Chief Information Security Office - IBM CIO

Swimming with Sharks


David P Merrill
Threat Landscape
- As threats evolved into blended, self-mutating bots, traditional endpoint AV approaches became less effective
- The nature of most bots seen in the current landscape does not lend itself to signature-based detection methods
- Malware continues to be a primary security concern for all enterprises
  - Sensitive data loss: intellectual property, customer data
  - Login credential loss and subsequent use of enterprise infrastructure for malicious purposes
  - Service availability issues
- Malware has become a multi-billion dollar business
  - Malware development has evolved like any other software development (toolkits, portable exploit code, etc.)
Problem Statement: Swimming with Sharks
Evolving IT business models have increased risk to clients and infrastructure:
- Partnering with other companies for joint development projects
- Outsourcing of the internal network
- Increased pace of acquisitions and divestitures
- Continued increase in the percentage of workers connecting from, or working in, unprotected infrastructure
- The number of non-standard endpoints can be a key concern
- Increased business assets in areas of the world that are increasingly known for malware development
Tivoli Endpoint Manager, Built on BigFix Technology
- Patch Management
- Inventory
- Asset Management
- Software Distribution
- Patch Mgmt
- Remote control
- Operating System Deployment
- Security Configuration
- Vulnerability Mgmt
- Patch Mgmt
- Asset Discovery
- DSS SCM
- Client manager for Endpoint Protection
- Network Self Quarantine
- Power Management
The Shark Cage
Without Cage | With Cage
Patch availability typically 3-14+ days | Patch availability within 24 hours
92% compliance within 5 days (ACPM only) | 98% within 24 hours
EZUpdate sometimes misses application of patches on required machines | Detected about 35% of participants missing at least one previous patch
Compliance model, completely reliant on user | 90% of Windows requirements can be automatically remediated
Exceptions at machine level | Exceptions at setting level
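The compliance model behind the "With Cage" column, as an added example that is not part of the original deck or of TEM/BigFix: it computes patch compliance within a window, the share of endpoints missing an earlier patch, and shows why setting-level exceptions leave fewer blind spots than machine-level ones. The endpoint inventory, patch names and setting names are constructed.

```python
from datetime import datetime, timedelta

HOUR, DAY = timedelta(hours=1), timedelta(days=1)

# Constructed sample inventory (not IBM data): patch release times, each
# endpoint's install times, and the pass/fail state of each security setting.
PATCH_RELEASED = {"KB-A": datetime(2011, 3, 1, 8), "KB-B": datetime(2011, 4, 5, 8)}
ENDPOINTS = [
    {"id": "ws01",
     "installed": {"KB-A": datetime(2011, 3, 1, 12), "KB-B": datetime(2011, 4, 5, 20)},
     "settings": {"firewall": False, "screen_lock": False},
     "exceptions": {"screen_lock"}},  # approved exception for one setting only
    {"id": "ws02",
     "installed": {"KB-B": datetime(2011, 4, 9, 9)},  # never received KB-A
     "settings": {"firewall": True, "screen_lock": True},
     "exceptions": set()},
    {"id": "ws03",
     "installed": {"KB-A": datetime(2011, 3, 2, 7), "KB-B": datetime(2011, 4, 6, 14)},
     "settings": {"firewall": True, "screen_lock": False},
     "exceptions": set()},
]

def patched_within(endpoint, patch, window):
    """True if the endpoint applied `patch` within `window` of its release."""
    installed = endpoint["installed"].get(patch)
    return installed is not None and installed - PATCH_RELEASED[patch] <= window

def compliance_rate(endpoints, patch, window):
    """Fraction of endpoints that applied `patch` inside the window."""
    return sum(patched_within(e, patch, window) for e in endpoints) / len(endpoints)

def missing_earlier_patch_rate(endpoints, latest):
    """Fraction of endpoints missing at least one patch released before `latest`."""
    earlier = [p for p, t in PATCH_RELEASED.items() if t < PATCH_RELEASED[latest]]
    missing = [e for e in endpoints if any(p not in e["installed"] for p in earlier)]
    return len(missing) / len(endpoints)

def setting_findings(endpoints, exception_scope):
    """Failing settings with exceptions applied at 'machine' or 'setting' scope.
    Machine scope drops the whole endpoint once it holds any exception, hiding
    its other failures; setting scope skips only the excepted setting."""
    findings = []
    for e in endpoints:
        if exception_scope == "machine" and e["exceptions"]:
            continue  # whole machine exempt: nothing else on it is reported
        for name, passed in e["settings"].items():
            if passed or (exception_scope == "setting" and name in e["exceptions"]):
                continue
            findings.append((e["id"], name))
    return findings
```

With this inventory the 24-hour and 5-day windows give the two compliance figures the slide contrasts, and ws01's disabled firewall is reported only under setting-level exceptions.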
BigFix Challenge: Updated Timeline
December | January | February | March | April | May | June | July
- Asia BES live
- Install Americas relays
- Europe BES live
- Install Europe relays
- Install Asia relays
- Americas BES live
- Global client code deploy
- Activate Asia client
- Activate Americas client
- Activate Europe client
- Freeze periods (three during the timeline)
Green = accomplished tasks
IBM currently using TEM for Sec Config and Patching across all Windows clients globally; Mac and Linux added in 2H11
>470K clients installed globally
1H11: Met challenge from CIO and SWG Execs to complete deployment in 6 months
BES = BigFix Enterprise Server
Strategic Perspective: What's next. Things that Matter
Endpoint Management Convergence Matters.
Why does this matter?
- Cost
- Compliance and reporting
- Enablement of role-based security management
- Proliferation of tactical mobile security tools and point products
  - Served a purpose
  - Ultimately inefficient and complex
- Consistency across all endpoints
  - Tablets and smartphones are really just computers
  - Same data at risk
  - Extend security standards, roles and configuration policies
Questions?
Definitions
- Malware = Malicious Software
- Endpoint Security Control = ISS solution OEMed from BigFix that provides real-time security configuration and patch management (among other capabilities)
- ITMS = IBM Threat Mitigation Service; includes IPS-based detection plus network detection to find traffic flows to known command-and-control servers associated with botnets (AKA ThreatFlow)
- Bot = short for robot; malware that usually consists of multiple components, controlled by a bot herder (the owner and controller of a botnet), typically invisible to the user and poorly detected by definition-based security tools
- Botnet = a network of bot-compromised machines, typically used by its owner to perform various activities, including SPAM, click-thru fraud and DDOS
- Tickets = ManageNow tickets; in the context of this presentation, typically used for the disconnection of compromised endpoints