DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next generation SIEM - Riga NOV 2011
Presentation from the "DSS"-organized ITSEC conference on the 24th of November, Riga, Latvia.
Transcript

  • 1. Ray Menard, 2011-11-24. Network Security Monitoring. IBM Confidential © 2011 IBM Corporation
  • 2. QRadar SIEM: Problem Simply Stated. "Electronic intelligence, valuable though it is in its own way, serves to augment the daunting volume of information which is directed at headquarters from satellite and aerial reconnaissance, intelligence-gathering ships, optical observation, special forces, armoured reconnaissance teams, and the interrogation of prisoners. Nowadays the commander is confronted with too much information, rather than too little, and it is his informed judgment which ultimately decides what is relevant and important." [Hugh Farringdon, NATO, The Warsaw Pact and the Superpowers, 2nd ed., p. 33]
  • 3. QRadar SIEM: Problem Simply Stated. "Network and security information, valuable though it is in its own way, serves to augment the daunting volume of information which is directed at network and security practitioners from firewalls and IDS/IPS, server logs, application logs, syslog servers, proxy servers and virus scanners. Nowadays the security practitioner is confronted with too much information, rather than too little, and it is his informed judgment which ultimately decides what is relevant and important." (Ray Menard, plagiarized from Hugh Farringdon)
  • 4. QRadar SIEM: Focus on Prevention. Network and security professionals' focus tends to be on preventing bad things from happening on the network. There is a significant amount of spending on tools designed to prevent bad things from getting into the network. When things go bad, it is because the network and security practitioner doesn't know what they don't know.
  • 5. Q1 Labs Delivers Solutions Across the Entire Compliance and Security Intelligence Lifecycle.
      • Prediction/Prevention Phase (Pre-Exploit): Risk Management, Compliance Management, Vulnerability Management, Configuration Management
      • Exploit
      • Reaction/Remediation Phase (Post-Exploit): SIEM, Network/User Anomaly Detection, Log Management
  • 6. QRadar SIEM: Network and security professionals need
      • Ability to quickly and efficiently analyze large volumes of information, sorting the wheat from the chaff
      • Complete network and security intelligence
      • Flexibility to meet the ever-changing, more sophisticated threat
      • Ability to do more with less as new requirements are identified
      • Visibility and verification
      • Time is an enemy!
  • 7. QRadar SIEM Overview. QRadar SIEM provides full visibility and actionable insight to protect networks and IT assets from a wide range of advanced threats, while meeting critical compliance mandates. Key capabilities:
      • Sophisticated correlation of events, flows, assets, topologies, vulnerabilities, device configurations and external data to identify and prioritize threats
      • Network flow capture and analysis for deep application insight
      • Workflow management to fully track threats and ensure resolution
      • Scalable architecture to support the largest deployments
  • 8. "This principle doesn't mean you should abandon your prevention efforts. As a necessary ingredient of the security process, it is always preferable to prevent intrusions than to recover from them. Unfortunately, no security professional maintains a 1.000 batting average against intruders. Prevention is a necessary but not sufficient component of security." (Bejtlich, 2004)
  • 9. QRadar SIEM Key Advantages
      • Real-time activity correlation based on advanced in-memory technology and the widest set of contextual data
      • Flow capture and analysis that delivers Layer 7 content visibility and supports deep forensic examination
      • Intelligent incident analysis that reduces false positives and manual effort
      • Unique combination of fast free-text search and analysis of normalized data
      • Scalability for the world's largest deployments, using an embedded database and unified data architecture
  • 10. QRadar SIEM Product Tour: Integrated Console
      • Single browser-based UI
      • Role-based access to information and functions
      • Customizable dashboards (work spaces) per user
      • Real-time and historical visibility and reporting
      • Advanced data mining and drill down
      • Easy-to-use rules engine with out-of-the-box security intelligence
  • 11. QRadar SIEM Product Tour: Data Reduction and Prioritization. Previous 24-hour period of network and security activity (2.7M logs); QRadar correlation and analysis of that data creates offenses (129). Offenses are a complete history of a threat or violation, with full context about the accompanying network, asset and user identity information. Offenses are further prioritized by business impact.
  • 12. QRadar SIEM Product Tour: Intelligent Offense Scoring. QRadar judges the "magnitude" of offenses by:
      • Credibility: a false positive or a true positive?
      • Severity: alarm level contrasted with target vulnerability
      • Relevance: priority according to asset or network value
      Priorities can change over time based on situational awareness.
  • 13. QRadar SIEM Product Tour: Offense Management. Clear, concise and comprehensive delivery of relevant information: What was the attack? Was it successful? Who was responsible? Where do I find them? How many targets are involved? How valuable are the targets to the business? Are any of them vulnerable? Where is all the evidence?
  • 14. QRadar SIEM Product Tour: Free-Text Search
  • 15. QRadar SIEM Product Tour: Out-of-the-Box Rules and Searches
      • Default log queries/views: 1000s of real-time correlation rules and analysis tests; 100s of out-of-the-box searches and views of network activity and log data. Provides quick access to critical information.
      • Custom log fields: provides flexibility to extract log data for searching, reporting and dashboards. Product ships with dozens of pre-defined fields for common devices.
  • 16. "To lack intelligence is to be in the ring blindfolded." Former Commandant of the Marine Corps, General David M. Shoup
  • 17. QRadar SIEM Product Tour: Flows for Network Intelligence
      • Detection of day-zero attacks that have no signature
      • Policy monitoring and rogue server detection
      • Visibility into all attacker communication
      • Passive flow monitoring builds asset profiles and auto-classifies hosts
      • Network visibility and problem solving (not just security related)
  • 18. QRadar SIEM Product Tour: Flows for Application Visibility
      • Flow collection from native infrastructure
      • Layer 7 data collection and analysis
      • Full pivoting, drill down and data mining on flow sources for advanced detection and forensic examination
      • Visibility and alerting according to rule/policy, threshold, behavior or anomaly conditions across network and log activity
  • 19. QRadar SIEM Product Tour: Compliance Rules and Reports
      • Out-of-the-box templates for specific regulations and best practices: COBIT, SOX, GLBA, NERC, FISMA, PCI, HIPAA, UK GCSx
      • Easily modified to include new definitions
      • Extensible to include new regulations and best practices
      • Can leverage existing correlation rules
  • 20. QRadar SIEM Use Cases. QRadar SIEM excels at the most challenging use cases: complex threat detection, malicious activity identification, user activity monitoring, compliance monitoring, fraud detection and data loss prevention, network and asset discovery.
  • 21. Use Case: Out of the Box
  • 22. QRadar SIEM Use Case: Complex Threat Detection
      • Problem statement: finding the single needle in the "needle stack"; connecting patterns across many data silos and huge volumes of information; prioritizing attack severity against target value and relevance; understanding the impact of the threat
      • Required visibility: normalized event data; asset knowledge; vulnerability context; network telemetry
  • 23. QRadar SIEM: Restating the Problem. "One of the reasons why the state of information security is so bad is that it is built on a foundation of islands of point tools for protection against tactical threats. Managing these systems is an operational nightmare. What's more, most of these tools aren't integrated together, so getting a true picture of the security posture of the whole business is next to impossible, which may actually lead to additional security risks." Jon Oltsik, ESG
  • 24. QRadar SIEM Use Case: Complex Threat Detection. Sounds nasty... but how do we know this? The evidence is a single click away.
      • Network scan: detected by QFlow
      • Buffer overflow: exploit attempt seen by Snort
      • Targeted host vulnerable: detected by Nessus
      • Total security intelligence: convergence of network, event and vulnerability data
  • 25. QRadar SIEM Use Case: Malicious Activity Identification
      • Problem statement: distributed infrastructure; security blind spots in the network; malicious activity that promiscuously seeks "targets of opportunity"; application layer threats and vulnerabilities; siloed security telemetry; incomplete forensics
      • Required visibility: distributed detection sensors; pervasive visibility across the enterprise; application layer knowledge; content capture for impact analysis
  • 26. QRadar SIEM Use Case: Malicious Activity Identification. Potential botnet detected? This is as far as traditional SIEM can go. IRC on port 80? QFlow enables detection of a covert channel. Irrefutable botnet communication: Layer 7 data contains botnet command and control instructions.
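The "IRC on port 80" finding on this slide is a port/protocol mismatch that only Layer 7 content can reveal. The following is an added example, not QFlow or QRadar code: it classifies a flow by its first payload bytes and flags flows whose application protocol disagrees with what the destination port promises. The flow record layout, the signature table and the sample flows are assumptions constructed for the example.

```python
"""Port/protocol mismatch detection from captured first payload bytes.
Added example (not QRadar/QFlow code); signatures and records are assumed."""
import re

# First-payload-bytes signatures for a few application protocols (assumed, minimal).
SIGNATURES = {
    "http": re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
    "irc":  re.compile(rb"^(NICK|USER|PASS|JOIN|PRIVMSG|PING) [^\r\n]*\r\n"),
    "ssh":  re.compile(rb"^SSH-2\.0-"),
}
# What a defender expects to see on well-known destination ports.
EXPECTED = {80: "http", 8080: "http", 22: "ssh", 6667: "irc"}


def classify(payload):
    """Return the application protocol inferred from the first payload bytes."""
    for name, sig in SIGNATURES.items():
        if sig.match(payload):
            return name
    return "unknown"


def covert_channels(flows):
    """Flag flows whose Layer 7 protocol disagrees with their destination port.
    Returns (src, dst, dport, observed protocol) for each mismatch."""
    hits = []
    for f in flows:
        app = classify(f["payload"])
        expected = EXPECTED.get(f["dport"])
        if expected and app != "unknown" and app != expected:
            hits.append((f["src"], f["dst"], f["dport"], app))
    return hits


# Constructed flow records with their first payload bytes (not real traffic).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"src": "10.0.0.8", "dst": "198.51.100.4", "dport": 80,      # IRC where HTTP belongs
     "payload": b"NICK bot4411\r\nUSER bot 0 * :bot\r\nJOIN #chan\r\n"},
    {"src": "10.0.0.8", "dst": "198.51.100.4", "dport": 6667,    # IRC on its usual port
     "payload": b"PRIVMSG #chan :hello\r\n"},
]

if __name__ == "__main__":
    for hit in covert_channels(SAMPLE_FLOWS):
        print("port/protocol mismatch:", hit)
```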
  • 27. QRadar SIEM Use Case: User Activity Monitoring
      • Problem statement: monitoring of privileged and non-privileged users; isolating "stupid user tricks" from malicious account activity; associating users with machines and IP addresses; normalizing account and user information across diverse platforms
      • Required visibility: centralized logging and intelligent normalization; correlation of IAM information with machine and IP addresses; automated rules and alerts focused on user activity monitoring
  • 28. QRadar SIEM Use Case: User Activity Monitoring. Authentication failures: perhaps a user who forgot his/her password? Brute-force password attack: numerous failed login attempts against different user accounts. Host compromised: all this followed by a successful login. Automatically detected, no custom tuning required.
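The three-step escalation on this slide (failures, then failures across many accounts, then a success) is a classic SIEM correlation rule. Below is an added example of that rule, not QRadar's own rule or code, run over constructed sshd-style log lines; the log format, window and thresholds are assumptions.

```python
"""Correlation rule: failed logins against several accounts from one source,
followed by a successful login from that source. Added example, not QRadar code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style authentication events (not real data).
SAMPLE_LOG = """\
2011-11-24T09:00:01 sshd: Failed password for alice from 10.0.0.7
2011-11-24T09:00:03 sshd: Failed password for bob from 10.0.0.7
2011-11-24T09:00:05 sshd: Failed password for carol from 10.0.0.7
2011-11-24T09:00:07 sshd: Failed password for dave from 10.0.0.7
2011-11-24T09:00:09 sshd: Failed password for erin from 10.0.0.7
2011-11-24T09:00:12 sshd: Accepted password for dave from 10.0.0.7
2011-11-24T09:05:00 sshd: Failed password for alice from 10.0.0.9
2011-11-24T09:05:30 sshd: Accepted password for alice from 10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$")


def parse(log):
    """Yield (timestamp, outcome, user, source) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["src"]


def detect(log, window=timedelta(minutes=5), min_failures=5, min_accounts=3):
    """Return offenses as (source, accounts tried, account that finally logged in).
    Fires when a source has >= min_failures failures against >= min_accounts
    distinct accounts inside `window` and then logs in successfully."""
    failures = defaultdict(list)          # src -> [(ts, user)] inside the window
    offenses = []
    for ts, outcome, user, src in parse(log):
        recent = [(t, u) for t, u in failures[src] if ts - t <= window]
        failures[src] = recent            # expire old failures
        if outcome == "Failed":
            failures[src].append((ts, user))
            continue
        accounts = {u for _, u in recent}
        if len(recent) >= min_failures and len(accounts) >= min_accounts:
            offenses.append((src, sorted(accounts), user))
            failures[src] = []            # one offense per burst
    return offenses


if __name__ == "__main__":
    for src, accounts, user in detect(SAMPLE_LOG):
        print(f"offense: {src} sprayed {accounts}, then logged in as {user}")
```

A single failure followed by a success (10.0.0.9 above) stays below threshold, which is the "forgot his/her password" case the slide distinguishes from a brute-force attack.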
  • 29. QRadar SIEM Use Case: Fraud and Data Loss Prevention
      • Problem statement: validating your monitoring efforts against compliance requirements; ensuring that compliance goals align with security goals; logs alone don't meet compliance standards
      • Required visibility: application layer visibility; visibility into network segments where logging is problematic
  • 30. QRadar SIEM Use Case: Fraud and Data Loss Prevention. Potential data loss? Who? An internal user. What? Oracle data. Where? Gmail.
  • 31. QRadar SIEM Use Case: Network and Asset Discovery
      • Problem statement: integration of asset information into security monitoring products is labor intensive; assets you don't know about pose the greatest risk; asset discovery and classification is a key tenet of many compliance regulations; false positive noise jeopardizes the effectiveness of a SIEM solution
      • Required capability: real-time knowledge of all assets on a network; visibility into asset communication patterns; classification of asset types; tight integration into pre-defined rules
  • 32. QRadar SIEM Use Case: Network and Asset Discovery
      • Automatic asset discovery: creates host profiles as network activity is seen to/from them
      • Passive asset profiling: identifies services and ports on hosts by watching network activity
      • Server discovery: identifies and classifies server infrastructure based on these asset profiles
      • Correlation on new assets and services: rules can fire when new assets and services come online
      Enabled by QRadar QFlow and QRadar VFlow.
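The four bullets above are one pipeline: watch flows, profile which ports each host answers on, classify the host from that profile, and correlate on anything new. The following is an added example of that pipeline, not QRadar/QFlow code; the flow record layout, the port-to-role table, the learning/baseline split and the sample flows are assumptions constructed for the example.

```python
"""Passive asset profiling from flow records with a rule on new hosts/services.
Added example, not QRadar code; record layout and role table are assumed."""
from collections import defaultdict

# Rough server role by answered port (assumption for the example).
SERVICE_CLASS = {22: "ssh", 25: "mail", 80: "web", 443: "web", 3306: "database"}


class AssetProfiler:
    def __init__(self):
        self.profiles = defaultdict(set)   # host -> ports it has been seen answering on
        self.alerts = []                   # (host, port, role, reason)
        self.baselined = False             # False while passively learning

    def observe(self, flow):
        """Record the responder side of a flow; after baseline, fire on anything new."""
        host, port = flow["dst"], flow["dport"]
        new_host = host not in self.profiles
        new_port = port not in self.profiles[host]   # creates the profile if absent
        self.profiles[host].add(port)
        if self.baselined and (new_host or new_port):
            reason = "new host" if new_host else "new service"
            self.alerts.append((host, port, SERVICE_CLASS.get(port, "unknown"), reason))

    def baseline(self):
        """End the passive learning period; later sightings are correlated."""
        self.baselined = True

    def classify(self, host):
        """Server role(s) inferred from the ports the host answers on."""
        return sorted({SERVICE_CLASS.get(p, "unknown") for p in self.profiles[host]})


# Constructed flow records (not real traffic); only the responder fields matter here.
BASELINE_FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.1.20", "dport": 443},
    {"src": "10.0.0.6", "dst": "10.0.1.20", "dport": 80},
    {"src": "10.0.0.5", "dst": "10.0.1.30", "dport": 3306},
]
LIVE_FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.1.20", "dport": 443},   # nothing new
    {"src": "10.0.0.9", "dst": "10.0.1.20", "dport": 3306},  # web server now answering on 3306
    {"src": "10.0.0.9", "dst": "10.0.1.40", "dport": 22},    # host never profiled before
]


def run(baseline_flows, live_flows):
    p = AssetProfiler()
    for f in baseline_flows:
        p.observe(f)
    p.baseline()
    for f in live_flows:
        p.observe(f)
    return p
```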
  • 33. QRadar SIEM: Intelligent, Integrated and Automated
      • Intelligent offense management
      • Layer 7 application visibility
      • Identifies most critical anomalies
      • Distributed architecture
      • Highly scalable
      • Analyze logs, flows, assets and more
      • Easy deployment
      • Rapid time to value
      • Operational efficiency
  • 34. QRadar SIEM Architecture
      • Major components can be distributed to separate appliances
      • All centrally managed from the Console
      • Collector(s): event and flow collection
      • Processor(s): rule correlation, data storage, data retrieval
  • 35. QRadar SIEM Architecture: All-In-One
  • 36. QRadar SIEM Architecture: Distributed
  • 37. QRadar SIEM Architecture: Global
  • 39. QRadar Family: Intelligent, Integrated, Automated. QRadar Log Manager, QRadar Risk Manager, QRadar SIEM, QRadar QFlow and QRadar VFlow, all on the Security Intelligence Operating System. Providing complete network and security intelligence, delivered simply, for any customer.
  • 43. "In the future everyone will be world-famous for fifteen minutes." Andy Warhol
  • 44. Thank you!