Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights


IT security teams have a tough job. While organizations depend upon Internet access to conduct business, security teams are responsible for safeguarding these communications and transactions from those who wish to profit by stealing intellectual property, customer private data or even just encrypting your data and demanding a ransom for its safe recovery. There are a number of tools available to monitor log events, network flows, and packet captures, but most of these are performing after-the-fact analysis. That can make it easy for the bad guys to hide out on your network.

IBM QRadar Network Insights (QNI) uses innovative network threat analytics to identify malicious content – including those hidden in data transmissions, SSL certificate violations, protocol obfuscation, file tags, and suspicious network flows – and then pieces together those indicators of attack to provide security teams with real-time alerts. These alerts help organizations detect attacks that are in progress, as well as determine what damage may have already been inflicted.

View this on-demand webinar to learn how QRadar Network Insights can:

Remove network blind spots and reduce complexities in log data to reveal previously hidden threats and malicious behaviors;
Record application activities, capture file metadata and artifacts, and identify assets, applications and users participating in network communications;
Reduce the impact of threats associated with malware, phishing emails, data exfiltration, and the lateral network movements of advanced attacks.


  1. Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights. November 16, 2016. Jay Bretzmann, QRadar Portfolio Marketing; Tom Obremski, QRadar Offering Management; Peter Szczepankiewicz, QRadar Offering Management
  2. Today’s speakers: Jay Bretzmann, QRadar Portfolio Marketing; Tom Obremski, QRadar Offering Management; Peter Szczepankiewicz, QRadar Offering Management
  3. Agenda: Introduction; QRadar overview; Today’s cyber security challenges; QRadar Network Insights; Demo; Questions and Answers
  4. Agenda (same as slide 3)
  5. IBM QRadar Security Intelligence Platform: Malware and APT; Insider threat; Risk and Vulnerabilities; Incident Response; Compliance Reporting; Securing Cloud
  6. QRadar Sense Analytics™ quickly and easily detects insider threats, malicious behaviors, malware, and risks. Sense Analytics helps:
     • Quickly identify insider threats, malware, APT and other abnormal behavior
     • Simplify and reduce incident analysis effort through automatic identification and relating of abnormal activities
     • Uncover risks through automatic discovery and behavioral profiling of devices, users, assets and applications
     • Enable rapid time to value with automated security data discovery and classification, and integrated network and endpoint scanning
     • Stay ahead of attacks with automatic updates of threats, vulnerabilities and new security use cases on the IBM App Exchange
  7. Agenda (same as slide 3)
  8. IBM Security. Today’s Challenges: Why are they so hard to solve? Advanced threats: greater sophistication and improved stealth. Real-time threat detection lacks the necessary security context; real-time visibility of network context is missing and the number of false-positive alerts is high.
     • Threats hide in normal application traffic: DNS, web, email, file transfers
     • Malicious actors are stealthy, making lateral movements and exfiltrating data
     • Current logs and flows don’t provide consistent visibility across the threat lifecycle
     • PCAP data is expensive and primarily used for post-incident forensics analysis
     • Over-sensitive tools create too many false positives
     • Lack of infrastructure and communication context to improve threat detection accuracy
     Advanced threats | Phishing e-mails | Malware | Data exfiltration | Compliance gaps | DNS abuse
  9. Agenda (same as slide 3)
  10. IBM Security. Today’s Exciting News! Announcing NEW IBM QRadar Network Insights (QNI)
     • Innovative network analytics solution that will quickly and easily detect insider threats, data exfiltration and malware activity
     • Logs and network flow data are not providing enough visibility
     • Records application activities, captures artifacts, and identifies assets, applications and users participating in network communications
     • Configurable analysis of network traffic for real-time threat detection and long-term retrospective analysis
     • New appliance with out-of-the-box content on the App Exchange for fast time to value and best practices
  11. IBM Security. IBM QRadar Network Insights – Leaves nowhere to hide. Innovative network threat analytics; improved threat detection; long-term retrospective analysis.
     • Essential threat indicators gathered from network traffic in real time
     • Threats are hunted and traced with full visibility of network traffic
     • Threats are qualified by correlating network insights with logs from security devices
     • Discovered devices, users and applications cataloged for improved context
     • Activities relating to applications, assets, artifacts and users can be collected selectively
     • Hidden risks and threats revealed through historical analysis employing the latest intelligence
  12. IBM Security. Providing complete coverage and threat detection (architecture diagram). Labels: Network Tap; QRadar; QRadar Network Insights; QRadar Incident Forensics; QRadar Network Packet Capture; Incident Detection & Qualification; Root Cause Analysis; QRadar Processors; Endpoint; Network; Cloud. IBM AND BP INTERNAL USE ONLY
  13. IBM Security. QRadar QNI – Completing the picture: filling in the important gaps
     • What is out there?
     • Who is talking to whom?
     • What files and data are being exchanged?
     • Do they look malicious?
     • Do they contain any important or sensitive data?
     • Is this malicious application use?
     • Is this new threat on my network?
     • If so, where is it and what did it do?
     BASIC | ENRICHED | ADVANCED
  14. IBM Security. Covering the threat lifecycle: Phishing. Phishing works: “95 percent of all attacks on enterprise networks are the result of successful spear phishing.” – SANS Institute. Detect phishing e-mails before users have a chance to open them: detect and extract suspicious e-mail subject lines, content and attachments, helping QRadar detect attacks before users access their inbox. Someone fell for it… again: quickly determine who was phished, how they responded, and who is compromised.
     Indicators (tiered BASIC / ENRICHED / ADVANCED on the slide): Email field analysis; Invalid certificate detection; E-mail subject lines; Anomalous DNS lookups; Hunting for others who received the e-mail; Embedded scripts in attachments
  15. IBM Security. Finds Insider Threats. Exposure to insider risk: “55% of all attacks were carried out by malicious insiders or inadvertent inside actors.” – IBM 2015 Cyber Security Intelligence Index. “Insider risk can be more than a threat to IT systems or data loss – it can result in physical harm or sabotage.” – Carnegie Mellon SEI. Enhances QRadar UBA for unique insider threat detection: identify unapproved web browsing or searches, recognize access to risky or suspicious domains, trace activities following anomalous behaviors, resolve aliases and privileged identities triggered by suspicious content, seamlessly feeding QRadar UBA.
     Indicators (tiered BASIC / ENRICHED / ADVANCED on the slide): Internet-bound data; Anomalous DNS queries; Interaction with malicious sources; E-mail subject lines; Abnormal crown-jewel communications and transfers; PI data detection; Who is talking to whom; Web site content; Email content
  16. IBM Security. Key use example: All customers care about data exfiltration. Secrets being exposed: “50% of organizations believe they have regular confidential data leakage” – Enterprise Management Associates. My proprietary data was posted where?!? Uncover sensitive data leaving the network via e-mail, chat messages, files or social media in real time. Knowledge of these transfers helps QRadar differentiate authorized from unauthorized actions, speeding incident response.
     Indicators (tiered BASIC / ENRICHED / ADVANCED on the slide): Detect credit card data; Abnormal DNS payload; What user IDs were used; Detect PI data in flight; Excessive file transfers; Detect watermarks and confidential branding; Where did the file go; Capture file properties; Other suspect content; Hunting for what else was exfiltrated
  17. IBM Security. Take your threat detection and risk visibility to new levels
     • Quickly and easily discovers insider threats, malware and APTs
     • Uncovers hidden risks with automatic visibility of devices, users and applications
     • Seamlessly integrated with QRadar, lowering costs and increasing threat detection accuracy
     • Easily scales from the smallest to the largest network as you grow
  18. Agenda (same as slide 3)
  19. All Originating Email Users
  20. Drill down. All Email Sent with attachments
  21. Email Senders – Pivot. Analyze. Drill into one email sender
  22. File Integrity Hashes
  23. Anomaly Incident – Pervasive File
  24. Another Example. Begin with a Chained Incident – Phishing and Lateral Movement
  25. Where did the attacker hop to?
  26. Who sent the phishing email?
  27. What was the email attachment?
  28. Who else received the same phishing email?
  29. Questions and Answers. IBM QRADAR NETWORK INSIGHTS
  30. ibm.com/security | securityintelligence.com | xforce.ibmcloud.com | @ibmsecurity | youtube/user/ibmsecuritysolutions. © Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party. FOLLOW US ON: THANK YOU
  31. Additional Use Cases. IBM QRADAR NETWORK INSIGHTS
  32. IBM Security. Covering the threat lifecycle: Malware detection and analysis. Malware is pervasive: “600%+ increase in attachment-based versus URL-delivered malware attacks from mid 2014 to 2015” – Proofpoint; “50% increase in email attacks where macros are the method of infection” – Clearswift.com. No file goes unnoticed: QRadar Network Insights knows the details of every file, from the file name, type, entropy, embedded scripts and file hash to where it came from and where it was sent. With QRadar and threat intelligence from X-Force Exchange, it becomes clear when malware has evaded detection.
     Indicators (tiered BASIC / ENRICHED / ADVANCED on the slide): Suspect content detection; Talking with malicious sources; DNS system abuse; File type mismatch; File hash threat intelligence correlation; Embedded script detection; Hunting for where it went; Pluggable malware signatures
  33. IBM Security. Discover what is out there. Uncover what is being used: “50% of organizations don’t know what they’ve deployed or are using”. Discover the unknown: automatically discover assets, devices, servers, services, applications, users and internet services; this drives improved threat detection, security and compliance.
     Indicators (tiered BASIC / ENRICHED / ADVANCED on the slide): Detect credit card data; Discover shadow IT; Find web apps and databases; Detect watermarks and confidential branding; Identify assets; Capture file properties; Recognize services; Discover services
  34. IBM Security. Improved threat detection with additional context. Reduce the work with better accuracy: “42% of organizations don’t process a significant number of alerts” – ESG research. Too much noise: lack of important context results in security teams being plagued with false positives. Identifying what assets, devices, users and applications are on the network and understanding their behavior patterns, when analyzed with event data in QRadar, can significantly improve the accuracy of alerts based on what appears to be anomalous behavior.
     Indicators (tiered BASIC / ENRICHED / ADVANCED on the slide): Find web apps and DB servers; Discover and catalogue servers; Understand data flow direction; Discover services; Record data flow volumes; Evaluate reputation; Reveal web categories; Baseline normal behavior; Highlight sensitive data
  35. IBM Security. Zero-day threat detection. The rate of new zero-day threats is increasing: “Zero-Day Discoveries A Once-A-Week Habit” – Dark Reading. Detect what others miss: traditional means of detection and prevention may be blind to new zero-day attacks, but QRadar Network Insights can help identify the symptoms to enable timely detection and remediation.
     Indicators (tiered BASIC / ENRICHED / ADVANCED on the slide): Application; HTTP headers; IP reputation; New connections; Beaconing; Baseline normal behavior; DNS; Flow duration
  36. IBM Security. Managing social media risk. Social media is becoming a favored tool for attacks: “160,000 Facebook pages are hacked a day” – New York Post. Social media is important but risky for businesses: whether threat actors use it for phishing, as a channel to distribute malware, or to gain identity or password information, social media usage (whether sanctioned or not) poses a threat to businesses. Personal use of social media can easily cross boundaries that compromise your company’s reputation, your assets and your customers. Real-time contextual content analysis is key to detecting usage that has simply gone too far.
     Indicators (tiered BASIC / ENRICHED / ADVANCED on the slide): Application content and context; Phishing detection; URLs; Malware detection; Usage vs. policy; Detect sensitive data
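Slide 32 names two file-level checks, "file type mismatch" and "file hash threat intelligence correlation", without showing what they look like in practice. The following is an added illustration written for this page; it is not QNI code and says nothing about how the product implements these checks. It assumes a sensor keeps only file metadata per transfer (the first bytes and a SHA-256 digest), uses a deliberately small magic-byte table, and works over constructed sample transfers with a constructed one-entry threat-intelligence set.

```python
import hashlib

# Minimal magic-byte table (assumption: only a handful of common types are covered).
MAGIC_PREFIXES = {
    b"%PDF-": "pdf",
    b"MZ": "exe",                                 # PE executables (DOS stub header)
    b"PK\x03\x04": "zip",                         # also the container for docx/xlsx/pptx/jar
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "doc",   # legacy OLE2 Office documents
}

# Extensions that legitimately carry a ZIP or OLE2 container, so they are not mismatches.
CONTAINER_EXTENSIONS = {
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "doc": {"doc", "xls", "ppt", "msg"},
}


def sniff_type(head: bytes):
    """Return the type implied by the leading bytes, or None if the table has no match."""
    for prefix, kind in MAGIC_PREFIXES.items():
        if head.startswith(prefix):
            return kind
    return None


def declared_type(filename: str) -> str:
    """Return the lowercase extension the sender claims, or '' if there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def analyze_transfer(record: dict, bad_hashes: set) -> list:
    """Return the findings for one file transfer; an empty list means nothing was flagged."""
    findings = []
    sniffed = sniff_type(record["head"])
    ext = declared_type(record["filename"])
    # A declared extension that disagrees with the real container is the "file type mismatch".
    if sniffed and ext and sniffed != ext:
        if ext not in CONTAINER_EXTENSIONS.get(sniffed, set()):
            findings.append(f"type-mismatch:{ext}->{sniffed}")
    # Hash correlation: the digest is looked up in a threat-intelligence set.
    if record["sha256"] in bad_hashes:
        findings.append("known-bad-hash")
    return findings


def make_record(src: str, dst: str, filename: str, content: bytes) -> dict:
    """Build the metadata a sensor might keep: header bytes and a hash, not the whole file."""
    return {
        "src": src,
        "dst": dst,
        "filename": filename,
        "head": content[:16],
        "sha256": hashlib.sha256(content).hexdigest(),
    }


# Constructed sample transfers (addresses from documentation ranges).
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60   # a PE stub sent under a .pdf name
SAMPLE_TRANSFERS = [
    make_record("10.0.0.5", "203.0.113.7", "invoice.pdf", FAKE_PE),
    make_record("10.0.0.8", "10.0.0.20", "report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    make_record("10.0.0.9", "10.0.0.20", "q3.docx", b"PK\x03\x04" + b"\x00" * 26),
    make_record("10.0.0.5", "203.0.113.7", "update.bin", b"\x00" * 32),  # unknown magic: no verdict
]

# Constructed threat-intelligence entry: the digest of the sample PE above.
BAD_HASHES = {hashlib.sha256(FAKE_PE).hexdigest()}


def scan(transfers=SAMPLE_TRANSFERS, bad_hashes=BAD_HASHES) -> dict:
    """Map each flagged filename to its findings; unflagged transfers are omitted."""
    results = {}
    for rec in transfers:
        findings = analyze_transfer(rec, bad_hashes)
        if findings:
            results[rec["filename"]] = findings
    return results


if __name__ == "__main__":
    for name, findings in scan().items():
        print(name, findings)
```

Two design points worth noting. The mismatch check only fires when the magic table recognizes the content, so an unknown header (`update.bin` above) yields no verdict rather than a false positive; and the ZIP/OLE2 allow-list is what keeps every Office document from being flagged, which is the kind of tuning a deployment needs before the alert is useful.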
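Slide 35 lists "Beaconing" and "Baseline normal behavior" among the zero-day symptoms drawn from flow data. As an added example, not QNI code and not a description of its method, the block below shows the simplest form of a beaconing check over constructed connection records: group flows by source/destination pair, compute the inter-arrival intervals, and flag pairs whose intervals are both numerous and unusually regular (low coefficient of variation). The timestamps, addresses and thresholds are all constructed.

```python
import statistics
from collections import defaultdict

# Constructed connection records: (seconds since capture start, source, destination).
SAMPLE_FLOWS = [
    # One host contacts an external address about every 300 s with slight jitter.
    (0, "10.0.0.5", "198.51.100.9"), (302, "10.0.0.5", "198.51.100.9"),
    (598, "10.0.0.5", "198.51.100.9"), (903, "10.0.0.5", "198.51.100.9"),
    (1197, "10.0.0.5", "198.51.100.9"), (1500, "10.0.0.5", "198.51.100.9"),
    (1804, "10.0.0.5", "198.51.100.9"), (2099, "10.0.0.5", "198.51.100.9"),
    # Ordinary bursty user traffic to an internal file server: many flows, irregular gaps.
    (0, "10.0.0.8", "10.0.0.20"), (40, "10.0.0.8", "10.0.0.20"),
    (1000, "10.0.0.8", "10.0.0.20"), (1010, "10.0.0.8", "10.0.0.20"),
    (1500, "10.0.0.8", "10.0.0.20"), (3200, "10.0.0.8", "10.0.0.20"),
    (3300, "10.0.0.8", "10.0.0.20"), (3301, "10.0.0.8", "10.0.0.20"),
    # Too few connections to judge either way.
    (100, "10.0.0.11", "192.0.2.44"), (700, "10.0.0.11", "192.0.2.44"),
    (1300, "10.0.0.11", "192.0.2.44"),
]


def interval_stats(times):
    """Return (mean gap, coefficient of variation) for a list of connection timestamps."""
    times = sorted(times)
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    # Population standard deviation over the mean; infinite if every flow shares a timestamp.
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv


def beacon_candidates(flows, min_connections=6, max_cv=0.15):
    """Pairs whose connection cadence is regular enough to look like a periodic check-in.

    min_connections guards against judging a pair on a handful of flows; max_cv is the
    regularity threshold (both are constructed starting points, not tuned values).
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    candidates = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        mean, cv = interval_stats(times)
        if cv <= max_cv:
            candidates[pair] = {
                "count": len(times),
                "period_s": round(mean, 1),
                "cv": round(cv, 3),
            }
    return candidates


if __name__ == "__main__":
    for pair, info in beacon_candidates(SAMPLE_FLOWS).items():
        print(pair, info)
```

Regular cadence is only a symptom: software updaters and monitoring agents also check in on a schedule, so a hit is best read against a baseline of which pairs normally show this pattern, which is the "Baseline normal behavior" item on the same slide. Implants that add heavy jitter raise the coefficient of variation and slip under a fixed threshold, which is why the threshold and the minimum connection count are left as parameters.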
