© 2013 IBM Corporation
IBM Security Systems

What is Security Intelligence?

Security Intelligence (noun): the real-time collection, normalization and analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise.

Security Intelligence provides actionable and comprehensive insight for managing risks and threats, from protection and detection through remediation.
Security Intelligence & Business Intelligence offer insightful parallels

[Figure: two timelines plotted as "Market Changes" over "Time"]

IBM Security Intelligence timeline:
• DASCOM
• Managed Security Services
• Mainframe and Server Security (RACF)
• SOA Security
• Network Intrusion Prevention
• Database Monitoring
• Identity and Access Management
• Application Security
• Security as a Service
• Compliance Management
• Security Intelligence

IBM Business Intelligence timeline:
• Enterprise Reporting
• Performance Management Platform
• Business Intelligence Suite
• IOD Business Optimization
• BI Convergence with Collaboration
• Text & Social Media Analytics
• Simplified Delivery (i.e., Cloud)
• Predictive Analytics
• Decision Management
• BI Convergence with Security
Security Intelligence & the “Why More Context”

“Organizations are failing at early breach detection, with more than 85% of breaches undetected by the breached organization.* (...) It is the combination of real-time security monitoring, context (threat, vulnerability, user, asset, data and application) and ‘smart eyeballs’ on daily activity reports that will improve your chances of early breach detection beyond the current 15% success rate.”
Gartner, “Using SIEM for Targeted Attack Detection” (March 2012)
* 2011 Data Breach Investigations Report, Verizon Business Systems.
Solutions for the full Security Intelligence timeline

Prediction & Prevention (What are the external and internal threats? Are we configured to protect against these threats?)
• Risk Management. Vulnerability Management.
• Configuration and Patch Management.
• X-Force Research and Threat Intelligence.
• Compliance Management.
• Reporting and Scorecards.

Reaction & Remediation (What is happening right now? What was the impact?)
• Security Information and Event Management.
• Log Management. Incident Response.
• Network and Host Intrusion Prevention.
• Network Anomaly Detection. Packet Forensics.
• Database Activity Monitoring. Data Leak Prevention.
Built upon common foundation of QRadar SIOS

[Figure: IBM QRadar Platform stack]
Security Intelligence Solutions: QRadar Log Manager, QRadar SIEM, QRadar Risk Manager, QRadar QFlow and VFlow, QRadar Vulnerability Manager
Security Intelligence Operating System (SIOS): Normalization, Real-Time Viewer, Rules Engine, Workflow, Analytics Engine, Reporting Engine, Warehouse, Archival
And continually adding context for increased accuracy

Security Intelligence Feeds: Internet Threats, Geo Location, Vulnerabilities
Deployed upon scalable appliance architecture

Log Management
• Turn-key log management and reporting
• SME to Enterprise
• Upgradeable to enterprise SIEM

SIEM
• Log, flow, vulnerability & identity correlation
• Sophisticated asset profiling
• Offense management and workflow

Network Activity & Anomaly Detection
• Network analytics
• Behavioral anomaly detection
• Fully integrated in SIEM

Network and Application Visibility
• Layer 7 application monitoring
• Content capture for deep insight & forensics
• Physical and virtual environments

Configuration & Vulnerability Management
• Network security configuration monitoring
• Vulnerability scanning & prioritization
• Predictive threat modeling & simulation

Scale
• Event Processors
• Network Activity Processors
• High Availability & Disaster Recovery
• Stackable Expansion
Using fully integrated architecture and interface

The same components (Log Management, SIEM, Network Activity & Anomaly Detection, Network and Application Visibility, Configuration & Vulnerability Management) are delivered as One Console Security, built on a Single Data Architecture.
Differentiated by network flow analytics

Network traffic doesn’t lie. Attackers can stop logging and erase their tracks, but can’t cut off the network (flow data).
• Deep packet inspection for Layer 7 flow data
• Pivoting, drill-down and data mining on flow sources for advanced detection and forensics
Helps detect anomalies that might otherwise get missed. Enables visibility into attacker communications.
Continued journey towards Total Security Intelligence
IBM QRadar SIEM
QRadar SIEM: Command console for Security Intelligence
• Provides full visibility and actionable insight to protect against advanced threats
• Adds network flow capture and analysis for deep application insight
• Employs sophisticated correlation of events, flows, assets, topologies, vulnerabilities and external data to identify and prioritize threats
• Contains workflow management to fully track threats and ensure resolution
• Uses scalable hardware, software and virtual appliance architecture to support the largest deployments
Flows provide context for true network intelligence
• Helps detect zero-day attacks that have no signature
• Enables policy monitoring and rogue server identification
• Provides visibility into all attacker communications
• Uses passive monitoring to build asset profiles and classify hosts
• Improves network visibility and helps resolve traffic problems
IBM QRadar Risk Manager
QRadar Risk Manager: Visualize network, configurations and risks
• Depicts network topology views and helps visualize current and alternative network traffic patterns
• Identifies active attack paths and assets at risk of exploit
• Collects network device configuration data to assess vulnerabilities and facilitate analysis and reporting
• Discovers firewall configuration errors and improves performance by eliminating ineffective rules
• Analyzes policy compliance for network traffic, topology and vulnerability exposures
Investigating offense attack path
• Clicking the ‘attack path’ button for an offense performs a search showing the precise path (and all permutations) between the involved source and destination IPs
• Firewall rules enabling the attack path can then be quickly analyzed to understand the exposure
• Allows a “virtual patch” to be applied by quickly showing which firewall rules may be changed to immediately shut down the attack path, before patching or other configuration changes can typically be implemented
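The attack-path review described above, reduced to its core: given a first-match firewall policy and the source and destination IPs of an offense, find the rule that opens each port, then insert a host-specific deny ahead of that rule as the "virtual patch" and re-check that the path is closed. This is an added illustration written for this page, not QRadar Risk Manager code; the rule model and the sample policy are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # destination port; None means any port
    action: str          # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.port in (None, port))

def first_match(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> Optional[Rule]:
    """First-match evaluation, the usual firewall semantics; None means implicit deny."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule
    return None

def attack_path_rules(rules: List[Rule], src_ip: str, dst_ip: str, ports: List[int]) -> Dict[int, str]:
    """Per port, the name of the rule that opens the path between the offense's IPs.
    These are the rules an analyst reviews to understand the exposure."""
    return {p: hit.name for p in ports
            if (hit := first_match(rules, src_ip, dst_ip, p)) is not None and hit.action == "allow"}

def virtual_patch(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> List[Rule]:
    """Close one path without rewriting the policy: insert a host-specific deny directly
    ahead of the enabling rule, so first-match evaluation reaches the deny first."""
    hit = first_match(rules, src_ip, dst_ip, port)
    if hit is None or hit.action != "allow":
        return list(rules)  # path already closed, nothing to change
    block = Rule(f"vpatch-{hit.name}-{port}", f"{src_ip}/32", f"{dst_ip}/32", port, "deny")
    patched = list(rules)
    patched.insert(patched.index(hit), block)
    return patched

# Constructed sample policy: the DMZ-to-database rule is deliberately broader than it should be.
RULES = [
    Rule("deny-telnet", "0.0.0.0/0", "10.20.0.0/16", 23, "deny"),
    Rule("allow-web-dmz", "0.0.0.0/0", "10.20.1.0/24", 80, "allow"),
    Rule("allow-dmz-to-db-any", "10.20.1.0/24", "10.30.0.0/16", None, "allow"),
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]
```

Running `attack_path_rules(RULES, "10.20.1.15", "10.30.5.8", [22, 1433, 3306])` names the over-broad rule for every port; after `virtual_patch(...)` on port 1433 the same check no longer lists that port.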
IBM QRadar Vulnerability Manager
Strengthened by integrated vulnerability insights

Existing vulnerability management tools leave questions open:
• Has that been patched?
• Has it been exploited?
• Is it likely to be exploited?
• Does my firewall block it?
• Does my IPS block it?
• Does it matter?

QRadar Vulnerability Manager with Security Intelligence Integration:
• Improves visibility: intelligent, event-driven scanning, asset discovery, asset profiling and more
• Reduces data load: bringing rich context to Vulnerability Management
• Breaks down silos: leveraging all QRadar integrations and data; unified vulnerability view across all products

Answers delivered: real-time scanning, early warning capabilities, advanced pivoting and filtering.
QVM enables customers to interpret the ‘sea’ of vulnerabilities

[Figure: a grid of CVEs, each coloured by the status that integrated context assigns to it]
• Inactive: QFlow Collector data helps QRadar Vulnerability Manager sense application activity
• Blocked: QRadar Risk Manager helps QVM understand which vulnerabilities are blocked by firewalls and IPSs
• Patched: IBM Endpoint Manager helps QVM understand which vulnerabilities will be patched
• Critical: Vulnerability knowledge base, remediation flow and QRM policies inform QVM about business critical vulnerabilities
• At Risk: X-Force Threat and SIEM security incident data, coupled with QFlow network traffic visibility, help QVM see assets communicating with potential threats
• Exploited: SIEM correlation and IPS data help QVM reveal which vulnerabilities have been exploited
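The context-driven classification above, worked as code: each integration contributes one fact about a vulnerability on an asset, and those facts decide which of the slide's status classes it lands in, so the flat list of CVEs can be read most urgent first. This is an added illustration, not QVM code; the precedence between classes, the `Unmitigated` fallback label and the sample records (placeholder CVE ids) are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class VulnContext:
    """One vulnerability on one asset, plus the fact each QRadar integration contributes."""
    cve: str
    asset: str
    service_active: bool     # QFlow: has the vulnerable service actually produced traffic?
    blocked: bool            # QRadar Risk Manager: does a firewall or IPS block the exposed port?
    patch_scheduled: bool    # IBM Endpoint Manager: will this vulnerability be patched?
    business_critical: bool  # knowledge base / QRM policy: does the asset matter to the business?
    talks_to_threat: bool    # X-Force + SIEM + QFlow: is the asset talking to a known threat?
    exploited: bool          # SIEM correlation + IPS: has exploitation been observed?

# Most urgent first. The order is an assumption: the slide names the classes, not their ranking.
STATUS_ORDER = ["Exploited", "At Risk", "Critical", "Unmitigated", "Patched", "Blocked", "Inactive"]

def classify(v: VulnContext) -> str:
    """Map the contributed facts to a status; evidence of harm outranks planned or passive mitigation."""
    if v.exploited:
        return "Exploited"
    if v.talks_to_threat:
        return "At Risk"
    if v.business_critical:
        return "Critical"
    if v.patch_scheduled:
        return "Patched"
    if v.blocked:
        return "Blocked"
    if not v.service_active:
        return "Inactive"
    return "Unmitigated"  # constructed label: reachable, unpatched, and no context source speaks for it

def triage(vulns: List[VulnContext]) -> List[Tuple[str, str, str]]:
    """Order the 'sea' of CVEs so the analyst reads exploited and at-risk items first."""
    ranked = sorted(vulns, key=lambda v: STATUS_ORDER.index(classify(v)))
    return [(v.cve, v.asset, classify(v)) for v in ranked]

# Constructed sample records; the CVE ids are placeholders, not real vulnerabilities.
SAMPLE = [
    VulnContext("CVE-PLACEHOLDER-1", "web01", True,  False, False, False, False, True),
    VulnContext("CVE-PLACEHOLDER-2", "db01",  True,  False, False, True,  False, False),
    VulnContext("CVE-PLACEHOLDER-3", "app02", False, False, False, False, False, False),
    VulnContext("CVE-PLACEHOLDER-4", "app03", True,  True,  False, False, False, False),
    VulnContext("CVE-PLACEHOLDER-5", "hr01",  True,  False, False, False, True,  False),
    VulnContext("CVE-PLACEHOLDER-6", "fs01",  True,  False, True,  False, False, False),
]
```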
IBM QRadar Security Intelligence
QRadar Security Intelligence easily grows with your needs

Inject IBM X-Force Threat Research Intelligence
– Provides intelligence feed to QRadar
– Includes vulnerabilities, IP reputations, malware reports

Add QRadar Risk Manager
– Enables pre-exploit configuration investigations
– Simplifies security policy reviews for compliance tests
– Provides network topology depictions and permits attack simulations

Implement QRadar Vulnerability Manager
– Extends pre-exploit analysis; adds integrated vulnerability insights
– Reduces the magnitude of pre-exploit conditions as QRadar SIEM does for post-exploit conditions
– Helps identify and measure exposures to external threats

Upgrade Log Manager to QRadar SIEM
– Additional security telemetry data
– Rules-based correlation analysis engine
– Data overload reduction ‘magic’, compressing millions or even billions of daily raw events to a manageable list of issues
Some of QRadar’s unique advantages
• Scalability for the largest deployments, using an embedded database and unified data architecture. Impact: QRadar supports your business needs at any scale
• Real-time correlation and anomaly detection based on the broadest set of contextual data. Impact: More accurate threat detection, in real time
• Intelligent automation of data collection, asset discovery, asset profiling, vulnerability scanning and more. Impact: Reduced manual effort, fast time to value, lower-cost operation
• Integrated flow analytics with Layer 7 content (application) visibility. Impact: Superior situational awareness and threat identification
• Flexibility and ease of use enabling “mere mortals” to create and edit correlation rules, reports and dashboards. Impact: Maximum insight, business agility and lower cost of ownership
ibm.com/security
THANK YOU