IBM QRadar Security Intelligence Platform - Integration, Intelligence and Automation



View a demonstration of the IBM QRadar Security Intelligence Platform, integrating SIEM, log management, anomaly detection, and configuration and vulnerability management into a unified, one-dashboard solution.

See how the QRadar platform delivers superior visibility into an organization’s network security posture by consolidating data from a wide variety of sources to improve threat detection, provide greater ease-of-use, and deliver lower total cost of ownership.

The presentation will cover core platform capabilities inside of key use case scenarios organizations face, including:

- Detecting threats that might otherwise get missed
- Consolidating data silos
- Detecting insider fraud
- Predicting and remediating risks with vulnerability management
- Addressing and exceeding regulatory compliance mandates

  • We need to look at security today very differently than in the past. Previously, our defenses were built around the premise of stopping a set of known attacks by protecting our perimeters using a signature-based approach embedded in a firewall rule, an IPS, or even your endpoint protection solution.
    Our usage of technology has fundamentally changed and these are the key drivers. Today’s attacks are targeted at your organization in a fashion that nobody has ever seen before. What that suggests is traditional approaches, while still important, are no longer sufficient.
    Part of what we’ll talk about today is how we can apply new capabilities across all the veins of security technology to address applications and data being compromised. No one product can solve all these problems, and even if you believe you are protected, there are new things coming like cloud and mobile, which make the security problem even more complex.
  • Threats have become more advanced and sophisticated. In the first decade of the commercial internet, they were limited in scope and were typically perpetrated by insiders or hackers to satisfy their curiosity or seek revenge.
    Today they are much further advanced and sophisticated as shown. Related to “National Security Infrastructure Attacks” shown on the chart, we now face Advanced Persistent Threats (APT). Wikipedia definition: refers to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage using a variety of intelligence gathering techniques to access sensitive information. Recognized attack vectors include infected media, supply chain compromise, and social engineering. Individuals, such as an individual hacker, are not usually referred to as an APT as they rarely have the resources to be both advanced and persistent even if they are intent on gaining access to, or attacking, a specific target.
    Within the computer security community, and increasingly within the media, the term is almost always used in reference to a long-term pattern of sophisticated hacking attacks aimed at governments, companies, and political activists, and by extension, also to refer to the groups behind these attacks.
  • To sum up the issues then, we basically see our clients wrestling with three core trends. Despite reports that show the majority of network breaches are due to a lack of basic hygiene efforts, there is a growing base of sophisticated attackers pursuing targets of choice in order to steal intellectual property, trade or national secrets, and you need the ability to detect and defend against these bad guys.
    Few people would disagree that everything is just getting more complex as capabilities brought about by the Internet invade all aspects of our corporate and personal lives. Almost nothing exists in a vacuum anymore.
    Considering resource constraints, the issue has transcended a lack of budget to also incorporate a lack of skill. Even if you have the funding to add necessary staff, it doesn’t mean you’re going to find any qualified applicants without conducting a broad-ranging search.
  • Lots of vendors have used this term, but they’re not all talking about the same capability.
  • To IBM, Security Intelligence can be characterized in two ways. Firstly, we describe security intelligence as the result of some advanced analytics. It’s the wisdom gained from reviewing every available bit of data and normalizing, correlating, indexing and pivoting it to discover the dozen things your team needs to investigate as soon as possible.
    Alternatively, we use security intelligence to characterize the iterative process of eliminating false positive results by continuously tuning the system analytics to remove an increasing number of interesting
  • Here’s a view of the situation we created after working with clients who told us they’re beginning to think more like an attacker and hunt for patterns of suspicious activity instead of thinking just like a defender in building bigger and bigger walls to protect different parts of the infrastructure.
    There’s a lot of work going on related to gathering and preserving evidence, building baselines of systems and networks to look for anomalies, and following the trails of suspicious events. These actions also lead security teams to ask a lot of questions of themselves:
    1. How can we detect these subtle indicators?
    2. Is there information that’s useful to my organization hidden in mountains of external threat intelligence?
    As you go further down the iceberg, there are questions about what might be hidden inside unstructured packets, transactions, files or email.
    And how do you go back further in time, looking past the ‘hot data’ from the last few hours and days, or the ‘warm data’ of the last couple weeks to consider even the ‘cold data’ that’s been sitting on the shelves for years for clients who have these storage capabilities.
    As you approach the bottom of the iceberg, much of this data hasn’t been really relevant to security teams in the past, and it’s one thing to simply collect it all, but quite another to effectively analyze it at the speed required to develop useful analytics that can be correlated with active security data arriving in real time.
  • While we are widely known for our Security Information and Event Management or SIEM, and for our Log Management solutions, QRadar actually delivers a complete set of solutions that span the vulnerability timeline that all IT organizations wrestle with.
    Our SIEM, Log Management and Network behavioral analysis solutions lead the market in helping customers react and respond to exploits as they occur in a network. But we also provide much needed value to customers as they seek to predict and prevent incidents in the first place through our solutions that help to model risk, evaluate configurations and prioritize vulnerabilities.
    “Security Intelligence” is the actionable information derived from the sum of all security data available to an organization, which improves accuracy and provides context throughout the entire security event timeline – from detection and protection through remediation. QRadar supports the entire security intelligence timeline. What you want in these sorts of situations is to recognize the attack as early as possible, flag it to the appropriate manager and activate your incident response processes, aimed at stopping the attack on the one hand and identifying the culprit on the other.
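The speaker notes describe security intelligence as "normalizing, correlating, indexing and pivoting" every available record to surface the dozen things worth investigating, and slide 7 of the deck defines it as combining locally collected security data with external intelligence feeds and applying correlation rules to reduce huge volumes of data to a handful of 'offense' records. The pipeline those sentences describe is easy to show in miniature. The Python below is an added example written for this page; it is not QRadar code and does not use QRadar's rule language, DSMs or APIs. The log lines, the firewall log format, the threat-feed entry, the rule names, the thresholds and the severity numbers are all constructed for the illustration.

```python
"""Miniature SIEM-style correlation: normalize heterogeneous log lines,
enrich with an external threat feed, reduce to a few offense records.
Added example for this page; not QRadar code."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample input (not from the webinar): an OpenSSH-style auth
# log and a made-up firewall log.  ISO-8601 timestamps sort as strings.
RAW_LOGS = [
    "2014-02-10T09:00:01Z web01 sshd[4121]: Failed password for root from 198.51.100.23 port 50211 ssh2",
    "2014-02-10T09:00:02Z web01 sshd[4121]: Failed password for root from 198.51.100.23 port 50212 ssh2",
    "2014-02-10T09:00:03Z web01 sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 50213 ssh2",
    "2014-02-10T09:00:04Z web01 sshd[4121]: Failed password for root from 198.51.100.23 port 50214 ssh2",
    "2014-02-10T09:00:05Z web01 sshd[4121]: Failed password for root from 198.51.100.23 port 50215 ssh2",
    "2014-02-10T09:00:06Z web01 sshd[4121]: Failed password for root from 198.51.100.23 port 50216 ssh2",
    "2014-02-10T09:00:09Z web01 sshd[4130]: Accepted password for deploy from 198.51.100.23 port 50220 ssh2",
    "2014-02-10T09:01:00Z web02 sshd[2201]: Failed password for alice from 192.0.2.5 port 40001 ssh2",
    "2014-02-10T09:01:07Z web02 sshd[2201]: Failed password for alice from 192.0.2.5 port 40002 ssh2",
    "2014-02-10T09:01:20Z web02 sshd[2209]: Accepted password for alice from 192.0.2.5 port 40003 ssh2",
    "2014-02-10T09:02:00Z fw01 fw: action=allow src=10.0.0.12 dst=203.0.113.7 dport=443",
    "2014-02-10T09:02:30Z fw01 fw: action=deny src=203.0.113.7 dst=10.0.0.12 dport=22",
    "2014-02-10T09:03:00Z app01 myapp: started worker pool",  # no parser for this format
]
# Constructed external threat-intelligence feed: indicator -> label.
THREAT_FEED = {"203.0.113.7": "known scanner (constructed)"}

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) fw: action=(?P<action>allow|deny) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


@dataclass
class Event:
    """Common schema every source is normalized into."""
    ts: str
    host: str
    category: str  # auth_failure | auth_success | net_allow | net_deny
    src: str
    dst: str = ""
    user: str = ""


@dataclass
class Offense:
    rule: str
    key: str       # entity the offense is indexed on (here a source IP)
    severity: int  # constructed scale, 1-10
    events: list = field(default_factory=list)


def normalize(line):
    """Map one raw line onto Event; None when no parser fits (kept unparsed in practice)."""
    m = SSHD_RE.match(line)
    if m:
        cat = "auth_failure" if m["result"] == "Failed" else "auth_success"
        return Event(m["ts"], m["host"], cat, m["src"], user=m["user"])
    m = FW_RE.match(line)
    if m:
        return Event(m["ts"], m["host"], "net_" + m["action"], m["src"], dst=m["dst"])
    return None


def correlate(lines, feed=THREAT_FEED, fail_threshold=5):
    """Return (normalized events, offenses) after applying two correlation rules."""
    events = [e for e in map(normalize, lines) if e is not None]
    offenses = []

    # Rule 1: >= fail_threshold failed logins from one source, then a success
    # from the same source after the last failure.  fail_threshold is the
    # tuning knob that trades false positives against missed detections.
    auth = defaultdict(list)
    for e in events:
        if e.category.startswith("auth_"):
            auth[e.src].append(e)
    for src, evs in auth.items():
        fails = [e for e in evs if e.category == "auth_failure"]
        wins = [e for e in evs
                if e.category == "auth_success" and fails and e.ts > fails[-1].ts]
        if len(fails) >= fail_threshold and wins:
            sev = 8 + (2 if src in feed else 0)  # external context raises severity
            offenses.append(Offense("brute_force_then_success", src, sev, fails + wins))

    # Rule 2: any network event touching a threat-feed indicator, one offense
    # per indicator; traffic that was allowed through scores higher.
    hits = defaultdict(list)
    for e in events:
        if e.category.startswith("net_"):
            for ip in (e.src, e.dst):
                if ip in feed:
                    hits[ip].append(e)
    for ip, evs in hits.items():
        allowed = any(e.category == "net_allow" for e in evs)
        offenses.append(Offense("threat_feed_match", ip, 6 if allowed else 3, evs))
    return events, offenses


if __name__ == "__main__":
    evs, offs = correlate(RAW_LOGS)
    print(f"{len(RAW_LOGS)} raw lines -> {len(evs)} events -> {len(offs)} offenses")
    for o in sorted(offs, key=lambda o: -o.severity):
        print(f"[sev {o.severity}] {o.rule} key={o.key} events={len(o.events)} "
              f"hosts={sorted({e.host for e in o.events})}")
```

On this input twelve normalized events collapse to two offenses, which is the data reduction the slides talk about; the three failures from 192.0.2.5 stay below the threshold and never become an offense, and the unparsed application line is excluded from correlation (a real platform would still store it for search). Raising `fail_threshold` to 7 suppresses the brute-force offense while the threat-feed match still fires, which is the tuning loop the speaker describes for eliminating false positives.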
    1. IBM QRadar Security Intelligence Platform: Integration, Intelligence & Automation. Vinay Sukumar, IBM Security Systems Technical Product Manager. © 2014 IBM Corporation
    2. IBM Security Systems agenda:
       - The IT security problem
       - Security Intelligence defined
       - QRadar Security Intelligence Platform demo
       - Q&A
    3. Innovative technology changes everything: 1 trillion connected objects; 1 billion mobile workers; social business; bring your own IT; cloud and virtualization.
    4. Attacks continue as perpetrators sharpen skills (actors plotted by motivation and sophistication):
       - Nation-state actors, APTs (Stuxnet, Aurora, APT1): national security, economic espionage
       - Hacktivists (Lulzsec, Anonymous): notoriety, activism, defamation
       - Organized crime (Zeus, ZeroAccess, Blackhole Exploit Pack): monetary gain
       - Insiders, spammers, script-kiddies (Nigerian 419 scams, Code Red): nuisance, curiosity
    5. Three core trends affecting clients’ ability to secure environments: Escalating Threats (designer malware, spear phishing, persistence, backdoors), Increasing Complexity, Resource Constraints.
       - Increasingly sophisticated attack methods
       - Constantly changing infrastructure
       - Disappearing perimeters
       - Too many products from multiple vendors; costly to configure and manage
       - Accelerating security breaches
       - Struggling security teams
       - Too much data, not enough manpower and skills to manage it all
       - Inadequate antivirus products
    6. Security Intelligence defined (section divider)
    7. What is Security Intelligence? Security Intelligence, noun, si-ˈkyur-ə-tē in-ˈte-lə-jən(t)s:
       1. A methodology of analyzing millions and billions of security, network and application records across the organization’s entire network in order to gain insight into what is actually happening in that digital world.
       2. The process of combining internal, locally collected security data with external intelligence feeds and the application of correlation rules to reduce huge volumes of data into a handful of high-probability ‘offense’ records requiring immediate investigation to prevent or minimize the impact of security incidents.
       Delivers actionable, comprehensive insight for managing risks, combatting threats, and meeting compliance mandates.
    8. Evolving along with the changing threat landscape. Then: Collection (log collection; signature-based detection). Now: Intelligence (real-time monitoring; context-aware anomaly detection; automated correlation and analytics). Data sources along the way: logs, events, alerts, configuration information, system audit trails, network flows and anomalies, external threat feeds, business process data, identity context, e-mail and social activity, malware information.
    9. QRadar Security Intelligence Platform use cases (section divider)
    10. Recognized by analysts as a leader
       - Consistent Leader in the Gartner Magic Quadrant for Security Information and Event Management (SIEM): 2009, 2010, 2011, 2012, 2013, with steady movement up and to the right
       - IBM/Q1 Labs rated #1 for compliance use cases, #1 on “Ability to Execute”, #1 for analytics and behavior profiling, and #1 in SIEM Use Case, Product Rating and Overall Use Case
       - Frost & Sullivan: 2013 Global Customer Value Leadership Award, Applied Security Intelligence in SIEM/LM
       - Industry awards include: Global Excellence in Surveillance Award from InfoSecurity Products Guide; “Hot Pick” by Information Security magazine; AlwaysOn Global 250; GovernmentVAR 5-Star Award
    11. Offering solutions for the full Security Intelligence timeline
       - Pre-Exploit (VULNERABILITY): What are the external and internal threats? Are we configured to protect against these threats?
       - EXPLOIT: What is happening right now?
       - Post-Exploit (REMEDIATION): What was the impact?
       - Gain visibility over the organization’s security posture
       - Discover anomalies and investigate to evaluate the risk
       - Detect deviations from the norm and initiate preventive procedures
       - Explore and analyze data to devise countermeasures for the attack
       - Attain awareness of vulnerabilities and assess exposures
       - Formulate new security best practices to adapt to emerging threats
       Accurate and actionable information requires a diverse collection of automated and intelligent tools that can share available data regardless of scale.
    12. Sharing resources across a common architectural model (layers, top to bottom):
       - Security Intelligence and Analytics: Log Management, NextGen SIEM, Activity Monitoring, Risk Management, Vulnerability Management, Network Forensics
       - Northbound APIs
       - Real-time and analyst-driven workflow
       - Correlation / automated security analytics
       - Big data store / warehouse / archival
       - Southbound APIs
       - Real-time structured security data; unstructured operational / security data
    13. Leveraging three foundational characteristics of the IBM QRadar Security Intelligence Platform: INTELLIGENCE (correlation, analysis and massive data reduction); INTEGRATION (unified architecture delivered in a single console); AUTOMATION (driving simplicity and accelerating time-to-value).
    14. IBM QRadar Security Intelligence Platform demonstration
    15. QRadar’s unique advantages
       - Automation of data collection, asset discovery, asset profiling and more. Impact: reduced manual effort, fast time to value, lower-cost operation
       - Flexibility and ease of use enabling “mere mortals” to create and edit correlation rules, reports and dashboards. Impact: maximum insight, business agility and lower cost of ownership
       - Real-time correlation and anomaly detection based on the broadest set of contextual data. Impact: more accurate threat detection, in real time
       - Integrated flow analytics with Layer 7 content (application) visibility. Impact: superior situational awareness and threat identification
       - Scalability for the largest deployments, using an embedded database and unified data architecture. Impact: QRadar supports your business needs at any scale
    16. Learn more about IBM QRadar Security Intelligence: watch executive Steve Robinson (VP) discuss the next era for Security Intelligence; download the 2013 Gartner Magic Quadrant for SIEM; read our IT Executive Guide to Security Intelligence white paper; visit our blog and website.
    17. Pulse Protect 2014, The Security Forum at Pulse 2014, February 23-26, MGM Grand, Las Vegas, Nevada. Pulse Protect 2014 will feature three days and 50+ sessions on the hottest security topics including security and threat intelligence, application and data security, vulnerability management, defense against web fraud and advanced malware, identity and access management, network security and emerging topics such as cloud and mobile security. Highlights:
       - Client & IBM led sessions, featuring leading clients such as Standard Bank, WestJet & Whirlpool
       - Threat research: hear from X-Force as well as IBM’s malware and application security researchers
       - CISO lunch & networking: hear from IBM’s CISO and other industry leaders while networking with your peers
       - Introducing Trusteer: discover Trusteer’s unique approach to addressing web fraud and malware
    18. Thanks, any questions?
    19. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. © Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.