This post covers the IBM Red Paper:  Addressing Emerging Threats and Targeted Attacks with IBM Security Network Protection (redp4826).

The book is about addressing new kinds of network threats such as advanced persistent threats (APTs), stealth bots, targeted application attacks, and designer malware.  For an up-to-date understanding of the threat landscape the reader is referred to the IBM X-Force Trend and Risk Report.   These new threats are being addressed by incorporating best-of-breed intrusion prevention, application visibility and control, IP reputation, and SSL inspection into one solution, and integrating this solution with security intelligence.

The protocol-aware Protocol Analysis Module (PAM) engine provides in-depth security and protection by analyzing every packet that traverses the IBM Security Network Protection solution.  The engine can process low-level protocols, such as the Internet Protocol (IP), to detect and block attacks at this level (such as denial of service attacks). PAM can perform a deep analysis of data that is transferred by high-level protocols, such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Remote Procedure Calls (RPCs).

The following core components are features of the PAM:

• IBM Virtual Patch® technology: Shields vulnerabilities from exploitation, independent of a software patch.
• Client-side application protection: Protects users against attacks that target applications that are used everyday, such as attacks that are embedded in Microsoft Office files, Adobe PDF files, and multimedia files.
• Web application protection: Provides protection against sophisticated web application attacks, such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
• Advanced threat detection and prevention: Provides advanced intrusion prevention,including protection against potential zero-day attacks.
• Data security: Provides monitoring and identification of personally identifiable information (PII) and other confidential data over both unencrypted traffic and SSL encrypted traffic if SSL inspection is enabled.

 

This post covers the IBM Redbook: Using the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security published in April 2013.

This book provides an introduction to the IBM security framework and blueprint.  I do not cover this here because I previously covered it in my post Managing Security and Compliance in Cloud or Virtualized Data Centers.

Business Context

From the red book: “Business and IT drivers influence security.  Business drivers measure value, risk, and economic costs that influence an organization’s approach to IT security. Value drivers determine the worth of assets of the system to the business and of the business itself. Risk drivers involve compliance, corporate structure, corporate image, and the risk tolerance of the company. Economic drivers determine productivity impact, competitive advantage, and system cost.

IT drivers represent operational constraints in the general IT environment. For example, the complexity of a system, including its environment, that is exposed to internal and external threats presents risks that the organization must address. The IT drivers represent technical considerations that can affect the trustworthiness of the IT environment and the managed business systems as a whole. IT drivers are universal and must be considered within the context of the business drivers in all efforts. The combination of business and IT drivers represents the key initiatives for security management.”

The following business drivers are covered:

• Correct and reliable operation
• Service level agreements
• IT asset value
• Protection of the business asset value or brand image
• Legal or regulatory compliance
• Contractual obligation
• Financial loss and liability
• Critical infrastructure
• Safety and survival.

The following IT drivers are covered:

• Internal threats
• External threats
• IT service management commitments
• IT environment complexity
• Business environment complexity
• Audit and traceability
• IT vulnerabilities.

IBM Security Framework

The IBM security framework covers the breadth of security.  I show applications and infrastructure here.

For infrastructure, and important point is the decision to use virtualization.  “Organizations are increasingly using virtualization technology to support their goals of delivering services in less time, with greater agility, and at lower cost. By building a structure of security controls within this environment, organizations can reap the goals of virtualization, such as improved physical resource utilization, improved hardware efficiency, and reduction of power costs, while they ensure that the virtual systems are secured with the same rigor as the physical systems.”

 Security Maturity Model

 Security Blueprint

The Security Blueprint has the following foundational components:

• Command and Control Management
• Security Policy Management
• Risk and Compliance Assessment
• Identity, Access, and Entitlement Management
• Data and Information Protection Management
• Software, System, and Service Assurance
• Threat and Vulnerability Management
• IT Service Management
• Physical Asset Management.

 Architecture Principles

The following architecture principles are covered:

• Openness
• Security by default
• Design for accountability
• Design for regulations
• Design for privacy
• Design for extensibility
• Design for sharing
• Design for consumability
• Multiple levels of protection
• Separation of security management, enforcement, and accountability
• Security-critical resources and awareness of their security context
• Model-drive security
• Consistency in approaches, mechanisms, and software components.

Foundational Security Management

 Security Frameworks and Standards

Frameworks include:

• Industry information security and privacy standards profile model
• TOGAF
• IBM Unified Method Framework
• Sherwood Applied Business Security Architecture (also see the Zachman framework)
• Control Objectives for Information and Related Technology
• ISO/IEC 27002:2005
• Payment Card Industry Data Security Standard
• Sarbanes-Oxley Act
• Health Insurance Portability and Accountability Act.

Standards in the Industry information security and privacy standards profile model:

SABSA

SABSA looks at the following business requirements:

• Low-cost development
• Fast time to market
• Scalability of cost
• Scalability of platforms
• Scalability of security level
• Scalability of use
• Reusability
• Operations costs
• Administration costs
• Usability
• Interoperability
• Integration
• Supportability
• Risk-based cost and benefit effectiveness
• Enabling business.

 ISO/IEC 27002:20xx

ISO/IEC 27002:2005 contains 12 categories, or domains, that must be
considered when you apply an overall enterprise security approach. The
categories are:

•  Risk assessment
•  Security policy
•  Organization of information security
•  Asset management
•  Human resources security
•  Physical and environmental security
•  Communications and operations management
•  Access control
•  Information systems acquisition, development, and maintenance
•  Information security incident management
•  Business continuity management
•  Compliance.

 O-ESA

The red book describes how to use the Open Enterprise Security Architecture (O-ESA) from the Open Group to build an over-arching Enterprise Security Architecture (ESA).

Policy Enforcement Points (PEPs) are included in the conceptual architecture:

Example security domains are suggested:

•  Uncontrolled
•  Controlled (DMZ)
•  Restricted
•  Secured
•  External Controlled (3rd party).

A process is provided to develop the technology architecture:

Setting up security zones is summarized and the reader is referred to another red book for details: Enterprise Security Architecture Using IBM Tivoli Security Solutions, SG24-6014.  However, this document was written back in 2007.  I would take a look at Addressing Emerging Threats and Targeted Attacks
with IBM Security Network Protection (redp4826) first.

An example is provided for healthcare mobile security where an example set of security policies are provided:

Example allocation of security services to zones is provided:

The red book introduces SIEM technology:

“Centralized log collection, analysis, and reporting on compliance for the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley Act (SOX), and ISO/IEC 27002:2005 is enforced by using Security Information and Event Management (SIEM) technology. This technology integrates the Web Security Server infrastructure. It also offers operating system-level monitoring that can collect logs from critical UNIX, Linux, and Windows servers. The SIEM solution is also able to monitor the network traffic flows between the components for abnormalities (unusual behavior) and identify data structures that are moving across the wire.”

An operation model is provided for the example:

An SIEM operational view is provided:

In this post I cover the IBM Red Book SG248082:  Managing Security and Compliance in Cloud or Virtualized Data Centers.

The IBM Security Framework provides a top-level view on security:

At the second level of detail IBM provides Security Blueprint.

The Security Blueprint categorizes and defines security capabilities and services that are required to answer the business concerns in the IBM Security Framework such as infrastructure.

The Security Blueprint emphasizes control (knowing where you are in and out of compliance, why, and having action plans) in addition to compliance.  There is also a focus on visibility into and managing the security of virtual machines.

I cover the IBM Security Blueprint in more detail in my post Using the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security.

The functions of the PowerSC products are described and these provide a good example.  Regulatory compliance to industry standards such as Payment Card Industry Data Security Standard v1.2 (PCI-DSS) and Control Objectives for Information and related Technology (COBIT), typically adopted subject to the US Sarbanes-Oxley Act, can be automated.  Automated compliance helps address the huge effort of staying in compliance with multiple regulations.  Trusted Boot is a virtual implementation of the Trusted Platform Module (TPM) from the Trusted Computing Group.  Trusted Firewall filters traffic between VLANs.  Trusted Logs prevents modification of log files.  Trusted Surveyor provides consolidated security reporting.

For banks wanting to increase IT agility and decrease IT costs via a cloud-enabled data center, this IBM Redguide is a must read.

The words “increase agility and decrease costs” are used a lot and my brain tends to filter out words that it hears a lot.  However, every major delay to a critical project that I have witnessed in the past few years has been due to delays in specifying or provisioning development or test environments.

The book builds on the IBM Cloud Computing Reference Architecture (CCRA) to address the Cloud Enabled Data Center adoption pattern.  This pattern is key to banks who want to build a private cloud to “combine the major advantages of the public cloud, such as strong standardization, self-service automation, scalability, and metering, with the advantages of on-premise data centers.  On-premise data centers provide advantages such as strong security, increased customization capabilities, and increased control over QoS.”

As banks build out a private cloud, IaaS is the logical place to start.  The book provides a maturity model for IaaS.

The book provides macro patterns aligned to the maturity levels that prescribe architectures for each level.

Macro patterns are broken down into micro patterns and use cases.  Micro patterns are essentially functional clusters of use cases.

The macro pattern view shows provides a simplified view of the IaaS macro patterns.

They provide a macro patterns view overlaid with a logical software architecture.

The product mappings in the book will need some critical thinking on the bank’s part as they are a bit dated.

IBM is generally proposing PaaS with its Private Modular Cloud (PMC) solution.  After seeing the degree to which banks struggle to provide test environments for projects and the kinds of problems that bog them down, I do believe that PaaS is where the banks that I am working with need to go.