IBM Security QRadar SIEM - Datasheet


Boost threat protection and compliance with an integrated investigative reporting system.


- Integrate log management and network threat protection technologies within a common database and shared dashboard user interface

- Reduce thousands of security events into a manageable list of suspected offenses

- Detect and track malicious activity over extended time periods, helping to uncover advanced threats often missed by other security solutions

- Detect insider fraud with advanced capabilities

- Help exceed regulation mandates and support compliance


IBM Software Data Sheet

Today’s networks are larger and more complex than ever before, and protecting them against malicious activity is a never-ending task. Organizations seeking to safeguard their intellectual property, protect their customer identities and avoid business disruptions need to do more than monitor logs and network flow data; they need to leverage advanced tools to detect these activities in a consumable manner. IBM® Security QRadar® SIEM can serve as the anchor solution within a small or large organization’s security operations center to collect, normalize and correlate available network data using years’ worth of contextual insights. The result is something called security intelligence.

At the heart of this product sits a highly scalable database designed to capture real-time log event and network flow data, revealing the footprints of would-be attackers. QRadar SIEM is an enterprise solution that consolidates log source event data from thousands of devices distributed across a network, storing every activity in its raw form, and then performing immediate correlation activities to distinguish the real threats from false positives. It also captures real-time Layer 4 network flow data and, more uniquely, Layer 7 application payloads, using deep packet inspection technology.

An intuitive user interface shared across all QRadar family components helps IT personnel quickly identify and remediate network attacks by rank, ordering hundreds of alerts and patterns of anomalous activity into a drastically reduced number of offenses warranting further investigation.
Providing real-time visibility for threat detection and prioritization

QRadar SIEM provides contextual and actionable surveillance across the entire IT infrastructure, helping organizations detect and remediate threats often missed by other security solutions. These threats can include inappropriate use of applications; insider fraud; and advanced, “low and slow” threats easily lost in the “noise” of millions of events.

QRadar SIEM collects information that includes:

- Security events: Events from firewalls, virtual private networks, intrusion detection systems, intrusion prevention systems and more

- Network events: Events from switches, routers, servers, hosts and more

- Network activity context: Layer 7 application context from network and application traffic

- User or asset context: Contextual data from identity and access-management products and vulnerability scanners

- Operating system information: Vendor name and version number specifics for network assets

- Application logs: Enterprise resource planning (ERP), workflow, application databases, management platforms and more

Reducing and prioritizing alerts to focus investigations into actionable offenses

Many organizations create millions—or even billions—of events per day, and distilling that data down to a short list of priority offenses can be daunting. QRadar SIEM automatically discovers most network log source devices and inspects network flow data to find and classify valid hosts and servers (assets) on the network—tracking the applications, protocols, services and ports they use. It collects, stores and analyzes this data and performs real-time event correlation for use in threat detection and compliance reporting and auditing. Billions of events and flows can therefore be reduced and prioritized into a handful of actionable offenses, according to their business impact.

As a result, security professionals normally begin to see value from a QRadar SIEM installation in days rather than weeks, and deployments occur without a small army of expensive consultants. Automatic discovery features and out-of-the-box templates and filters mean you don’t spend months teaching the system about your environment as with more generalized IT operational tools. The architecture employs multiple models of event processor appliances, event collector appliances, flow processor appliances and a central console, all available as hardware-based, software-only or as virtual software appliances. Smaller installations can start with a single all-in-one solution and easily be upgraded to console deployments, adding event and flow processor appliances as needed.
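The reduction described above, from a stream of raw events to a short list of offenses ranked by business impact, can be illustrated with a small correlation engine. This is an added example and not QRadar code: the two rules, their thresholds and windows, the asset weights, the sample events and the magnitude formula (a rounded mean of credibility, severity and relevance, the three factors named in the datasheet's offense-identification figure) are all constructed for the illustration; QRadar's own rule language and scoring are not shown on the page.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Constructed normalized events: (time_s, source_ip, dest_ip, category).
# 74 events from a firewall and an authentication server; only two patterns
# hidden inside them are worth an analyst's attention.
SAMPLE_EVENTS = (
    [(t, "203.0.113.7", "10.0.0.5", "auth.failure") for t in range(100, 160, 5)]    # 12 failures in 55 s
    + [(165, "203.0.113.7", "10.0.0.5", "auth.success")]                           # ...then a success
    + [(200 + i, "198.51.100.9", "10.0.0.20", "fw.deny") for i in range(40)]       # 40 denies in 40 s
    + [(300 + 30 * i, "10.0.0.50", "10.0.0.5", "auth.success") for i in range(20)]  # routine logins
    + [(900, "10.0.0.60", "10.0.0.5", "auth.failure")]                             # a single typo
)

# Constructed asset weights standing in for business impact (1 = default, 10 = most critical).
ASSET_VALUE = {"10.0.0.5": 10, "10.0.0.20": 3}


@dataclass
class Rule:
    name: str
    category: str                      # event category that is counted
    threshold: int                     # hits needed inside the window to fire
    window_s: int
    severity: int                      # 1-10: how damaging if the pattern is real
    credibility: int                   # 1-10: how trustworthy the reporting source is
    escalate_on: Optional[str] = None  # a later category that raises severity to 10


@dataclass
class Offense:
    rule: str
    source_ip: str
    dest_ip: str
    first_seen: int
    last_seen: int
    event_count: int
    severity: int
    credibility: int
    relevance: int                     # taken from the value of the targeted asset

    @property
    def magnitude(self) -> int:
        # Assumed weighting for this illustration: rounded mean of the three factors.
        return round((self.severity + self.credibility + self.relevance) / 3)


RULES = [
    Rule("brute-force login", "auth.failure", threshold=10, window_s=120,
         severity=7, credibility=8, escalate_on="auth.success"),
    Rule("firewall deny burst", "fw.deny", threshold=25, window_s=60,
         severity=4, credibility=6),
]


def correlate(events, rules=RULES, asset_value=ASSET_VALUE):
    """Sliding-window counting per (rule, source, destination). Every further
    hit of a pattern that already fired folds into the existing offense, which
    is what turns a flood of alerts into a short, ranked list."""
    offenses = {}
    windows = defaultdict(deque)       # (rule name, src, dst) -> timestamps in window
    for t, src, dst, cat in sorted(events):
        for rule in rules:
            key = (rule.name, src, dst)
            if cat == rule.escalate_on and key in offenses:
                offenses[key].severity = 10   # the attempts were followed by a success
                continue
            if cat != rule.category:
                continue
            w = windows[key]
            w.append(t)
            while t - w[0] > rule.window_s:
                w.popleft()
            if len(w) < rule.threshold:
                continue
            if key in offenses:
                offenses[key].last_seen = t
                offenses[key].event_count += 1
            else:
                offenses[key] = Offense(rule.name, src, dst, first_seen=w[0],
                                        last_seen=t, event_count=len(w),
                                        severity=rule.severity,
                                        credibility=rule.credibility,
                                        relevance=asset_value.get(dst, 1))
    return sorted(offenses.values(), key=lambda o: o.magnitude, reverse=True)


if __name__ == "__main__":
    for o in correlate(SAMPLE_EVENTS):
        print(f"magnitude {o.magnitude:2d}  {o.rule:<20} {o.source_ip} -> {o.dest_ip} "
              f"({o.event_count} events, {o.first_seen}-{o.last_seen}s)")
```

Run as a script, the 74 constructed events collapse into two offenses: the brute-force attempt against the crown-jewel host, escalated because a success followed the failures, outranks the deny burst against a low-value asset. The twenty routine logins and the single mistyped password never reach the list at all.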
Answering key questions for more effective threat management

Security teams need to answer key questions to fully understand the nature of their potential threats: Who is attacking? What is being attacked? What is the business impact? Where do I investigate? QRadar SIEM tracks significant incidents and threats, building a history of supporting data and relevant information. Details such as attack targets, point in time, asset value, vulnerability state, offending users’ identities, attacker profiles, active threats and records of previous offenses all help provide security teams with the intelligence they need to act.

Real-time, location-based and historical searching of event and flow data for analysis and forensics can greatly improve an organization’s ability to assess activities and resolve incidents. With easy-to-use dashboards, time-series views, drill-down searching, packet-level content visibility and hundreds of predefined searches, users can quickly aggregate data to summarize and identify anomalies and top activity contributors. They can also perform federated searches across large, geographically distributed environments.

Gaining application visibility and anomaly detection

QRadar SIEM supports a variety of anomaly detection capabilities to identify changes in behavior affecting applications, hosts, servers and areas of the network. For example, QRadar SIEM can detect off-hours or excessive usage of an application or cloud-based service, or network activity patterns that are inconsistent with historical, moving-average profiles and seasonal usage patterns. QRadar SIEM learns to recognize these daily and weekly usage profiles, helping IT personnel to quickly identify meaningful deviations.

[Figure: QRadar SIEM captures data across a broad range of feeds, reducing it to a manageable list of offenses using pre-existing and customer-defined rules. Extensive data sources (security devices; servers and mainframes; network and virtual activity; data activity; application activity; configuration information; vulnerabilities and threats; users and identities) feed deep intelligence: correlation, activity baselining and anomaly detection over logs/events, flows, IP reputation, geographic location, user activity, database activity, application activity and network activity, then offense identification by credibility, severity and relevance, yielding exceptionally accurate and actionable insight as suspected incidents are narrowed to true offenses.]
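The daily and weekly usage profiles described above can be illustrated with a baseline learned per weekday-and-hour slot and a detector that flags both off-hours use and excessive use. This is an added example, not QRadar's implementation: the per-slot mean and standard deviation over three trailing weeks stand in for the product's moving-average profiles, and the synthetic hourly counts, the `k` and `floor` parameters and the two injected anomalies are constructed for the illustration.

```python
from statistics import mean, pstdev

DAYS = range(7)    # 0 = Monday ... 6 = Sunday
HOURS = range(24)


def synthetic_week(variant: int) -> dict:
    """Constructed hourly event counts for one week of a business application:
    busy in weekday office hours, quieter at the edges of the day, near-silent
    at night and on weekends. `variant` adds deterministic jitter so weeks differ."""
    counts = {}
    for d in DAYS:
        for h in HOURS:
            if d < 5 and 9 <= h < 18:
                base = 120
            elif d < 5 and (8 <= h < 9 or 18 <= h < 20):
                base = 40
            else:
                base = 2
            jitter = (d * 5 + h * 3 + variant * 7) % 9 - 4   # in -4..4
            counts[(d, h)] = max(0, base + jitter)
    return counts


def learn_profile(weeks):
    """Baseline per (weekday, hour) slot: mean and population standard deviation
    of the counts seen in the trailing training weeks. Recomputing this over a
    sliding set of weeks is the simplification used here for a moving-average profile."""
    profile = {}
    for slot in weeks[0]:
        vals = [w[slot] for w in weeks]
        profile[slot] = (mean(vals), pstdev(vals))
    return profile


def detect_anomalies(profile, observed, k=3.0, floor=10):
    """Flag slots whose observed count exceeds mean + k*stdev by more than
    `floor` events. The absolute floor matters in dead hours: with a baseline
    of zero and a stdev of zero, k*stdev alone would flag a single stray event."""
    hits = []
    for slot, n in observed.items():
        mu, sd = profile[slot]
        threshold = mu + k * sd + floor
        if n > threshold:
            kind = "off-hours use" if mu < 10 else "excessive use"
            hits.append((slot, n, round(threshold, 1), kind))
    return sorted(hits)


def run_demo():
    """Train on three constructed weeks, then score a fourth week into which
    two anomalies have been injected: a Saturday 03:00 burst and a Tuesday
    14:00 count more than three times the norm."""
    training = [synthetic_week(v) for v in (0, 1, 2)]
    profile = learn_profile(training)
    this_week = synthetic_week(3)
    this_week[(5, 3)] = 45      # Saturday 03:00: the application should be idle
    this_week[(1, 14)] = 400    # Tuesday 14:00: far above the ~120/hour baseline
    return detect_anomalies(profile, this_week)


if __name__ == "__main__":
    names = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
    for (d, h), n, thr, kind in run_demo():
        print(f"{names[d]} {h:02d}:00  observed {n:4d}  threshold {thr:6.1f}  {kind}")
```

Because the profile is keyed by weekday and hour, the same absolute count is normal at Tuesday 14:00 and anomalous at Saturday 03:00, which is the weekly seasonality the datasheet refers to. The ordinary jitter in the fourth week stays well inside the threshold, so only the two injected slots are reported.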
The QRadar SIEM centralized database stores log source events and network flow traffic together, helping to correlate discrete events with bidirectional network flow activity emanating from the same IP source. It also can group network flow traffic and record operations occurring within a narrow time period as a single database entry to help reduce storage consumption and conserve license requirements.

Its ability to detect application traffic at Layer 7 enables QRadar SIEM to provide accurate analysis and insight into an organization’s network for policy, threat and general network activity monitoring. With the addition of an IBM Security QRadar QFlow or VFlow Collector appliance, QRadar SIEM can monitor the use of applications such as ERP, databases, Skype, voice over IP (VoIP) and social media from within the network. This includes insight into who is using what, analysis and alerts for content transmission, and correlation with other network and log activity to reveal inappropriate data transfers and excessive usage patterns. While QRadar SIEM ships with numerous anomaly and behavioral detection rules, security teams can also create their own through a filtering capability that enables them to apply anomaly detection against time-series data.

Commanding a highly intuitive, one-console security solution

QRadar SIEM provides a solid foundation for an organization’s security operations center by providing a centralized user interface that offers role-based access by function and a global view to access real-time analysis, incident management and reporting. Five default dashboards are available—including security, network activity, application activity, system monitoring and compliance—plus users can create and customize their own workspaces.

These dashboards make it easy to spot spikes in alert activity that may signal the beginnings of an attack. Clicking on a graph launches a drill-down capability that enables security teams to quickly investigate the highlighted events or network flows related to a suspected offense. Furthermore, hundreds of templates relevant to specific roles, devices, compliance regulations and vertical industries are available to speed report generation.

[Figure: QRadar SIEM offers a wealth of forensic detail behind every suspected offense and an ability to tune existing rules or add new ones to reduce false positives. The offense view answers: What was the attack? Who was responsible? When did all of this occur? How valuable are the targets? Was it successful? Where do I find them? How many targets involved?]

Extending threat protection to virtual environments

Since virtual servers are just as susceptible to security vulnerabilities as physical servers, comprehensive security intelligence solutions must also include appropriate measures to protect the applications and data residing within the virtual data center. Using QRadar VFlow Collector appliances, IT professionals gain increased visibility into the vast amount of business application activity within their virtual networks and can better identify these applications for security monitoring, application layer behavior analysis and anomaly detection. Operators can also capture application content for deeper security and policy forensics.

Producing detailed data access and user activity reports to manage compliance

QRadar SIEM provides the transparency, accountability and measurability critical to an organization’s success in meeting regulatory mandates and reporting on compliance. The solution’s ability to correlate and integrate surveillance feeds yields more complete metrics reporting on IT risks for auditors, as well as hundreds of reports and rules templates to address industry compliance requirements.

Organizations can efficiently respond to compliance-driven IT security requirements with the extensibility of QRadar SIEM to include new definitions, regulations and best practices through automatic updates. In addition, profiles of all network assets can be grouped by business function—for example, servers that are subject to Health Insurance Portability and Accountability Act (HIPAA) compliance audits.

The solution’s pre-built dashboards, reports and rules templates are designed for the following regulations and control frameworks: CobiT, SOX, GLBA, NERC/FERC, FISMA, PCI DSS, HIPAA, UK GSi/GCSx, GPG and more.

Adding high-availability and disaster-recovery capabilities

To achieve high-availability and disaster-recovery capabilities, identical secondary systems can be paired with all members of the QRadar appliance family. From event processor appliances, to flow processor appliances, to all-in-one and console SIEM appliances, users can add robustness and protection where and when it is needed—helping to ensure continuous operations.

For organizations seeking business resiliency, QRadar high-availability solutions deliver integrated automatic failover and full-disk synchronization between systems. These solutions are easily deployed through architecturally elegant plug-and-play appliances, and there is no need for additional third-party fault management products.

For organizations seeking data protection and recovery, QRadar disaster-recovery solutions forward live data (e.g., flows and events) from a primary QRadar system to a secondary parallel system located at a separate facility.

Profiling for vulnerabilities

IBM Security QRadar Risk Manager complements QRadar SIEM by identifying a network’s most vulnerable assets. It can immediately generate alerts when these systems engage in activity that potentially exposes them. For example, organizations can scan their networks for unpatched applications, devices and systems, determine which ones connect to the Internet and prioritize remediation based on the risk profile of each application. For more information please see the QRadar Risk Manager data sheet.

Receiving comprehensive device support to capture network events and flows

With support for more than 450 products from virtually every leading vendor deployed in enterprise networks, QRadar SIEM provides collection, analysis and correlation across a broad spectrum of systems, including networked solutions, security solutions, servers, hosts, operating systems and applications. In addition, QRadar SIEM is easily extended to support proprietary applications and new systems from IBM and many other vendors.

Why IBM?

IBM operates the world’s broadest security research, development and delivery organization. IBM solutions empower organizations to reduce their security vulnerabilities and focus more on the success of their strategic initiatives.
For more information

To learn more about how IBM Security QRadar SIEM can solve your organization’s threat management and compliance challenges, contact your IBM representative or IBM Business Partner, or visit:

IBM Security solutions

IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force® research and development, provides security intelligence to help organizations holistically protect their people, infrastructures, data and applications, offering solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. These solutions enable organizations to effectively manage risk and implement integrated security for mobile, cloud, social media and other enterprise business architectures. IBM operates one of the world’s broadest security research, development and delivery organizations, monitors 13 billion security events per day in more than 130 countries, and holds more than 3,000 security patents.

Additionally, IBM Global Financing can help you acquire the software capabilities that your business needs in the most cost-effective and strategic way possible. We’ll partner with credit-qualified clients to customize a financing solution to suit your business and development goals, enable effective cash management, and improve your total cost of ownership. Fund your critical IT investment and propel your business forward with IBM Global Financing. For more information, visit:

© Copyright IBM Corporation 2013
IBM Corporation
Software Group
Route 100
Somers, NY 10589
Produced in the United States of America
January 2013

IBM, the IBM logo, QRadar, and X-Force are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information”.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation.

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that systems and products are immune from the malicious or illegal conduct of any party.

WGD03021-USEN-00