Exclusive Analyst Webinar Security Management with IBM

  1. © 2014 IBM Corporation. IBM Confidential. IBM Security Systems. Exclusive Analyst Webinar: Security Management 2.5: Replacing Your SIEM Yet? April 2nd 2014
  2. Speakers
     • Mike Rothman, Securosis, President. mrothman@securosis.com, Twitter: @securityincite
     • Chris Meenan, IBM Security Systems, QRadar Product Manager. chris.meenan@uk.ibm.com, Twitter: @chris_meenan
  3. Agenda
     • Security Management 2.5 findings
       1. Changing Needs
       2. Platform Evolution
       3. Revisiting Requirements
       4. The Rise of Forensics
       5. Vendor Evaluation
       6. Decision Process
     • How the IBM Security Intelligence QRadar Platform helps to answer these findings
     • Q&A
  4. Security Management 2.5: SIEM Replacement Analysis. Download the report: http://ibm.co/1luGpl6
  5. Why now?
     • Advanced adversaries
       • Malware detection
       • Better analytics
     • Technology disruption
       • Cloud
       • Mobile
  6. Changing Needs
     • More data, to drive deeper analysis; this requires enhanced speed, scale and accuracy
     • More flexibility: support more use cases, like forensics
     • Threat intelligence: benefit from the misfortune of others
     • Skills gap: better automation and efficiency
     (Image: https://flic.kr/p/dcZaG7)
  7. Platform Evolution
  8. Architectural Evolution
     • Distributed architecture
     • Cooperative cluster for independently collecting, digesting and processing events
     • Processing events closer to the data
     • Better support for cloud and virtualization
  9. Usability Enhancement
     • Event/log enrichment
     • Contextual data
     • Reporting
     • Visualization
     • *Real* centralized management
  10. Additional Capabilities
     • Enhanced visibility
     • More and better data
     • Better analysis
     • Better visualization
     • Decreased time to value: out of the box
     • Hybrid deployments: on-premises, in cloud, managed services
  11. Revisiting Requirements
  12. Understanding Your Requirements
     • It's all about YOU: what do you need?
     • Different groups have different needs
     • New features:
       • Advanced detection
       • Scalability
       • Forensics and analytics
     • Compliance
     • Ease of management
     • Integration
     • Vendor viability
  13. Evaluating the Incumbent
  14. How well does your SIEM work?
     • Relative to your requirements, evaluate:
       • Ability to perform important use cases
       • Current performance and architecture to support the required scale
       • Analytics (now and future needs)
       • Simplicity of maintenance/tuning
     • Identify weaknesses/omissions
  15. Lather-Rinse-Repeat
     • The goal is to understand what works and what does not
     • Build the complete story
     • You need to remain objective
  16. Forensic Use Case
     • Root cause analysis
     • Packet capture
     • Advanced searching
     • Evidence handling (chain of custody)
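The "evidence handling (chain of custody)" item on slide 16 is the one forensic requirement that a SIEM PoC rarely tests, so here is what it means mechanically. The following is an added example written for this page; it is not code from the webinar, from Securosis, or from IBM QRadar, and the record layout, the actor names and the capture bytes are all constructed for illustration. Evidence is hashed at acquisition, every handling event is appended to a log whose entries are hash-chained, and verification later checks both that the bytes are unchanged and that nobody quietly rewrote an earlier log entry.

```python
"""Hash-anchored chain of custody for captured evidence (added example).

Assumptions: evidence is a byte string (here a constructed pcap-like blob),
the custody log is kept in memory, and the hash of the newest entry (the
"head") is stored somewhere the custodian cannot edit on their own.
"""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # prev-hash placeholder for the first custody entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str         # ISO-8601 UTC time of the handling event
    actor: str             # who handled the evidence
    action: str            # acquired, transferred, examined, ...
    sha256: str            # hash of the evidence bytes at that moment
    prev_entry_hash: str   # hash of the preceding entry (chains the log)


def entry_hash(entry: CustodyEntry) -> str:
    # Canonical JSON so the hash does not depend on field order.
    return sha256_hex(json.dumps(asdict(entry), sort_keys=True).encode())


@dataclass
class EvidenceRecord:
    case_id: str
    description: str
    entries: list = field(default_factory=list)

    def log(self, actor: str, action: str, data: bytes,
            when: Optional[datetime] = None) -> CustodyEntry:
        when = when or datetime.now(timezone.utc)
        prev = entry_hash(self.entries[-1]) if self.entries else GENESIS
        entry = CustodyEntry(when.isoformat(), actor, action, sha256_hex(data), prev)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the newest entry; keep it out of band (signed, or in a
        separate system) so the tail of the log cannot be rewritten silently."""
        return entry_hash(self.entries[-1]) if self.entries else GENESIS

    def verify(self, data: bytes, expected_head: Optional[str] = None) -> dict:
        """Check the evidence against the acquisition hash and walk the chain."""
        acquisition = self.entries[0].sha256 if self.entries else None
        result = {
            "evidence_intact": acquisition is not None and sha256_hex(data) == acquisition,
            "log_intact": True,
            "broken_at": None,   # index of the first entry that fails the chain
        }
        prev = GENESIS
        for i, e in enumerate(self.entries):
            # Every entry must point at the entry before it and must record the
            # same evidence hash; evidence is never supposed to change.
            if e.prev_entry_hash != prev or e.sha256 != acquisition:
                result["log_intact"] = False
                result["broken_at"] = i
                break
            prev = entry_hash(e)
        else:
            # Chain is consistent internally; the out-of-band head catches an
            # edit to the newest entry, which has no successor to betray it.
            if expected_head is not None and prev != expected_head:
                result["log_intact"] = False
                result["broken_at"] = len(self.entries)
        return result


def demo() -> dict:
    """Acquire, hand over, examine, then try two kinds of tampering.
    The capture bytes are constructed, not a real packet capture."""
    pcap = b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"constructed packet data" * 4
    t0 = datetime(2014, 4, 2, 9, 0, tzinfo=timezone.utc)
    rec = EvidenceRecord("IR-2014-0402", "span port capture, DMZ web tier")
    rec.log("analyst-a", "acquired", pcap, t0)
    rec.log("analyst-a", "transferred to evidence share", pcap, t0.replace(hour=10))
    rec.log("analyst-b", "examined", pcap, t0.replace(hour=11))
    head = rec.head()

    clean = rec.verify(pcap, head)
    altered = rec.verify(pcap[:-1] + b"!", head)      # one byte of evidence changed
    rec.entries[1].actor = "analyst-z"                 # someone rewrites who handled it
    edited_log = rec.verify(pcap, head)
    return {"clean": clean, "altered_evidence": altered, "edited_log": edited_log}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point for a PoC: ask the candidate platform where its packet captures and exported search results get hashed, who can append to or rewrite the handling record, and how an examiner proves months later that what is in the evidence share is what was collected. A tool that only shows pretty timelines does not satisfy this requirement.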
  17. Security Analytics Use Case
     • The old SIEM required you to know what to look for and build the rules ahead of time.
     • Analytics provides the ability to look at disparate data sources and find patterns.
     • Beware of big data mumbo jumbo: the underlying technology is not important.
     • Key features:
       • Flexibility is critical to support many types of analysis
       • Ability to add new data types
       • Accuracy
       • Visualization and reporting
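Slide 17's distinction between "build the rules ahead of time" and "find patterns" is easier to judge in a PoC when you can see both styles run over the same events. The block below is an added example for this page, not code from the webinar, Securosis or QRadar. The log lines, the per-user history and the thresholds are constructed; the syslog-like format, the five-failures-in-sixty-seconds rule and the z-score cutoff are assumptions chosen for illustration. The first detector is a classic correlation rule: someone had to write down the sequence and the numbers in advance. The second builds a per-user baseline from history and flags whatever is unlike that user's past, which is the "activity baselining and anomaly detection" style of analytic.

```python
"""Rule-based correlation versus baseline/anomaly analytics over sample logs.

Added example with constructed data. Log format, history values and
thresholds are assumptions, not taken from any product.
"""
import json
import re
import statistics
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events (assumption: ISO timestamp, then a syslog-like body).
SAMPLE_LOGS = """\
2014-04-02T09:00:01 sshd[211]: Failed password for alice from 10.0.0.5
2014-04-02T09:00:03 sshd[211]: Failed password for alice from 10.0.0.5
2014-04-02T09:00:05 sshd[211]: Failed password for alice from 10.0.0.5
2014-04-02T09:00:07 sshd[211]: Failed password for alice from 10.0.0.5
2014-04-02T09:00:09 sshd[211]: Failed password for alice from 10.0.0.5
2014-04-02T09:00:12 sshd[211]: Accepted password for alice from 10.0.0.5
2014-04-02T09:01:40 sshd[212]: Failed password for bob from 10.0.0.9
2014-04-02T09:05:00 sshd[213]: Accepted password for bob from 10.0.0.9
2014-04-02T09:10:00 proxy: user=alice bytes_out=18000 dst=files.example.net
2014-04-02T09:20:00 proxy: user=bob bytes_out=2100000 dst=paste.example.net
"""

# Constructed history: each user's bytes_out in this hour on five prior days.
HISTORY = {
    "alice": [15000, 17000, 16000, 14000, 18000],
    "bob": [20000, 22000, 19000, 21000, 18000],
}

LOGIN_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$")
PROXY_RE = re.compile(r"^(\S+) proxy: user=(\S+) bytes_out=(\d+) dst=(\S+)$")


def parse(lines: str) -> list:
    """Normalise raw lines into dict events; unknown lines are dropped."""
    events = []
    for line in lines.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "type": "login",
                           "ok": outcome == "Accepted", "user": user, "src": src})
            continue
        m = PROXY_RE.match(line)
        if m:
            ts, user, nbytes, dst = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "type": "proxy",
                           "user": user, "bytes_out": int(nbytes), "dst": dst})
    return events


def rule_brute_force_success(events: list, threshold: int = 5, window_s: int = 60) -> list:
    """Correlation rule written ahead of time: at least `threshold` failures from
    one source within `window_s` seconds, followed by a success from that source."""
    recent = defaultdict(deque)   # src -> timestamps of failures still in the window
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] != "login":
            continue
        q = recent[e["src"]]
        while q and (e["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()                         # expire failures outside the window
        if not e["ok"]:
            q.append(e["ts"])
        elif len(q) >= threshold:
            alerts.append({"rule": "brute_force_success", "src": e["src"],
                           "user": e["user"], "failures": len(q), "at": e["ts"].isoformat()})
            q.clear()
    return alerts


def anomaly_bytes_out(events: list, history: dict, zmax: float = 3.0) -> list:
    """Baseline analytic: no signature, just 'far outside this user's own past'."""
    totals = defaultdict(int)
    for e in events:
        if e["type"] == "proxy":
            totals[e["user"]] += e["bytes_out"]
    findings = []
    for user, total in sorted(totals.items()):
        past = history.get(user)
        if not past or len(past) < 2:
            continue                            # cold start: no baseline to compare against
        mean, sd = statistics.mean(past), statistics.pstdev(past)
        if sd == 0:
            z = 0.0 if total == mean else float("inf")
        else:
            z = (total - mean) / sd
        if z > zmax:
            findings.append({"analytic": "bytes_out_outlier", "user": user,
                             "bytes_out": total, "baseline_mean": mean, "z": round(z, 1)})
    return findings


def run(lines: str = SAMPLE_LOGS, history: dict = HISTORY) -> dict:
    events = parse(lines)
    return {"rule_alerts": rule_brute_force_success(events),
            "anomalies": anomaly_bytes_out(events, history)}


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

On the sample data the rule fires once (alice's source, five failures then a success) and says nothing about bob, whose single failure is below the threshold; the baseline analytic flags bob's 2.1 MB upload because it is orders of magnitude off his history, without anyone having written a "large upload to a paste site" rule. Two caveats a PoC should probe, both tied to the "accuracy" item above: the baseline needs history before it can say anything (the cold-start branch), and the z cutoff trades false positives against misses, so the evaluation should count both on your own data rather than on the vendor's demo set.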
  18. Vendor Evaluation
  19. What else is available?
     • Given your requirements:
       • Familiarize yourself with vendors
       • Create an RFI/RFP
       • Create a short list for evaluation
       • Evaluate based on weighted requirements
       • Select vendors for a PoC
  20. Driving the PoC
     • Define real tests
     • Stand it up and try it out!
     • Red team: test it under fire
     • Perform a post-mortem
     • Repeat
  21. Decision Process
  22. Introspection time
     • Did you fairly evaluate the incumbent?
     • Are your expectations realistic?
     • Is there really budget for a replacement?
  23. Supporting Documentation
     • You will not get the funding without proper documentation
     • The documentation is what supports your case to upper management
     • Clarity of intent and objectivity are critical
  24. What to document
     • Requirements
     • Evaluation of the incumbent
     • Challenger assessment
     • Cost estimate
     • Migration plan
     • Recommendation
     (Image: https://flic.kr/p/5WMZ2M)
  25. Summary
     • Understand your requirements
     • Understand current deficiencies
     • Critically evaluate the incumbent and the challengers
     • Read the report for more information on documenting and making your case
     (Image: https://flic.kr/p/5vKanE)
  26. IBM Security Intelligence QRadar Platform
  27. IBM QRadar Security Intelligence Platform: providing actionable intelligence
     • Automated: driving simplicity and accelerating time-to-value
     • Integrated: unified architecture delivered in a single console
     • Intelligent: correlation, analysis and massive data reduction
  28. Consolidation and integration help reduce costs and increase visibility
     • Big data consolidation of all available security information: packets, vulnerabilities, configurations, flows, events, logs
     • Traditional SIEM: 6 products from 6 vendors are needed
     • IBM Security Intelligence and Analytics: the QRadar Security Intelligence Platform consolidates them
  29. Technology additions strengthen QRadar Security Intelligence: platform evolution based on client needs (timeline graphic running from 2002–2005 through 2014 and "Future", with the IBM acquisition marked). Capability layers shown, each with the client need it addresses:
     • Flow visualization and NBAD: anomaly detection and threat resolution
     • SIEM: SIM and VA integration
     • Log management: identity management, complete log management, and compliance reporting
     • Risk management: configuration analysis, policy monitoring, and risk assessment
     • Vulnerability management: real-time vulnerability scanning and vulnerability prioritization
     • Network forensics: incident forensics and packet captures
     • Security Intelligence .NEXT
  30. Single web-based console provides superior visibility
     • Log Management
     • Security Intelligence
     • Network Activity Monitoring
     • Risk Management
     • Vulnerability Management
     • Network Forensics
  31. Embedded intelligence offers automated offense identification (flow shown: extensive data sources feed the embedded intelligence, which yields suspected incidents and then prioritized incidents)
     • Extensive data sources: servers and mainframes; data activity; network and virtual activity; application activity; configuration information; security devices; users and identities; vulnerabilities and threats; global threat intelligence
     • Embedded intelligence:
       • Massive data reduction
       • Automated data collection, asset discovery and profiling
       • Automated, real-time, and integrated analytics
       • Activity baselining and anomaly detection
       • Out-of-the-box rules and templates
  32. Extend clarity around incidents with in-depth forensics data (flow shown: suspected incidents, prioritized incidents, then directed forensics investigations)
     • Rapidly reduce time to resolution through an intuitive forensic workflow
     • Use intuition more than technical training
     • Determine root cause and prevent re-occurrences
  33. Learn more
     • Visit IBM Security: www.ibm.com/security
     • Download the Securosis paper: http://ibm.co/1luGpl6
     • Read: http://securosis.com/blog
     • Attend our webcast on QRadar Incident Forensics, 15th April: http://ibm.co/QRIF
  34. Thank You. Any Questions?
  35. www.ibm.com/security © Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
     Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.