma analizy ryzyka (NG SIEM)

© 2013 IBM Corporation32

QRadar

© 2013 IBM Corporation33

„Nigdy nie lataj samolotami projektowanymi przez optymistów.”

Służy radą pozytywnie pesymistyczny zespółIBM Security Systems