© 2016 IBM Corporation
Disclaimer
IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
QRadar BP Technical Enablement

One Day PoT
By attending the IBM QRADAR PoT you'll get a QRADAR overview including:
- an overview of the IBM Security Framework
- a presentation of the QRADAR platform including Log Management, SIEM, Vulnerability Management and Risk Management, with a demo
- the possibility to experiment yourself with the IBM QRADAR platform via guided small exercises

One Day Workshop
With this one day workshop, you will:
- Discover how QRadar provides full visibility and actionable insight to protect networks and IT assets from a wide range of advanced threats, while meeting critical compliance mandates
- Get hands-on experience with QRadar Log and SIEM.

3 Days Workshop
The “3-Day QRadar BP Technical Enablement” course provides an introduction to the IBM Security Intelligence Platform (QRadar SIEM, QRadar Risk Manager, QRadar Vulnerability Manager, QRadar Incident Forensics, etc.). Students will learn the solution’s architecture, understand the elements required to design a QRadar solution, and learn the basic steps needed to start a QRadar (PoC) deployment. This class includes lab exercises aimed at gaining a better insight into how QRadar works and into its deployment steps.
Attackers break through conventional safeguards every day
2013: 800+ Million records breached
2014: 1+ Billion records breached
2015: Unprecedented high-value targets breached
$6.5M average cost of a U.S. data breach
256 days average time to detect APTs
Detect attacks disguised as normal activity
Diagram: attacker FTP servers (external), contractor portals, retailer Windows file server and retailer POS systems (INTERNAL NETWORK)
1. Attacker phishes a third-party contractor
2. Attacker uses stolen credentials to access contractor portals
3a. Attacker finds and infects internal Windows file server
3b. Attacker finds and infects POS systems with malware
4. Malware scrapes RAM for clear text CC stripe data
5. Stolen data is exfiltrated to FTP servers
Characteristics of the attack:
§ Advanced
§ Specific
§ Stealthy
§ Exploits human vulnerabilities
§ Targets business process weaknesses
IBM Security QRadar – Success Factors
Sense Analytics™ Threat Detection
§ Behavioral
§ Contextual
§ Temporal
One Platform, Unified Visibility
§ Extensible
§ Scalable
§ Easily deployed
The Power to Act – at Scale
§ Prioritization
§ Collaboration of threat data
§ Automated response
Understand the content of the message
§ Information related to the security “services”:
– Antimalware Software
– Intrusion Detection and Intrusion Prevention Systems
– Remote Access Software
– Web Proxies
– Vulnerability Management Software
– Authentication Servers
– Routers
– Firewalls
– Network Quarantine Servers
– …
§ Information related to the applications:
– Client requests and server responses
– Account information
– Usage information
– Significant operational actions
§ Information related to the operating system:
– System Events
– Audit Records
Functional Architecture
Stages: Collect, Categorization, Parsing, Normalization, Rule / Correlation, Storage, Replay, Monitoring, SI Events collection
§ Source: events are collected from the source.
§ Categorization: define the category of the event.
§ Parsing / Normalization: messages are stored without modification to keep their legal status; they are standardized into a more readable format.
§ Rule / Correlation: the correlation can identify an event that caused the generation of several others. It allows the setup of an alert.
§ Forensic / Storage: storage with probative value is used to ensure the integrity of evidence.
§ Monitoring: this interface into the application will allow your incident handlers or system engineers a unique view into your environment.
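The stages above, walked through in working code as an added example (this is not IBM code and not QRadar's own parser or rule language): raw syslog lines are collected, parsed, normalized into one schema, categorized, stored unmodified next to a SHA-256 integrity hash, and then correlated so that one root event explains the events it caused. The log lines, the category names and the brute-force-then-success rule are all constructed for illustration.

```python
"""Added example, not from the IBM deck: a minimal event pipeline that walks
through the stages on the slide (collect, parse, normalize, categorize, store
the raw message with an integrity hash, correlate). Log lines, category names
and the correlation rule are constructed for illustration."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed BSD-syslog lines from two devices (assumed format).
RAW_LINES = [
    "<38>Jan 10 10:00:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=22",
    "<86>Jan 10 10:00:02 srv01 sshd[1234]: Failed password for root from 203.0.113.9 port 51111 ssh2",
    "<86>Jan 10 10:00:03 srv01 sshd[1234]: Failed password for root from 203.0.113.9 port 51112 ssh2",
    "<86>Jan 10 10:00:09 srv01 sshd[1240]: Accepted password for root from 203.0.113.9 port 51120 ssh2",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
IP_RE = re.compile(r"(?:SRC=|from )(\d{1,3}(?:\.\d{1,3}){3})")

# Categorization table (constructed): message pattern -> (high-level, low-level).
CATEGORIES = [
    (re.compile(r"Failed password"), ("Authentication", "Login Failure")),
    (re.compile(r"Accepted password"), ("Authentication", "Login Success")),
    (re.compile(r"\bDROP\b"), ("Access", "Firewall Deny")),
]


@dataclass
class Event:
    raw: str                      # stored unmodified (legal / probative value)
    raw_sha256: str               # integrity hash taken at collection time
    time: datetime
    host: str
    app: str
    src_ip: Optional[str]
    category: Tuple[str, str]


def categorize(msg: str) -> Tuple[str, str]:
    """Define the category of the event from its message text."""
    for pattern, category in CATEGORIES:
        if pattern.search(msg):
            return category
    return ("Unknown", "Unknown")


def normalize(line: str, year: int = 2016) -> Event:
    """Parse one raw line into the common schema; the raw text is kept as-is."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError(f"unparsed line: {line!r}")
    ts = " ".join(m["ts"].split())        # collapse 'Jan  1' style padding
    when = datetime.strptime(f"{ts} {year}", "%b %d %H:%M:%S %Y")
    ip = IP_RE.search(m["msg"])
    return Event(
        raw=line,
        raw_sha256=hashlib.sha256(line.encode()).hexdigest(),
        time=when,
        host=m["host"],
        app=m["app"],
        src_ip=ip.group(1) if ip else None,
        category=categorize(m["msg"]),
    )


def verify_integrity(event: Event) -> bool:
    """Forensic check: the stored raw message still matches its hash."""
    return hashlib.sha256(event.raw.encode()).hexdigest() == event.raw_sha256


def correlate(events: List[Event], min_failures: int = 2,
              window: timedelta = timedelta(minutes=5)) -> list:
    """Constructed rule: N login failures followed by a success from one source
    IP inside the window. The first failure is the root event that explains
    the others, so one alert is raised instead of one per line."""
    alerts = []
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.time):
        if e.src_ip and e.category[0] == "Authentication":
            by_ip[e.src_ip].append(e)
    for ip, seq in by_ip.items():
        failures: List[Event] = []
        for e in seq:
            if e.category[1] == "Login Failure":
                failures.append(e)
            elif (e.category[1] == "Login Success" and len(failures) >= min_failures
                  and e.time - failures[0].time <= window):
                alerts.append({"src_ip": ip, "root": failures[0],
                               "children": failures[1:] + [e]})
                failures = []
            else:
                failures = []
    return alerts


def run_pipeline(lines: List[str]):
    """Collect -> normalize/categorize -> correlate; returns (events, alerts)."""
    events = [normalize(line) for line in lines]
    return events, correlate(events)


if __name__ == "__main__":
    evs, found = run_pipeline(RAW_LINES)
    for a in found:
        print(a["src_ip"], "root:", a["root"].raw, "explains", len(a["children"]), "more events")
```

Keeping `raw` and `raw_sha256` side by side is what gives the store its probative value: any later edit to the message is detectable with `verify_integrity`, while searches and rules work on the normalized fields.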
Architecture Approach
In this case, an inherently more scalable log management tool is deployed in front of the SIEM to serve as a shield and filter, protecting a less scalable SIEM tool from extreme log flows.
Another scenario emerges when log management is deployed first to create an enterprise logging platform. SIEM is then added as one of the applications of such a platform. This scenario can be called “grow up to SIEM” and accounts for up to 50 percent of SIEM deployments today.
In the next case, SIEM and log management are deployed alongside each other and at the same time. This is an “emerging scenario”, since more people now get both at the same time and typically from the same vendor.
Next is a SIEM deployment with log management as an archive for processed and other logs. This scenario arises when somebody buys a big SIEM for security monitoring and then, over time, realizes that something is missing. As a result, a log management tool is deployed to “dump” all logs into and to perform analysis of the raw logs that the SIEM “rejects” (i.e., doesn’t know how to parse, normalize, categorize, etc.).
QRadar Sense Analytics™
Advanced analytics assisting in threat identification
QRadar is the only Security Intelligence Platform powered by the advanced Sense Analytics engine to:
§ Detect abnormal behaviors across users, networks, applications and data
§ Discover current and historical connections, bringing hidden indicators of attack to the surface
§ Find and prioritize weaknesses before they’re exploited
QRadar Sense Platform (diagram)
USE CASES: Advanced Threat Detection, Insider Threat Detection, Risk & Vulnerability Management, Incident Forensics, Incident Response, Compliance Reporting, Securing Cloud
ACTION: Automation, Workflows, Dashboards, Visualizations, Third-Party Usage
ENGINE: QRadar Sense Analytics™ – Behavior-Based Analytics, Context-Based Analytics, Time-Based Analytics, producing PRIORITIZED INCIDENTS
COLLECTION: Business Systems, Cloud Infrastructure, Threat Intel, Applications
DEPLOYMENT MODELS: ON PREM, AS A SERVICE, CLOUD, HYBRID
Capability and Threat Intelligence Collaboration Platforms: App Exchange, X-Force Exchange
Prioritized incidents
Consume massive amounts of structured and unstructured data
EXTENSIVE DATA SOURCES: Servers and mainframes; Data activity; Network and virtual activity; Application activity; Configuration information; Security devices; Users and identities; Vulnerabilities and threats; Global threat intelligence
Embedded Intelligence: QRadar Sense Analytics™
Incident identification
• Extensive data collection, storage, and analysis
• Real-time correlation and threat intelligence
• Automatic asset, service and user discovery and profiling
• Activity baselining and anomaly detection
Advanced threat detection
QRadar senses and discovers by monitoring and profiling assets and individuals
SCENARIO
1. Host visits malicious domain, but firing an alert might be premature
2. New beaconing behavior
3. Data transfers inconsistent with behavioral baselines appear
QRadar combines all three conditions to produce a single, heightened alert
SCENARIO
§ Sudden change in network traffic
§ The appearance of a new application on a host or the termination of a typical service is captured as an anomaly
Capabilities: Pattern identification, Anomaly detection, User and entity profiling
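The first scenario above, the three weak signals combined into one heightened alert, as an added example (not IBM code and not how QRadar implements it internally): a watchlist hit on a resolved domain, a beaconing test on connection timing, and a volume check against the host's own baseline are computed separately, and the magnitude rises only as independent signals agree. The watchlist, the telemetry, the baseline history and the thresholds are all constructed.

```python
"""Added example, not from the IBM deck: combining three weak signals from the
slide's scenario (visit to a malicious domain, new beaconing, a transfer that
breaks the host's baseline) into one heightened alert. All telemetry, the
watchlist and the thresholds are constructed for illustration."""
import statistics
from collections import defaultdict
from typing import Dict

# Constructed watchlist and one day of telemetry for three hosts.
MALICIOUS_DOMAINS = {"bad.example"}
DNS_QUERIES = [            # (host, queried domain, seconds since midnight)
    ("h1", "bad.example", 5),
    ("h2", "news.example", 10),
    ("h3", "bad.example", 20),
]
CONNECTIONS = [            # (host, destination IP, seconds since midnight, bytes out)
    ("h1", "198.51.100.7", 0, 512), ("h1", "198.51.100.7", 60, 500),
    ("h1", "198.51.100.7", 120, 498), ("h1", "198.51.100.7", 180, 515),
    ("h1", "198.51.100.7", 240, 505), ("h1", "198.51.100.7", 300, 510),
    ("h1", "203.0.113.50", 150, 50_000),      # the large, unusual transfer
    ("h2", "192.0.2.10", 10, 1_000), ("h2", "192.0.2.10", 400, 900),
    ("h3", "192.0.2.11", 30, 700),
]
# Daily outbound byte totals from previous days (the behavioral baseline).
BASELINE_BYTES = {
    "h1": [5_000, 6_000, 5_500, 6_500, 5_000],
    "h2": [10_000, 12_000, 11_000, 10_500, 11_500],
    "h3": [700, 800, 750, 900, 650],
}


def malicious_domain_hosts(dns, watchlist) -> set:
    """Signal 1: hosts that resolved a domain on the watchlist."""
    return {host for host, domain, _ in dns if domain in watchlist}


def beaconing_hosts(conns, min_events=5, max_jitter=0.2) -> set:
    """Signal 2: repeated connections to one destination at near-constant
    intervals (coefficient of variation of the gaps at or below max_jitter)."""
    times = defaultdict(list)
    for host, dst, t, _ in conns:
        times[(host, dst)].append(t)
    found = set()
    for (host, _dst), ts in times.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            found.add(host)
    return found


def transfer_anomaly_hosts(conns, baseline, z=3.0) -> set:
    """Signal 3: today's outbound volume exceeds mean + z*stdev of the baseline."""
    today = defaultdict(int)
    for host, _, _, nbytes in conns:
        today[host] += nbytes
    found = set()
    for host, total in today.items():
        history = baseline.get(host)
        if not history:
            continue                      # no baseline yet: cannot judge
        threshold = statistics.mean(history) + z * statistics.pstdev(history)
        if total > threshold:
            found.add(host)
    return found


def assess(dns, conns, baseline, watchlist) -> Dict[str, dict]:
    """Combine the signals per host. One signal alone stays low priority; the
    magnitude (constructed 0-10 scale) grows as independent signals agree."""
    signals = {
        "malicious_domain": malicious_domain_hosts(dns, watchlist),
        "beaconing": beaconing_hosts(conns),
        "transfer_anomaly": transfer_anomaly_hosts(conns, baseline),
    }
    result: Dict[str, dict] = {}
    for name, hosts in signals.items():
        for host in hosts:
            result.setdefault(host, {"signals": [], "magnitude": 0})
            result[host]["signals"].append(name)
    for info in result.values():
        info["magnitude"] = min(10, 3 * len(info["signals"]))
    return result


if __name__ == "__main__":
    verdicts = assess(DNS_QUERIES, CONNECTIONS, BASELINE_BYTES, MALICIOUS_DOMAINS)
    for host, info in sorted(verdicts.items()):
        print(host, info)
```

On the constructed data, h3 only touched the watchlisted domain and stays at a low magnitude (the "premature alert" case from the slide), while h1 trips all three checks and surfaces as the single heightened alert.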
Insider threat monitoring
QRadar profiles assets and individuals to help security teams better interpret network context and reduce false-positive results, while fine-tuning the detection of attacks and breaches
SCENARIO
§ Service rep downloads twice the normal amount of client data
– Might be part of new sales analysis activity
§ QRadar knows that the service rep was recently laid off and sees data being sent to an external site
Capabilities: Business context, Historical analytics, Risk-based analytics
Forensics investigation
SCENARIO
§ SOC analyst investigating an offense discovers employees exposed to a phishing scam
§ Attacker has latched on and expanded to an internal server using a pattern identified by X-Force as known to inject remote-access Trojan (RAT) software
Capabilities: Real-time analytics, External threat correlation, Statistical analysis
QRadar recovers all associated network packets with a few mouse clicks
• Pinpoints where and when RAT software was installed
• Rich profile of malicious software, including link analysis, identifies “patient zero” and other infected parties
• Incident response and remediation is completed with no recurrences
One platform with global visibility
Complete clarity and context
QRadar deploys lightning fast to help users consolidate insights in a single platform:
§ Delivers scale, collecting billions of events on-premises or in the cloud
§ Unifies real-time monitoring, vulnerability and risk management, forensics, and incident response
§ Deep and automated integration from hundreds of third-party sources
IBM Security Threat Intelligence
Leverage multiple threat intelligence sources
§ Pull in Threat Intelligence through the open STIX/TAXII format
§ Load threat indicators from collections into QRadar Reference sets
§ Use reference sets for correlation, searching, reporting
§ Create a custom rule response to post IOCs to a Collection
USE CASE
Bring watchlists of IP addresses from X-Force Exchange and create a rule to raise the magnitude of any offense that includes an IP from the watchlist
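The use case above, end to end, as an added example (not IBM code, not the QRadar rule engine and not the QRadar API): IPv4 values are pulled out of the indicator patterns of a STIX 2 bundle into a reference set, a rule raises the magnitude of every offense whose IPs appear in that set, and a rule response emits the high-magnitude offenses' remaining external destination IPs as new STIX patterns ready to be posted to an outbound collection. The bundle, the offense records, the boost and the 0-10 cap are constructed assumptions; the `[ipv4-addr:value = '...']` pattern syntax is standard STIX 2.

```python
"""Added example, not from the IBM deck: load IPv4 indicators from a STIX 2
bundle into a reference set, apply a rule that raises the magnitude of any
offense whose IPs appear in the set, and a rule response that emits the
offense's other external IPs as new indicators for an outbound collection.
The bundle, offenses, boost value and the 0-10 magnitude cap are constructed."""
import ipaddress
import json
import re
from typing import List, Set

# Constructed STIX 2 bundle; the IDs are placeholders, not real intel.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000001",
         "pattern": "[ipv4-addr:value = '203.0.113.9']",
         "valid_from": "2016-01-01T00:00:00Z"},
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[ipv4-addr:value = '198.51.100.7' OR ipv4-addr:value = '198.51.100.8']",
         "valid_from": "2016-01-01T00:00:00Z"},
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern": "[domain-name:value = 'bad.example']",   # not an IP: ignored here
         "valid_from": "2016-01-01T00:00:00Z"},
    ],
})

IPV4_IN_PATTERN = re.compile(r"ipv4-addr:value\s*=\s*'(\d{1,3}(?:\.\d{1,3}){3})'")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed internal range

# Constructed offenses in the shape the rule needs: id, magnitude, IPs involved.
OFFENSES = [
    {"id": 1, "magnitude": 4, "source_ips": ["10.0.0.5"], "dest_ips": ["203.0.113.9", "192.0.2.77"]},
    {"id": 2, "magnitude": 5, "source_ips": ["10.0.0.8"], "dest_ips": ["192.0.2.44"]},
    {"id": 3, "magnitude": 9, "source_ips": ["198.51.100.8"], "dest_ips": ["10.0.0.9"]},
]


def load_reference_set(bundle_json: str) -> Set[str]:
    """Extract every IPv4 value from the bundle's indicator patterns."""
    bundle = json.loads(bundle_json)
    refset: Set[str] = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") == "indicator" and "pattern" in obj:
            refset.update(IPV4_IN_PATTERN.findall(obj["pattern"]))
    return refset


def apply_watchlist_rule(offenses: List[dict], refset: Set[str],
                         boost: int = 3, cap: int = 10) -> List[dict]:
    """Rule: if any IP of the offense is in the reference set, raise its
    magnitude by `boost`, capped at `cap`. Returns new records; input untouched."""
    out = []
    for off in offenses:
        matched = sorted(set(off["source_ips"] + off["dest_ips"]) & refset)
        updated = dict(off, matched_indicators=matched)
        if matched:
            updated["magnitude"] = min(cap, off["magnitude"] + boost)
        out.append(updated)
    return out


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def post_iocs_response(offenses: List[dict], refset: Set[str],
                       min_magnitude: int = 7) -> List[str]:
    """Rule response: for high-magnitude offenses, emit STIX patterns for the
    external destination IPs that are not already in the reference set."""
    patterns = []
    for off in offenses:
        if off["magnitude"] < min_magnitude:
            continue
        for ip in off["dest_ips"]:
            if ip in refset or is_internal(ip):
                continue
            patterns.append(f"[ipv4-addr:value = '{ip}']")
    return patterns


def run(bundle_json: str = STIX_BUNDLE, offenses: List[dict] = OFFENSES):
    """Load the set, score the offenses, collect the new IOCs to post."""
    refset = load_reference_set(bundle_json)
    scored = apply_watchlist_rule(offenses, refset)
    return refset, scored, post_iocs_response(scored, refset)


if __name__ == "__main__":
    rs, scored, new_iocs = run()
    print("reference set:", sorted(rs))
    for off in scored:
        print("offense", off["id"], "magnitude", off["magnitude"], "matched", off["matched_indicators"])
    print("new indicators to post:", new_iocs)
```

The response step deliberately skips IPs already in the reference set and anything inside the internal range, so the collection only ever receives new external indicators; in a real deployment the same filter is what keeps a watchlist from feeding its own hits back to itself.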
Add collaborative defenses – App Exchange
A New Platform for Security Intelligence Collaboration
Single collaboration platform for rapidly delivering new apps and content for IBM Security solutions
§ Enable rapid innovation
§ Single platform for collaboration
§ Access partner innovations
§ Validated security apps
§ Quickly extend QRadar functionality
Allows QRadar users and partners to deploy new use cases in an accelerated way
The power to act – at scale
Actionable security intelligence
QRadar enables security experts within and across organizations to collaboratively take action:
§ Intelligent incident prioritization
§ Collaboration of threat data and security capabilities from X-Force Exchange and App Exchange
§ Resilient incident response with workflow, play groups, collaboration, regulatory requirements and integrations, streamlining and automating incident response to remediate threats quickly and with ease
Establish security as a system
§ Key integrated capabilities (diagram)
Domains: Threat Research, Endpoint, Advanced Fraud, Data, Mobile, Network, Applications, Identity and Access, Security Intelligence, Ecosystem Partners, Consulting Services, Managed Services
Capabilities shown: Endpoint patching and management; Malware protection; Fraud protection; Criminal detection; Data access control; Data monitoring; Device management; Content security; Network visibility; Application security management; Access management; Identity management; Entitlements and roles; Application scanning; Virtual patching; Transaction protection; Log, flow and big data analysis; Anomaly detection; Vulnerability assessment; Incident and threat management; Sandboxing; Firewalls; Anti-virus
IBM QRadar is the centerpiece of IBM Security integrations (diagram)
Threat Research: IBM X-Force Research
Endpoint: Trusteer Apex, zSecure, BigFix
Advanced Fraud: Trusteer Pinpoint, Trusteer Rapport
Data: Key Lifecycle Manager, Guardium Suite
Mobile: MobileFirst Protect (MaaS360), MobileFirst Platform (Worklight), Trusteer Mobile
Network: Network Protection XGS, Network Protection GX, SiteProtector
Applications: AppScan Suite, DataPower Web Security Gateway
Identity and Access: Privileged Identity Manager, Access Manager, Identity Manager, Federated Identity Manager
Security Intelligence: QRadar SIEM, QRadar Log Manager, QRadar Vulnerability Manager, QRadar Risk Manager, QRadar Incident Forensics, Big Data, i2 Analytics
Ecosystem Partners; Consulting Services; Managed Services
Key integrations for Security Intelligence (diagram: eight integrations feeding QRadar)
§ Network – Network Protection XGS: provide increased visibility into the network; network security flows
§ Endpoint – BigFix: correlate status and severity monitoring; vulnerability and patch data
§ Endpoint – Trusteer Apex: gain input on malware attacks; endpoint malware events
§ Identity and Access – ISAM, ISIM, PIM: provide identity context aware security intelligence; identity attributes, logs and flows
§ Data – Guardium: provide in-depth data activity monitoring and vulnerability assessment; security events and vulnerabilities
§ IBM X-Force: place activity in external context and determine offense severity; global real-time threat and vulnerability data
§ Mobile – MaaS360: understand the mobile security landscape; compliance alerts, security events and vulnerabilities
§ Applications – AppScan: understand the application security landscape and improve threat detection accuracy
QRadar high-level architecture
Flow Sources: Interface, Netflow, Sflow, Jflow, etc.
Log Sources: Syslog, log files, traps, etc.
Qflow (Flow Collector)
• receives flows
Event Collector
• receives log events
• normalizes events
• categorizes events
Event Processor (Flow, Event, Accum)
• tests events and flows against rules
• Ariel datastore for events and flows
Data Node (Flow, Event, Accum)
• expands EP Ariel datastore
Console / Magistrate (Identity, Asset, Offense, Config)
• user interface
• offense processing
• reporting
• asset, offense, and configuration database
Solution components
Log Management
• Turn-key log management and reporting
• Small to large/distributed Enterprise
• Upgradeable to enterprise SIEM
SIEM
• Log, flow, vulnerability & identity correlation
• Sophisticated asset profiling
• Offense ID/management and workflow
Network and Application Visibility
• Layer 7 (application layer) monitoring
• Content capture for deep insight & forensics
• Physical and virtual environments
Risk & Vulnerability Management
• Network security configuration monitoring
• Vulnerability scanning & prioritization
• Predictive threat modeling & simulation
Network Forensics (Incident Forensics)
• Reconstructs network sessions from PCAPs
• Data pivoting and visualization tools
• Accelerated clarity around who, what, when
Scalability
• Event Processors for remote sites
• High Availability & Disaster Recovery
• Data Node to increase storage & performance
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU
www.ibm.com/security