IBM Security – A Stitch In Time Saves Nine

IBM Security Highlights

  • An integrated definition, framework and set of capabilities
  • 15k professionals working on security
  • 3.7k Managed Security Service customers
  • x-Force researches security incidents and attacks, Qradar provides intelligence and analytics
  • Believes security prevention is about understanding the way ‘bad boy’ agents work, rather than providing just SIEM
  • Security gets more complicated with Big Data, virtualisation, Cloud Computing and BYOD
  • Has integrated security in IBM MobileFirst and Cast Iron

[Figure 1: x-Force research for 2012 showing the severity and type of attacks]
I’ve spent some time looking into IT security over the last couple of weeks – attending the big InfoSecurity show in Earls Court, as well as spending a day meeting IBM’s experts (both in London). This is a complicated market, with 500 suppliers, many different interpretations of the customer needs and a wide choice of solutions to the myriad of threats and vulnerabilities. You’ll want to consider the process, business and technical precautions your organisation can take to avoid disaster.

IBM’s Integrated Security Strategy, Framework And Resources

IBM’s Security business includes software, hardware and services. Our meeting was addressed by Marc van Zadelhoff (VP, Strategy and Product Management) and a team of security experts[1], who ran through the strategy, new products and observations about the market and customer activities.
IBM bought Q1 Labs in October 2011. We assume the price was part of the total $1,588 million spent on acquisitions in Q4 2011 – certainly one of IBM’s larger software purchases. It added 300 staff (including around 25 in Northern Ireland) to those from earlier acquisitions, such as Consul, where Marc himself came from, to form IBM Security Systems. Services followed suit in May 2012, when they were folded into a single division under the leadership of Kris Lovejoy. Since then it has created an integrated strategy based on security analytics. We show its strategy, with some of its recent product announcements, in Figure 2.
[Figure 2: IBM’s security strategy and recent product announcements]
The security framework addresses the needs of buyers – especially the emerging Chief Information Security Officer (CISO) role in large organisations. Threat Intelligence at the bottom is provided by x-Force from which it has a mass of information on current threats and attacks across the globe. Q1 Labs Qradar is a SIEM on top, providing real time intelligence and analytics to a number of internal software and external service offerings. It focuses on a number of megatrends (currently Advanced Threats, Cloud Computing, Mobile and Compliance). Its capabilities are in collecting information and protecting 4 main areas – people, data, applications and the IT infrastructure. Its resources include:

  • 10 Security Operations Centers
  • 10 IBM Security Solution Centers
  • 14 IBM Security Solution Development Centers
  • 2 branches of its Institute for Advanced Security

Interestingly, despite claiming to have more SOCs than any other vendor, it has nothing yet in the 3 biggest countries in Europe – Germany, France and the UK. In total it has 15k researchers, developers and subject matter experts working on security initiatives. X-Force records around 15 billion security events every day, including 150 million attacks. Its Managed Security Services business has around 3.7k customers in 133 countries and 20k devices under contract, served by 3.3k GTS service delivery experts.
Offerings in which IBM integrates security include IBM MobileFirst mobile device management and Cast Iron migration software.

The Big Risk Of Big Data

IBM’s Security business is not like an insurance policy protecting organisations from potential disasters: it is persuasive in presenting the area as a pragmatic process of research, discovery and activity to stave off attacks by criminals, which are increasing in severity and evolving in type. Figure 1 shows x-Force research for 2012 detailing the severity (size) and type (colour) of attacks. One size doesn’t fit all in security: there are major differences between industry sectors, with finance, pharmaceutical companies and governments spending more. Marc points out that security is ‘a 10k issue’, with successful attacks destroying a company’s business in the worst cases.
Threats are multiplying as the volume of information expands and traditional structured data is mixed with unstructured feeds from social media interaction (especially from employees engaged in BYOD interactions). Marc noted that the cybersecurity landscape is constantly changing, with organisations having to accommodate new technology such as embedded systems and globally interconnected networks with mobility, social business, Cloud, virtualisation, Big Data and consumer applications.
While IBM’s main approach is to provide precautions, its Cyber Security Intelligence and Response Team is called out when attacks are successful. Chris Poulin noted some cultural differences between customers in different countries. In particular:

  • In Arab countries customers want Europeans to sort out the problems
  • In Japan customers don’t like to self-report
  • In Iraq the challenge is, of course, to find sub-contractors able to work in a difficult environment

He noted that EU countries appear to be moving towards the disclosure of attacks and vulnerabilities, which is already mandatory in the US and UK. His team deals with ‘after the event’ issues and he is surprised that some customers just want IBM to put things back the way they were, rather than implementing extra security immediately. It’s not the end of the world to be a victim of cyber crime and reputations can be rescued – Chris believes Sony, for instance, has done a good job following the problems it had with the PlayStation Network in 2011.
[Figure 3: traditional SIEM compared with a security intelligence operation]

Security Intelligence – Learn Something You Didn’t Know About Your Network

Ray Menard provided some excellent insights into the differences between traditional product-based SIEM approaches and a well-executed security intelligence operation. The latter only tends to deal with issues after an event is identified by computer-based testing (see Figure 3). Like Jesse James, cyber criminals case the joint on the left side before mounting an attack.
Security Intelligence should monitor network behaviour and spot small anomalies as they develop. He firmly believes smart people (some of whom have been hackers themselves) can understand ‘bad boy’ agents in the wild and how they propagate attacks: Security Intelligence isn’t a hardware pitch about how thousands of SIEM issues can be boiled down to the few you have to deal with – it’s about teaching you something you didn’t know about your network or the wider world.
While Security Intelligence has always been a Big Data workload, Ray sees things becoming harder with the adoption of BYOD strategies, virtualisation and the Cloud.

Some Conclusions – Don’t Be Wise After The Event

I’m impressed with IBM’s approach, especially in its rigorous definitions, resources and capabilities. It counts itself as the 4th largest player among 500. But IT security itself isn’t necessarily about the supplier you choose to help.
You won’t read many customer success and transformation stories in the IT security area – in fact there are few countries outside the UK and US where companies even have to disclose their security breaches. Successful attacks can kill the career prospects of CIOs or even the organisation itself, so it’s important to take the subject seriously.
To secure your organisation you will need to think about your attitude to risk, create a team under a CISO perhaps, develop policies, train your users on confidentiality and the use of social media sites, and invest in protection, countermeasures and effective recovery from any successful attacks that get through. If this all sounds daunting, don’t worry too much – everyone else is going through the same process. Up-front investment will undoubtedly be cheaper in the long run than recovering from disaster – a stitch in time saves nine.

Acronym Buster

CBT – Computer Based Test
DDoS – Distributed Denial of Service attack
IAM – Identity Access Management
IPS – Intrusion Protection System
ISAM – IBM Indexed Sequential Access Method – a way of indexing data for fast retrieval, originally developed for mainframe computing
MQ – IBM Message Queuing Series
Physical Access – an attack involving the theft of physical equipment from an organisation or individual
SIEM – Security Information and Event Management
Spear Phishing – an attack on specific organisations and individuals with rogue email messages to acquire information such as usernames, passwords and credit card details
SOC – Security Operations Center – IBM has 10 across the globe
SQL Injection – an attack on data driven applications by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database http://en.wikipedia.org/wiki/SQL_injection
TEM – Trusted Enterprise Manager
Trojan Software – an attack involving a non self-replicating Malware programme appearing to perform a desirable function, but providing backdoor entry for unauthorised access to the target computer http://en.wikipedia.org/wiki/Trojan_horse_(computing)
XGS – IBM Security Network Protection product range
XSS – Cross-Site Scripting


[1] Including John Wheeler (Director of Managed Security Services), Caleb Barlow (Director, Application, Data and Mobile Security), Chris Poulin (IBM Institute for Advanced Security), and Phil Kibler (Director, Cyber Security Intelligence and Response Team)