What’s the State of Your Endpoint Security?
- 1. What’s the State of Your Endpoint Security? © 2016 IBM Corporation
George Mina, Program Director
Mark Hafner, Systems Engineer
- 2. Security teams face an onslaught of serious challenges
Large skills gap in security expertise worldwide: 83% of enterprises have difficulty finding the skills they need. Unfilled security positions are expected to grow to 1.5 million by 2020. [4]
Data breaches continue with no end in sight: cybercrime is estimated to cost organizations $400 billion per year [1], with over 600 million records leaked in 2015. [2]
Lack of timely and relevant intelligence plagues security teams: 80% believe that if they had had threat intelligence at the time of the breach, they could have prevented or minimized the consequences of the attack. [3]
1 Ponemon: Cost of a Data Breach Report 2015
2 IBM: X-Force Threat Intelligence Report 2016
3 Ponemon: Cost of a Data Breach Report 2015
4 Ponemon: Cyber Threat Intelligence Report 2015
- 3. The perimeter no longer exists
It is wherever your endpoints are – both on and off the corporate network. [1]
1 SANS: State of Endpoint Security Survey 2016
- 4. Endpoints Covered by Security/IR Programs [chart; source 1]
1 SANS: State of Endpoint Security Survey 2016
- 5. [Chart; source 1]
1 SANS: State of Endpoint Security Survey 2016
- 6. Remediation and Recovery
[Chart: “When responding to an incident, how much time (in man-hours) do you spend (on average) per compromised endpoint?” Response bins: Unknown; less than 1 hour; 1–2 hours; 3–4 hours; 5–6 hours; 7–8 hours; 9–16 hours; 17–24 hours; more than 24 hours. Percentages (0–25% axis) are not recoverable from the extracted text.]
1 SANS: State of Endpoint Security Survey 2016
- 7. The State of Endpoint Security
• 44% report that one or more of their endpoints have been breached in the past 24 months
• 55% spend 3 or more hours per compromised endpoint
• 70% find it difficult or impossible to determine when an incident has been fully remediated
1 SANS: State of Endpoint Security Survey 2016
- 8. Ineffective patch management: major contributor to most breaches
• 75% of attacks use publicly known vulnerabilities that could be prevented by patching, but hackers know organizations can’t patch effectively. [1]
• 99.9% of exploited vulnerabilities were compromised more than a year after the CVE was published. [2]
• The average time to detect advanced persistent threats is 256 days. [3]
1 CSIS: Raising the Bar for Cybersecurity
2 Verizon: Data Breach Investigation Report 2015
3 IBM: X-Force Threat Intelligence Report 2016
- 9. Why so many endpoint approaches fail
Three recurring themes: architecture, complexity, resources.
• Multiple products, multiple agents
• Siloed security & ops teams
• Resource-intensive agent(s)
• Infrastructure & resource heavy
• Little pre-built content
• Manual tasks detract from higher value projects
• Narrow visibility and coverage
• Slow, scan-based architecture
• Not cost-effective at scale
- 10. What we do: IBM BigFix® – FIND IT. FIX IT. SECURE IT… FAST
Find It. Discover unmanaged endpoints and get real-time visibility into all endpoints to identify vulnerabilities and non-compliant endpoints.
Fix It. Fix vulnerabilities and apply patches across all endpoints on and off the network in minutes, regardless of endpoint type or network connectivity.
Secure It. Continuously monitor and enforce compliance with security, regulatory and operational policies while proactively responding to threats.
- 11. IBM BigFix: Bridge the gap between Security and IT Operations
One platform spanning Endpoint Management and Endpoint Security: Discovery and Patching; Lifecycle Management; Software Compliance and Usage; Continuous Monitoring; Threat Protection; Incident Response.
Shared visibility and control between IT Operations and Security.
IBM BigFix®: FIND IT. FIX IT. SECURE IT. …FAST
Reduce operational costs while improving your security posture.
- 12. How we do endpoint security & management
Real-time visibility, scalability, and ease of use.
[Diagram: IBM BigFix Server in the datacenter; BigFix Content Delivery reaching the server over the Internet; relays serving remote offices over WAN links (T1, ISDN, 56K, cable / DSL, 3G, satellite, WiFi).]
Lightweight, robust infrastructure
• Use existing systems as relays
• Built-in redundancy
• Support / secure roaming endpoints
Cloud-based content delivery
• Highly extensible
• Automatic, on-demand functionality
Single intelligent agent
• Performs multiple functions
• Continuous self-assessment and policy enforcement
• Minimal system impact (< 2% CPU)
Single server and console
• Highly secure and scalable
• Aggregates data, analyzes and reports
• Pushes out pre-defined / custom policies
- 13. Drowning in a sea of cyber threats. What do I remediate first?
- 14. Prioritize risks and expedite remediation of vulnerabilities
IBM BigFix (real-time endpoint intelligence) and IBM QRadar (enterprise-wide security analytics) together: provide current endpoint status, correlate events and generate alerts, and prompt IT staff to fix vulnerabilities.
Integrated, closed-loop risk management:
• Improves asset database accuracy
• Strengthens risk assessments
• Enhances compliance reporting
• Accelerates risk prioritization of threats and vulnerabilities
• Increases reach of vulnerability assessment to off-network endpoints
- 15. Extend QRadar’s reach and simplify incident response with BigFix
Step 1: Provide continuous insight across all endpoints, including off-network laptops.
Step 2: Enforce compliance of security, regulatory & operational policies.
Step 3: Prioritize vulnerabilities and remediation by risk.
Step 4: Expedite remediation of ranked vulnerabilities, configuration drift and irregular behavior.
Endpoint data from IBM BigFix:
• Machine Name, OS, IP Address, Malware incidents
• Provides details on physical and virtual servers, PCs, Macs, POS devices, ATMs, kiosks, etc.
• All known CVEs exposed on an endpoint
• BigFix sends vulnerability and patch data to QRadar, automatically ensuring that QRadar's asset database is updated with current data
Prioritization in IBM QRadar:
• QRadar correlates assets & vulnerabilities with real-time security data
• It then sends the prioritized list to BigFix administrators
Remediation actions in IBM BigFix:
• Quarantine endpoints until they can be remediated
• Patch or reconfigure endpoints
- 16. Quarantine non-compliant endpoints
Protect against zero day malware and vulnerability attacks until remediation is complete.
1. Automatically assess endpoints for required compliance configurations
2. Discover and isolate out-of-compliance endpoints in network quarantine until compliance is achieved
3. Maintain management control of the endpoint and disable all other access
[Diagram: Server and Console retaining management access to a quarantined non-compliant endpoint while all other access is blocked.]
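The four-step closed loop of slide 15 (endpoint inventory in, risk-ranked list out, quarantine and patch actions back) and the quarantine rule of slide 16 can be sketched as a small simulation. The following is an added example written for this page; it is not IBM BigFix or QRadar code and does not use their APIs. The endpoint records, event records, CVE identifiers (CVE-EXAMPLE-*), severity values and scoring weights are all constructed placeholders chosen to show how live security evidence moves an otherwise ordinary vulnerability to the front of the queue.

```python
"""Closed-loop endpoint risk prioritization, modelled on the four steps above.

Added example, not IBM code. Every endpoint, event, CVE id and weight here is
a constructed placeholder.
"""
from dataclasses import dataclass

# Constructed severity table on a 0-10 scale; the CVE ids are placeholders.
VULN_SEVERITY = {
    "CVE-EXAMPLE-0001": 9.8,
    "CVE-EXAMPLE-0002": 7.5,
    "CVE-EXAMPLE-0003": 4.3,
}


@dataclass
class Endpoint:
    name: str
    os: str
    ip: str
    cves: list              # all known CVEs exposed on the endpoint (step 1 data)
    malware_incidents: int  # incidents the agent has recorded on this host
    compliant: bool         # outcome of the compliance assessment (step 2)
    on_network: bool = True  # off-network hosts are still inventoried


# Step 1: what the endpoint agent would report. Constructed sample inventory.
INVENTORY = [
    Endpoint("pos-01", "Windows", "10.0.1.10", ["CVE-EXAMPLE-0001"], 1, False),
    Endpoint("laptop-07", "macOS", "192.0.2.44", ["CVE-EXAMPLE-0002"], 0, True,
             on_network=False),
    Endpoint("srv-db-02", "Linux", "10.0.2.5",
             ["CVE-EXAMPLE-0002", "CVE-EXAMPLE-0003"], 0, True),
    Endpoint("kiosk-03", "Windows", "10.0.1.77", [], 0, True),
]

# Constructed security events, as a SIEM would correlate them by asset IP.
EVENTS = [
    {"src_ip": "10.0.2.5", "type": "exploit_attempt", "cve": "CVE-EXAMPLE-0002"},
    {"src_ip": "10.0.1.10", "type": "c2_beacon"},
]


def risk_score(ep, events):
    """Step 3: correlate exposed vulnerabilities with real-time security data."""
    score = max((VULN_SEVERITY.get(c, 0.0) for c in ep.cves), default=0.0)
    for e in events:
        if e["src_ip"] != ep.ip:
            continue
        if e["type"] == "exploit_attempt" and e.get("cve") in ep.cves:
            score += 5.0   # an exploit aimed at a vuln this host actually has
        elif e["type"] == "c2_beacon":
            score += 10.0  # evidence of active compromise outranks any open vuln
    score += 2.0 * ep.malware_incidents
    if not ep.compliant:
        score += 1.0
    return score


def prioritize(inventory, events):
    """Return the inventory ordered highest risk first (the prioritized list)."""
    return sorted(inventory, key=lambda ep: risk_score(ep, events), reverse=True)


def remediation_plan(inventory, events):
    """Step 4 plus the quarantine rule: isolate first where there is evidence of
    compromise or a compliance failure, then patch or reconfigure. Quarantine
    keeps management access, so the patch action still follows it."""
    plan = []
    for ep in prioritize(inventory, events):
        actions = []
        compromised = ep.malware_incidents > 0 or any(
            e["src_ip"] == ep.ip and e["type"] == "c2_beacon" for e in events)
        if compromised or not ep.compliant:
            actions.append("quarantine")
        if ep.cves:
            actions.append("patch")
        if not ep.compliant:
            actions.append("reconfigure")
        if actions:  # hosts with nothing to do drop out of the work queue
            plan.append((ep.name, round(risk_score(ep, events), 1), actions))
    return plan


if __name__ == "__main__":
    for name, score, actions in remediation_plan(INVENTORY, EVENTS):
        print(f"{name:10} risk={score:5.1f} actions={actions}")
```

Run as written, the point-of-sale host with a command-and-control beacon and a compliance failure lands on top with quarantine, patch and reconfigure; the database server whose exposed CVE is being actively probed comes next; the off-network laptop is still in the queue because it was inventoried regardless of connectivity; the clean kiosk generates no work at all.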
- 17. Expedite remediation of vulnerabilities: IBM BigFix and QRadar
Business need: Automate and strengthen security and endpoint management to better protect data and meet HIPAA and meaningful use requirements.
Solution: Comprehensive security solution from IBM that helps staff secure endpoints and better detect and respond to threats across the organization.
“We can now quickly, easily and accurately produce audit reports for HIPAA and meaningful use compliance. This has helped us obtain a considerable sum of meaningful use incentive dollars.”
—Eddy Stephens, Chief Information Officer, Infirmary Health System
- 18. Find, fix and secure endpoints fast
• Achieve automatic, continuous, closed-loop remediation of endpoints
• Compress patch cycle times from weeks and days to hours or minutes
• Significantly reduce operational costs while improving security posture
• Implement and enforce continuous compliance across all endpoints both on and off the corporate network
[Diagram: Evaluate → Remediate → Report cycle.]
- 19. Website: www.bigfix.com
Twitter: @IBMBigFix
- 20. © Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any
kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor
shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use
of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or
capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product
or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or
both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on
others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM
systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other
systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU
www.ibm.com/security
- 21. BigFix Architecture
Single server and console
• Highly secure, highly available
• Aggregates data, analyzes and reports
• Manages up to 250K endpoints per server
Single intelligent agent
• Continuous self-assessment
• Continuous policy enforcement
• Minimal system impact (<2% CPU, <10MB RAM)
Flexible policy language (Fixlets)
• Thousands of out-of-the-box policies
• Best practices for operations and security
• Simple custom policy authoring
• Highly extensible/applicable across all platforms
Lightweight, easily configurable infrastructure
• Designate IBM BigFix agent as a relay or discovery point in minutes
• Provides built-in redundancy
• Leverages existing systems/shared infrastructure