MSS Architect Using IBM Q-radar

Page 1: MSS Architect Using IBM Q-radar

© 2014 IBM Corporation

2014 Security Threat Trends and IBM's Recommendations for Internal Controls, May 20, 2014

Security Framework with Q-radar

김도형 Manager (SK Planet)

Page 2

About me

SK Planet

MSS & Security for Public service and IDC

POSCO

Enterprise Security Program & Governance

NCA

KIX, NCA-SIGN, Web-Hosting for Public Service

Government Policy Advisory

KISA

Standardization, KrCERT/CC

Army

Network & Server administrator

Page 3

Agenda

1. Introduction

2. Security Threat Landscape

3. Security Threat Detection

4. Security Monitoring & Response

5. Security Portfolio & Q-radar Implementation

6. Hurdles

7. Q & A

Page 4

About SK Planet

History: SK M&C (April 2008) + SK Planet (October 2011)

Mission : HUG

Business Area

– Digital Contents : T Store, hoppin, T Cloud, Tictoc, Cyworld, Nate, NateOn, Cymera

– Integrated Commerce : 11st, Gifticon, Smart Wallet, Paypin, Styletag, T Shopping

– Marketing Communication : OK Cashbag, BENEPIA

– Location Based Service : T Map, picket, OK Map, NaviCall

– Advertising

Affiliates : SK Communications, Commerce planet, M & Service

Introduction

Page 5

IT is changing and threats are evolving.

Security Threat Landscape

Ref : http://blogs.cisco.com

Page 6

Threats are widespread, and protection has to change with them

Security Threat Landscape

Ref : 2012 ENISA Threat Landscape report

Ref : Modification of IPA Report

Page 7

Morris worm and CERT®

Security Threat Detection

Staff

Procedure

Technology

Page 8

Quiz

Security Threat Detection

Page 9

What are necessary and sufficient conditions for security monitoring & response ?

Security Monitoring & Response

Staff

Procedure

Technology

- Vulnerability Management

- IDS & IPS Operation

- Log management & Correlation

- Security Insight

IBM Security Portfolio

- Internet Security Systems

- Watchfire (Appscan)

- RealSecure (Proventia)

- Q-radar (Event Processor, Flow Processor, QVM, QRM, Forensics, etc.)

- X-force

Page 10

Comparison

Security Monitoring & Response

Airport Inspection          |                | MSS
----------------------------|----------------|------------------
Traveler                    | Who/What       | Internal Asset
Pre-existing conditions     | Symptoms       | Vulnerability
Thermal detection sensor    | Tools          | IDS / IPS
In-depth Inspection         | Responses      | ?
Risk Management             | Post-mortem    | ?
Advance-knowledge           |                | ?
Government Policy           |                | ?
Triage                      |                |

Page 11

Why do you think Q-radar is special ?

Security Portfolio & Q-radar implementation

Correlation (Q-Radar) across:

- Logs

- Asset

- Network Hierarchy

- Network Flow (QFlow: IPFIX, J-Flow / NetFlow / sFlow)

- Vulnerability (QVM)

- Risk & Config (QRM)

- Black list

producing:

- Offense (Ticket)

- NBAD (Threshold), Threat Insight

Page 12

Why do you think Q-radar is special ?

Security Portfolio & Q-radar implementation

Ref : Youtube(Jose Bravo)

Page 13

How do we as a customer rather than a solution provider monitor threats ?

Hurdles

Staff - Technical education & training

Procedure - Process integration with solutions

Technology

- Vulnerability Management

- IDS & IPS Operation (Local Vendor)

- Log management & Correlation

- Security Insight

- Risk Management

IBM Q-radar (+ 3rd party)

- QVM (+ 3rd party)

- DSM (e.g. IDS + 3rd party)

- Event Processor (Q-radar default)

- X-force Premium Service

- QRM

Enterprise environment

- Internal Asset, Network Hierarchy

- Network Operation & Devices

- Log source & normalization

Page 14

A few real-world difficulties in implementing security monitoring and response

Concept vs. Implementation

Tailored process

Ticket

Rule & Methodology

QID Mapping & Normalization

Hurdles
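As an added example (not part of the deck and not IBM or QRadar code), the following Python toy models the two points the slides leave abstract: the correlation the Q-radar slide lists (logs, asset, network hierarchy, flows, vulnerability data, turned into offenses) and the "QID Mapping & Normalization" hurdle above. Constructed IDS and firewall lines are parsed, mapped to made-up QIDs through a DSM-style lookup table, enriched with a network hierarchy, an asset inventory and QVM-style weakness data, and scored into offenses; a second rule applies an NBAD-style byte threshold to constructed flow records. Every address, signature, QID, threshold and log line here is invented for illustration, and the rule logic is a simplified stand-in for how a SIEM correlates, not QRadar's implementation.

```python
"""Toy correlation pipeline: normalize -> QID map -> enrich -> offense.
All context data and sample input are constructed; QIDs are not real QRadar QIDs."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Enterprise context the slides call for (constructed)
NETWORK_HIERARCHY = {"DMZ.Web": ip_network("10.10.1.0/24"),
                     "Corp.Users": ip_network("10.20.0.0/16")}
# Asset inventory with QVM-style scan results: host -> weakness classes found
ASSETS = {"10.10.1.20": {"name": "www01", "weaknesses": {"sqli"}},
          "10.10.1.21": {"name": "www02", "weaknesses": set()}}
# DSM-style mapping (device type, signature) -> (QID, category); QIDs made up
QID_MAP = {("ids", "WEB-ATTACK SQL injection"): (1001, "Exploit.sqli"),
           ("ids", "WEB-ATTACK XSS attempt"): (1002, "Exploit.xss"),
           ("fw", "DENY"): (2001, "Access.Denied")}
OUTBOUND_BYTES_THRESHOLD = 50_000_000  # NBAD threshold per internal host (constructed)

# Two constructed device formats; a real DSM would carry one such pattern per log source
IDS_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>ids\d*) SIG=(?P<sig>.+?) src=(?P<src>[\d.]+) "
                    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>fw\d*) (?P<sig>ALLOW|DENY) TCP (?P<src>[\d.]+):\d+ -> "
                   r"(?P<dst>[\d.]+):(?P<dport>\d+)$")

@dataclass
class Event:
    ts: str
    device: str
    src: str
    dst: str
    dport: int
    qid: int
    category: str

@dataclass
class Offense:
    rule: str
    src: str
    dst: str
    magnitude: int
    evidence: str

def normalize(line):
    """Parse one raw line and map it to a QID; None if no pattern or no QID fits."""
    for pattern, devtype in ((IDS_RE, "ids"), (FW_RE, "fw")):
        m = pattern.match(line)
        if m:
            qid_cat = QID_MAP.get((devtype, m["sig"].strip()))
            if qid_cat is None:
                return None  # unmapped signature: this is the QID-mapping work the slide names
            return Event(m["ts"], m["dev"], m["src"], m["dst"], int(m["dport"]), *qid_cat)
    return None

def zone(ip):
    """Place an address in the network hierarchy; anything unmatched is external."""
    addr = ip_address(ip)
    for name, net in NETWORK_HIERARCHY.items():
        if addr in net:
            return name
    return "External"

def rule_exploit_vs_asset(ev):
    """Exploit attempt from outside against a known asset. Magnitude depends on
    whether the QVM-style data says the target is actually vulnerable to that class."""
    if not ev.category.startswith("Exploit.") or zone(ev.src) != "External":
        return None
    asset = ASSETS.get(ev.dst)
    if asset is None:
        return None
    weakness = ev.category.split(".", 1)[1]
    vulnerable = weakness in asset["weaknesses"]
    return Offense("Exploit against %s asset" % ("vulnerable" if vulnerable else "non-vulnerable"),
                   ev.src, ev.dst, 9 if vulnerable else 3,
                   "QID %d on %s (%s) in %s" % (ev.qid, asset["name"], ev.dst, zone(ev.dst)))

def rule_outbound_volume(flows):
    """NBAD-style threshold: an internal host sending more than the threshold to external."""
    totals = {}
    for f in flows:
        if zone(f["src"]) != "External" and zone(f["dst"]) == "External":
            totals[f["src"]] = totals.get(f["src"], 0) + f["bytes"]
    return [Offense("Outbound volume over threshold", src, "External", 7,
                    "%d bytes from %s" % (total, zone(src)))
            for src, total in totals.items() if total > OUTBOUND_BYTES_THRESHOLD]

def correlate(lines, flows):
    """Run normalization and both rules; returns (events, offenses)."""
    events = [e for e in map(normalize, lines) if e is not None]
    offenses = [o for o in map(rule_exploit_vs_asset, events) if o is not None]
    offenses += rule_outbound_volume(flows)
    return events, offenses

# Constructed sample input: two IDS alerts, one firewall deny, one unmapped allow, three flows
SAMPLE_LOGS = [
    "2014-05-20T09:01:02 ids01 SIG=WEB-ATTACK SQL injection src=203.0.113.7 dst=10.10.1.20 dport=80",
    "2014-05-20T09:01:05 ids01 SIG=WEB-ATTACK SQL injection src=203.0.113.7 dst=10.10.1.21 dport=80",
    "2014-05-20T09:02:11 fw01 DENY TCP 198.51.100.9:40001 -> 10.10.1.20:3389",
    "2014-05-20T09:02:12 fw01 ALLOW TCP 10.20.5.5:51000 -> 10.10.1.20:80",
]
SAMPLE_FLOWS = [
    {"src": "10.20.5.5", "dst": "198.51.100.50", "bytes": 60_000_000},  # over threshold
    {"src": "10.20.5.6", "dst": "198.51.100.50", "bytes": 1_000_000},
    {"src": "10.10.1.20", "dst": "10.20.5.5", "bytes": 900_000_000},    # internal only, ignored
]

if __name__ == "__main__":
    _, found = correlate(SAMPLE_LOGS, SAMPLE_FLOWS)
    for o in sorted(found, key=lambda o: -o.magnitude):
        print(o.magnitude, o.rule, o.src, "->", o.dst, "|", o.evidence)
```

The point worth noticing is the two identical IDS alerts: the one aimed at the host that the scan data marks vulnerable scores 9, the one aimed at the patched host scores 3. That asset-plus-vulnerability enrichment is what lets a monitoring team triage offenses instead of raw IDS alerts, and it only works if the asset inventory, network hierarchy and scan results are actually maintained, which is exactly the "Enterprise environment" hurdle the previous slide lists.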

Page 15

Feel free to ask questions and share your ideas

Q & A

Page 16

End of Presentation