IBM developerWorks is hosting two of IBM's SIEM experts in a "crowd-sourced" video interview on the topic of "Anomaly detection challenges in SIEM". Rory Bray (IBM's security intelligence architect) and David Druker (security solutions architect) will be discussing your challenges and issues. Got a question you'd like to submit? Send your questions by email before September 3rd. See http://www.ibm.com/developerworks/library/se-siem/index.html for details.
At the recent Smarter Analytics Live 2013 forum in Melbourne, IBM senior consultant for enterprise content management solutions Adrian Barfield noted that fraud investigators often spend only 20 percent of their time actually doing the analysis work to uncover data wrongdoing. A full 80 percent of the effort goes toward figuring out what information to use and how to use it, since today's data stream includes a diversity of information sources and types. Barfield says this has the effect of flipping the conventional model of security information processing upside-down -- you create the context for your investigation by sifting through large volumes of information.
Barfield cautions that "things are becoming more and more complicated" because analyzing structured data is a different task from analyzing unstructured data. Also, you often need to make a correlation between the two types of data: for example, reconciling structured activity logs with less structured help-desk logs or security incident reports. Security officers need a way to quickly identify patterns and to build and deploy new security models.
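The correlation Barfield describes, joining key=value activity records to free-text help-desk tickets, is shown below as an added example; it is not IBM code and not from the article. The log lines, ticket text, account names and host names are all constructed; the approach is to parse the structured side normally, pull known account and host names out of the unstructured side, and then join the two on those entities within a time window around the ticket.

```python
"""Correlate structured activity logs with free-text help-desk tickets.

Added example with constructed data; not IBM's or the article's code.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed structured activity log (timestamp plus key=value pairs).
ACTIVITY_LOG = """\
2013-08-20T08:55:10Z user=jdoe host=HR-FS01 action=login result=success src=10.1.4.22
2013-08-20T09:02:41Z user=jdoe host=HR-FS01 action=file_read path=/payroll/aug.xls
2013-08-20T09:03:05Z user=mlee host=DEV-BUILD3 action=login result=failure src=10.1.9.7
2013-08-20T09:03:09Z user=mlee host=DEV-BUILD3 action=login result=failure src=10.1.9.7
2013-08-20T09:03:14Z user=mlee host=DEV-BUILD3 action=login result=success src=10.1.9.7
2013-08-20T14:20:00Z user=jdoe host=HR-FS01 action=login result=success src=10.1.4.22
"""

# Constructed free-text help-desk tickets: "#id date time | free text".
TICKETS = """\
#4411 2013-08-20 09:40 | jdoe called: says she was in a meeting all morning and never opened HR-FS01 before 9:30. Wants a password reset.
#4412 2013-08-20 10:05 | Printer on floor 3 jammed again.
#4413 2013-08-20 09:10 | mlee reports he mistyped his password a couple of times on DEV-BUILD3 and then got in fine.
"""


@dataclass
class Event:
    ts: datetime
    fields: dict


@dataclass
class Ticket:
    ticket_id: str
    ts: datetime
    text: str


LOG_RE = re.compile(r"^(\S+)\s+(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
TICKET_RE = re.compile(r"^#(\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s*\|\s*(.*)$")


def parse_activity_log(text):
    """Structured side: every line has a fixed shape, so parsing is a regex split."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, dict(KV_RE.findall(m.group(2)))))
    return events


def parse_tickets(text):
    """Unstructured side: only the ticket header is predictable; the body is prose."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if not m:
            continue
        tickets.append(Ticket(m.group(1), datetime.strptime(m.group(2), "%Y-%m-%d %H:%M"), m.group(3)))
    return tickets


def extract_entities(ticket, known_users, known_hosts):
    """Find mentions of known accounts and hosts in free text (hosts compared case-insensitively)."""
    words = set(re.findall(r"[A-Za-z0-9_-]+", ticket.text))
    upper_words = {w.upper() for w in words}
    users = {u for u in known_users if u in words}
    hosts = {h for h in known_hosts if h.upper() in upper_words}
    return users, hosts


def correlate(events, tickets, window=timedelta(hours=2)):
    """Join each ticket to activity events that mention the same user or host within +/- window."""
    known_users = {e.fields.get("user") for e in events} - {None}
    known_hosts = {e.fields.get("host") for e in events} - {None}
    findings = []
    for t in tickets:
        users, hosts = extract_entities(t, known_users, known_hosts)
        if not users and not hosts:
            continue  # ticket mentions nothing we can tie to the activity log
        matched = [
            e for e in events
            if abs(e.ts - t.ts) <= window
            and (e.fields.get("user") in users or e.fields.get("host") in hosts)
        ]
        findings.append({"ticket": t.ticket_id, "users": sorted(users),
                         "hosts": sorted(hosts), "events": matched})
    return findings


if __name__ == "__main__":
    for f in correlate(parse_activity_log(ACTIVITY_LOG), parse_tickets(TICKETS)):
        print(f"ticket #{f['ticket']} users={f['users']} hosts={f['hosts']}")
        for e in f["events"]:
            print("   ", e.ts.isoformat(), e.fields)
```

Run as-is, ticket #4411 lines up with a successful login and a payroll file read on HR-FS01 about 45 minutes before the user said she first used that host, which is exactly the kind of discrepancy an investigator wants surfaced rather than hunted for by hand; ticket #4413 lines up with two failed logins followed by a success, a plausible mistyped password. The entity extraction is deliberately simple (exact account names, case-insensitive host names); a real deployment would also normalize aliases such as e-mail addresses and display names.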
One such tool to help organize this new security paradigm is the open source Apache UIMA (Unstructured Information Management Architecture) project. Unstructured Information Management applications are software systems that analyze large volumes of unstructured information in order to discover knowledge that is relevant to the user. IBM developed UIMA to help make its Watson artificial intelligence platform a reality.
Another IBM tool that helps determine what data is relevant for a fraud investigation is the Intelligent Investigation Manager, a bundle of techniques that optimizes fraud investigation and analysis by dynamically coordinating and reporting on cases and analyzing and visualizing fraud within structured and unstructured data across silos. The component that bridges the gap between structured and unstructured data is Content Analytics with Enterprise Search:
It allows an investigator to cast a wide search net over a range of data types.
It provides the ability to make a fast, comprehensive analysis of disparate data types, enabling the user to classify data into usefulness categories. It also helps to identify emerging trends from mountains of data in order to start formulating a modus operandi for the investigation.
Senior Product Manager for the IBM Enterprise Content Management Solutions Jeffrey Douglas explains more about Intelligent Investigation Manager components in this video interview (10:44).
IBM cloud security expert Kevin Skapinetz describes the unique challenges of securing a cloud environment and how cloud compares to a traditional IT environment. He also discusses considerations for securing private, public, or hybrid cloud environments in various stages of development. Skapinetz emphasizes that cloud computing is transformative to the traditional IT model, so the ways to enable security for a cloud system have to be transformed too; you can't just "bolt" security onto the cloud system after the fact. He outlines the three-pronged method of building security into your cloud:
Design: At the point the customer is deciding how and when to move to the cloud, you wrap security enablement into the strategic planning for such components as networking and storage.
Deploy: During the phase when customers are pushing virtual system components to the cloud (like virtual machines and data), you need to apply any security techniques you would if you were moving these parts to another system; for example, encrypting data in motion and data at rest.
Consume: When customers are interacting with their on-cloud components, you integrate such security methods as policy creation and enforcement, and the application of workload-balancing protections.
IBM Security QRadar Vulnerability Manager helps redefine how IT security teams collect and use vulnerability assessment data by identifying your organization's largest exposures and building a smarter remediation and mitigation action plan. It adds enhanced scanning and analysis capabilities to QRadar SIEM, letting users correlate scan results with the security intelligence data of QRadar SIEM. The most security-conscious benefit QVM adds to a protection portfolio is a high level of automation that makes it easy for the security officer to quickly prioritize the vulnerabilities that present the greatest potential dangers and to set aside false positives or findings already classified as non-threatening. Scans are triggered automatically: launched as the result of network behavior, or programmed to run at regularly scheduled intervals against either all components or just a specified subsegment of assets.
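The prioritization idea in that description (rank findings by the asset's exposure rather than by raw severity, and set aside findings already classified as non-threatening) is illustrated below with an added example. It is not QVM code and does not use QVM's scoring; the asset attributes, exposure multipliers, vulnerability identifiers (labelled placeholders, not real CVE numbers) and the accepted-risk exception list are all constructed. The scan-trigger helper at the end mirrors the two triggers the paragraph names, a schedule and a change in network behavior.

```python
"""Exposure-weighted vulnerability prioritization with an exception list.

Added example with constructed data; not QVM's code or scoring model.
"""
from datetime import datetime, timedelta

# Constructed scan findings. Vulnerability ids are placeholders, not real CVE numbers.
FINDINGS = [
    {"asset": "web-01", "vuln": "PLACEHOLDER-VULN-001", "cvss": 9.8, "exploit_public": True},
    {"asset": "web-01", "vuln": "PLACEHOLDER-VULN-002", "cvss": 5.3, "exploit_public": False},
    {"asset": "db-01",  "vuln": "PLACEHOLDER-VULN-003", "cvss": 7.5, "exploit_public": False},
    {"asset": "lab-07", "vuln": "PLACEHOLDER-VULN-001", "cvss": 9.8, "exploit_public": True},
    {"asset": "db-01",  "vuln": "PLACEHOLDER-VULN-004", "cvss": 4.0, "exploit_public": False},
]

# Constructed asset inventory: the context that turns severity into exposure.
ASSETS = {
    "web-01": {"internet_facing": True,  "sensitive_data": False, "business_critical": True},
    "db-01":  {"internet_facing": False, "sensitive_data": True,  "business_critical": True},
    "lab-07": {"internet_facing": False, "sensitive_data": False, "business_critical": False},
}

# Findings already classified as non-threatening (accepted risk), each with an expiry
# so a stale classification does not hide a finding forever.
EXCEPTIONS = {
    ("db-01", "PLACEHOLDER-VULN-004"): {"reason": "mitigated by network ACL", "expires": datetime(2014, 1, 1)},
    ("lab-07", "PLACEHOLDER-VULN-001"): {"reason": "isolated lab host", "expires": datetime(2013, 6, 1)},
}


def risk_score(finding, asset):
    """Constructed weighting: base severity scaled by where the asset sits and what it holds."""
    score = finding["cvss"]
    if asset["internet_facing"]:
        score *= 1.5
    if asset["sensitive_data"]:
        score *= 1.3
    if asset["business_critical"]:
        score *= 1.2
    if finding["exploit_public"]:
        score += 2.0
    return round(score, 2)


def prioritize(findings, assets, exceptions, now):
    """Return (ranked remediation plan, suppressed findings with reasons).

    A finding is suppressed only while its exception is unexpired; an expired
    exception puts the finding back on the plan so it gets re-reviewed.
    """
    plan, suppressed = [], []
    for f in findings:
        key = (f["asset"], f["vuln"])
        exc = exceptions.get(key)
        if exc and exc["expires"] > now:
            suppressed.append((key, exc["reason"]))
            continue
        plan.append({**f, "score": risk_score(f, assets[f["asset"]])})
    plan.sort(key=lambda x: x["score"], reverse=True)
    return plan, suppressed


def scan_due(last_scan, now, interval=timedelta(days=7), new_network_behavior=False):
    """Scan trigger: on a fixed schedule, or immediately when network behavior changes
    (for example a newly observed host or service), or if the asset was never scanned."""
    return new_network_behavior or last_scan is None or now - last_scan >= interval


if __name__ == "__main__":
    now = datetime(2013, 9, 1)
    plan, suppressed = prioritize(FINDINGS, ASSETS, EXCEPTIONS, now)
    for p in plan:
        print(f"{p['score']:6.2f}  {p['asset']:7s} {p['vuln']}")
    for key, reason in suppressed:
        print(f"suppressed {key}: {reason}")
```

With the sample data the internet-facing web server's critical finding ranks first, the lab host's copy of the same finding re-enters the plan because its "isolated lab host" exception expired, and the database's low-severity finding is suppressed while its ACL-based exception is still valid. The multipliers are arbitrary; the point is that the ranking input is exposure, not the scanner's severity alone.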
In one way, mainframe environments are just like server environments; they are increasingly exposed to the Internet. In a more important way, though, they are different -- they have more complex security requirements than many server systems. Security intelligence -- a single view of threats, automated assistance, deeper experiential insight, and real-time detection -- is the component that allows these two factors to meet and merge into a meaningful solution.
Here are two painlessly short articles that can jumpstart your journey into understanding and implementing an intelligent security policy and mechanism tailored to meet the complex requirements of the mainframe environment:
Part 1 explains security intelligence, outlines the challenges of mainframe security, and details the initial steps to enabling mainframe security intelligence:
How to enable meaningful insights.
How to reduce complexities.
How to detect and prevent exposures.
How to enable task-oriented operations.
Part 2 takes you on a quick tour of the IBM approach and tools to help implement mainframe security intelligence. It points to the IBM Security Framework as the guide, to QRadar tools to increase visibility and reduce complexity, and to zSecure and Guardium software to deepen insights.
Arxan Technologies, a company providing security solutions for mobile apps, is highlighting its April 2013 announcement from IBM Impact 2013 with a webcast, "Mobile App Security: Integrated Protection with IBM Worklight and Arxan," on September 5, 2013. The original announcement introduced Arxan Mobile Application Integrity Protection for IBM Worklight Apps, an integrated solution that enables IBM Worklight customers to protect their mobile apps against hacking attacks and malware exploits. The proactive application integrity protection is delivered by Arxan's Guarding technology; it enables IBM MobileFirst customers to increase security during the app development and deployment processes.
Arxan Guarding uses injection technology to embed self-defending and tamper-resistant protection mechanisms (a network of Guards) directly into the code. These Guards don't require source code modification; they can be integrated into the IBM Worklight build workflow without disruption to the software development process; they go wherever the app goes; and they can be applied in two tiers of protection:
A minimal level for all apps developed with Worklight.
A maximum level, suggested for Worklight apps that have custom native code (hybrid mixed and native app types) or a custom shell.