
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting Today!


When your cyber security is under attack, knowing who is behind your threats and what their motives are can help you ensure those threats don't become a reality. But cyber threat actors conduct their threats through a variety of means and for a variety of reasons. That's why it is critical to analyze a variety of data sources and proactively hunt the threats that are lying in wait. This webinar will illustrate how the IBM i2 QRadar Offense Investigator app enables analysts to push event data from QRadar directly into IBM i2 Analyst's Notebook, where users can apply a variety of visual analysis techniques across disparate data sources to build a more comprehensive understanding of those threats and hunt them.



  1. Threat Hunting and i2 QRadar Offense Investigator. Bob Stasio, CISSP, Senior Product Manager, i2 Intelligence, IBM Security. July 2017.
  2. Who is i2 Intelligence
     History
     • Those detective shows with the string walls… we do that, digitally
     • 26+ years ago i2 began enabling digital investigations for military and law enforcement
     • Started as desktop software, evolved into a client/server option
     • Helped 4,000+ customers, used by 80% of national security orgs globally; the gold standard in intel
     Core Use Cases
     • National Security: military intelligence, counter terrorism fusion analysis, open source intel
     • Law Enforcement: criminal investigations, counter gang, evidence presentation, intelligence
     • Cyber: investigate alerts, campaign tracking, event triage, threat hunting
     • Fraud: fraud investigations, insider threat, transaction analysis
     Hottest Trend: Threat Hunting
     • Next level of maturity for the SOC or SIOC organization
     • Find the one specific "needle" in the massive stack of needles
     • Powerful visualization and analytics, see data in a new way
     • A platform to bring together all sources of disparate data
     • Put the human in the loop to find the other human adversary
  3. Threat Hunting Defined
     Threat Hunting Cycle: CREATE hypotheses → INVESTIGATE via tools and platforms → UNCOVER new patterns & TTPs → REPORT & ENRICH analytics
     Components of Threat Hunting (diagram labels): Correlated Platform; QRadar; X-Force; BigFix; IDS; Logs; i2 Intelligence; Atomic
     Threat Hunting is:
     • Human-led analysis
     • Proactive in nature
     • Facilitated with an analyst workbench
  6. Non-Linear Relationship Between Effectiveness and Cost (chart: Level of Effort vs. % of Threats Stopped)
     Intelligence time horizon: Information Security → Cyber Analysis → Advanced Security Intelligence → Cyber Analysis and Threat Hunting (HUNTING)
     Chart labels: Implement a Security Framework; Complex Investigation
     Personnel example: Tier One SOC Analyst, Tier Two SOC Analyst, Incident Responders, Cyber Analysts, Threat Researchers
     Product example: Firewall, SIEM, Analysis
  8. Six Key Use Cases and Examples of Enterprise Intelligence (table: Customer Key Use Case | Value Delivered | Buyer)
     • Cyber Threat Hunting | Net new discovery of correlating low level alerts and offenses | SOC Director, Head of Threat Intel, CISO, CTO
     • Watchlists and Vetting | Greatly increased efficiency of investigation and increased level of data by orders of magnitude | Lead investigator
     • Insider Threat | Identified discoveries of employees abusing privileges | Head of SIU
     • VIP Protection | Immediate alerting of threats to VIPs and direct link to law enforcement | Head of Threat Intel, Cyber Intel Director
     • Fraud Investigations | Identified net new money chain transfers | Head of FIU
     • Threat Discovery | Immediate alerting on brand compromises and fraud on the dark web | Head of FIU, Head of Brand Protection
  9. Why Customers Need i2 Intelligence for Threat Hunting (table: Problem | Description | How i2 Helps)
     • Overwhelming Data (structured, unstructured, open source) | Organizations have dozens of vendor and government data/intel feeds which are in multiple formats and difficult to acquire. It is nearly impossible to derive value from the data | i2 is data agnostic and can ingest structured and unstructured datasets, then display a single-object model to the analyst for easy analysis
     • Enterprise Level Analysis | A customer's security and risk orgs are very siloed and operate in "fiefdoms". Threat indicators need to be combined across security, intelligence, fraud, and risk | i2 is an extensible solution allowing connection to data sources in place and for all analysts and groups to combine disparate data sources
     • Asymmetric Threat | Advanced cyber threats have become commoditized through exploit kits; now a hacker with a $500 laptop and a low skillset can negate millions in cyber investment | i2 allows for proactive searching and anomaly recognition through built-in analytics to discover latent threats hiding within noisy alerts
     • Budget / Turnover / Skills | Our customers' IT and security budgets are constantly being slashed; they are asked to do more with less. It is also very difficult to find trained cyber operators with advanced skills | i2 has an easy-to-use analyst UI; as one customer put it: "it takes me 6 months to train an analyst on a SIEM, with i2 an analyst is effective in days"
  10. Intelligence Concepts are a Spectrum of Value (table: Concept | Value | Description | Analogy)
     • Optimizing | Decreasing time to know, prioritizing indicators | Seeing obvious issues from a different angle; creating efficiencies in other tools/domains; tuning alerts to the appropriate threshold; understanding the most important alerts; connecting multiple events and alerts | Alert Fatigue
     • Force Multiplier | Understand trends and patterns, indicators | Discover patterns and trends over time; direct valuable resources for max impact; automate ingest, searches, functions; tip other collection sources using intel; pinpoint problem areas with analytics | Border Protection
     • Predicting | Taking advantage of anomalies, preempting adversary action | Advanced differentiated information; using indicators to predict adversary action; discovering anomalies as key indicators; stopping the adversary before reaching the goal; understanding trends and how they impact | Market Prediction
  11. Key Differentiators of i2 vs. Other Security Products
     • For Advanced Users: Tier 3, threat hunters
     • We Do Investigations: human in the loop
     • Non-Cyber Datasets: physical, HR, dark web
     Diagram (axes: complexity of data, volume of data): Security Operations starts with the known; Hunting starts with the unknown
  12. What is an Unknown Unknown Search
     Diagram: Offense 1 linked to Offense Properties a through i
     Ask the question: "show me which offenses share the same property". You know neither the subset of offenses nor the subset of properties to search.
  13. Using the power of i2…
     Specific Hunting Scenario. Ask the question: "Find the person who…"
     • Is part of a specific organization
     • Is associated with a monetary transaction
     • Who also made a call on a certain date
     • Who also came up in an alert
     • Which was also associated with an extracted document
     • Who also is associated with a vehicle tag
     • Which was seen on a surveillance camera at night
     Imagine the scenario:
     • An investment bank wants to know if any insiders are committing fraudulent trades
     • The person would be sophisticated and perhaps changing terminals and logins
     • The person would also come in on the night shift to cover what they are doing
     This is Very Difficult!
     • Data from multiple domains and silos
     • Challenging to correlate facts in the case
     • Existing security tools are too niche in their use
  14. What is Needed to Conduct Threat Hunting (diagram labels): Foundational Data Organization + Discovery; SOC & SIEM; Threat Intelligence; Intelligence Analysis Tools; Statistical Analysis; Known Indicators; Anomaly Detection; i2 Intelligence Area of Expertise
  15. What is i2 Intelligence?
     Analyst Workbench ("Front End"): Network & Link Analysis, Transactional Timelines, Analytical Tools, Geospatial Integration
     • Out-of-the-box analytics & visualization that help find and track adversaries in both the government and private sector
     • Intuitive UI design used by thousands of analysts for over 25 years, which greatly speeds up investigation
     • Create products for decision making, to provide evidence of criminal behavior, or as visual aids during an investigation
     • Combine all internal & external data sources into a single object model in order to understand multi-dimensional data
     • Advanced searching to quickly expand an investigation by allowing the analyst to "pivot" a search on any variable
     • Deep server-side analytics that present non-obvious relationships and data patterns to the analyst
     Enterprise Server ("Back End"): data ingestion of structured, semi-structured and unstructured sources into the Entity, Link, Property (ELP) format
  16. Threat Hunting Platform Structure (diagram)
  17. Announcing New App: i2 QRadar Offense Investigator app via IBM Security App Exchange
     Workflow: Triage → Analysis → Block and Tackle. QRadar handles offense correlation; i2 Analyst's Notebook handles hunt investigations.
     • Analyst can select specific offenses with an integrated "i2 button"
     • Offenses and connected data are pushed into i2 ANB by the QRadar plugin
     • Data can be pulled into i2 ANB through the QRadar API
     Persona: Cyber Analyst Tom with QRadar App, a Tier 3 or "Hunt" analyst
     • Proactive threat analysis
     • Looks for trends, anomalies
     • Uses SIEM and analysis tool
     Value of i2 threat hunting for QRadar app:
     • Greatly increases efficiency of investigation
     • Automatically enriches offenses within i2 Analyst's Notebook
     • Simplifies and accelerates the sales cycle generated by the IBM Security sales team
     • Shows "out-of-the-box" integration with IBM Security products, specifically QRadar
  18. Screenshot
  19. Example Analysis Tools Over QRadar Data
     • Network Analytics
     • Bar Charts and Histograms
     • Copy to Timeline
     • List Most Connected
     • Find Connecting Network
     • Activity View
  20. Understanding Workflow Between Analysts (diagram)
     Data sources and products: Foundational Security Data, Physical Security Data, Geospatial Data, Non-Traditional Data, Cyber Corpus, QRadar, QRadar Advisor, Watson for Cyber Security, IBM i2
     Analyst tiers: Tier 1 Analyst, Tier 2 Analyst, Tier 3 Analyst
     Activities, in slide order: Triage, Awareness, Alerting, Initial Analysis, Offense Review, Visibility, Aggregation, Detection, Monitoring, Vulnerability Management, Enrichment, Alerting, Increased Accuracy, Hypothesis Generation, Speed Up Investigation, Context Enhancement, Event Visualization, All Source Data Analysis, Deep Investigation, Mathematical Model Analysis, ELP Searching, Advanced Data Queries, Active Visualization
  21. A large North American custody bank gained valuable insight from correlating multiple low-level offenses
     Business challenge
     • Visually understand how multiple low-level SIEM alerts fit together, on a daily basis. See how individual identifiers (e.g. IP, machine name, etc.) can come up in multiple events
     IBM Security i2 EIA
     • Gained superior visualization of interconnectivity and correlation among incidents, realizing a 5,000:1 decrease in event analysis and a significant decrease in investigation time from hours to seconds
     Results: 5,000:1 reduction in event analysis; hours to seconds, decreased investigation time with the ability to correlate multiple low-level events to identifiers. "Connecting the dots"
  22. A UK based savings and loan bank greatly increases the effectiveness of fraud investigations
     Business challenge
     • Analysts spent days on fraud investigations, crawling through spreadsheets
     • Had to manually create diagrams once reaching a conclusion to share with law enforcement
     IBM Security i2 EIA
     • Accelerates investigations by up to 80%, eliminates hours of spreadsheet-based analysis by presenting data visually, and helps analysts tackle complex investigations without impacting normal operations
     Results: 80% decrease in time to complete investigations; minimize risk and catch more criminals, sharing with LE. "Finding Fraud Faster"
  23. Customer Use Case Mapping
     Buyers: Chief Risk & Compliance Officer, CISO, CSO
     • SOC, Threat Intel and Insider Threat use cases (Investigations): Threat Hunting, Incident Investigations, Event Correlation, Campaign Tracking, Intel Report Production, Threat Discovery, Watchlists, Vetting
     • Physical Security, VIP Protection and Travel Risk use cases: Political Unrest Assessments, Building Threat Assessments, Theft Investigations, Stakeholder Threat Assessment, Reputation Investigation, Area Threat Assessment, Event Threat Assessment
     • Internal Fraud, External Fraud and SIU use cases: Privilege Misuse, Money Laundering, Insider Trading, Account Takeover, Organized Crime Investigation, Insurance Fraud, Complex Fraud Investigation
  24. Where You Can Find the i2 Intelligence Team (IBM and Partner Use Only)
     Groups: i2 WW and Geo Sales Leadership; i2 Offering Management Leadership; i2 WW Technical Leadership
     Names: Will Martin - NA; Jon Whitman - WW; Akiba Saeedi; Bob Thimsen; Bob Stasio; David Waxman; Julian Midwinter - EUR; Harry McCue - GM; Steve Dalzell; Mike Kehoe - WW
  25. © Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
     Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
     FOLLOW US ON: @ibmsecurity, youtube/user/ibmsecuritysolutions. THANK YOU
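The "unknown unknown" search of slide 12 and the "List Most Connected" and "Find Connecting Network" tools of slide 19, as an added Python example that is not IBM i2 or QRadar code: constructed offense records are turned into an entity/link model in the spirit of the ELP format on slide 15, and the functions find identifiers shared by several offenses, rank the most connected identifiers, and group offenses into connected networks. The field names and sample values are assumptions, not the QRadar offense schema.

```python
# Added example (not IBM i2 or QRadar code): link analysis over a handful of
# QRadar-style offenses. Each offense is an entity linked to the identifier
# values (properties) it carries; an identifier shared by two offenses links them.
from collections import defaultdict
from itertools import combinations

# Constructed sample offenses; field names are illustrative, not the QRadar schema.
OFFENSES = [
    {"id": 101, "src_ip": "10.0.0.5",    "user": "alice", "host": "ws-12"},
    {"id": 102, "src_ip": "10.0.0.9",    "user": "bob",   "host": "ws-12"},
    {"id": 103, "src_ip": "10.0.0.5",    "user": "carol", "host": "srv-1"},
    {"id": 104, "src_ip": "192.168.7.3", "user": "dave",  "host": "ws-40"},
]


def build_links(offenses):
    """Map each (property, value) entity to the set of offense ids that carry it."""
    links = defaultdict(set)
    for off in offenses:
        for prop, value in off.items():
            if prop != "id":
                links[(prop, value)].add(off["id"])
    return links


def shared_properties(offenses):
    """Slide 12: which offenses share a property, without picking offenses or properties first."""
    return {ent: sorted(ids) for ent, ids in build_links(offenses).items() if len(ids) > 1}


def most_connected(offenses, top=3):
    """Slide 19 'List Most Connected': identifiers ranked by how many offenses link to them."""
    links = build_links(offenses)
    return sorted(links, key=lambda ent: (-len(links[ent]), ent))[:top]


def connecting_network(offenses):
    """Slide 19 'Find Connecting Network': group offenses reachable through shared identifiers."""
    parent = {off["id"]: off["id"] for off in offenses}  # union-find over offense ids

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for ids in build_links(offenses).values():
        for a, b in combinations(sorted(ids), 2):  # every shared identifier merges its offenses
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for oid in parent:
        groups[find(oid)].append(oid)
    return sorted(sorted(g) for g in groups.values())
```

With the constructed data, offenses 101, 102 and 103 form one network through the shared host and source IP, while 104 stands alone; on real offense data the same functions surface the identifiers worth pivoting on first.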