Security intelligence involves analyzing all available security data sources in an organization to generate actionable information. It is essential due to increasingly sophisticated attacks, disappearing network perimeters, and security teams facing high volumes of data with limited resources. IBM's QRadar security intelligence platform provides automation, integration, and intelligence to help organizations optimize security through advanced threat detection, compliance, and eliminating data silos. It uses embedded intelligence to identify true security incidents from massive amounts of data through automated collection, analysis, and reduction. Virtual appliances are available in different models and capacities to support SMBs and enterprises.
IBM® QRadar® QFlow Collector integrates with IBM QRadar SIEM and flow processors to provide Layer 7 application visibility and flow analysis to help you sense, detect and respond to activities throughout your network. This combined solution, powered by the advanced IBM Sense Analytics Engine™, gives you greater visibility into network activity to better detect threats, meet policy and regulatory compliance requirements, and minimize risks to mission-critical services, data and assets.
This IBM QRadar training is designed for security analysts, security technical architects, offense managers, network administrators, and system administrators using QRadar SIEM.
IBM Security QRadar SIEM is a tech platform developed by IBM to provide a 360-degree overview of an organization’s security system.
QRadar normalizes events that come from a security system’s log sources and correlates them according to certain rules configured in QRadar.
IBM QRadar collects log data from an enterprise, network devices, host assets, operating systems, applications, vulnerabilities, user activities and behaviors.
IBM QRadar performs real-time analysis of the log data and network flows to identify malicious activity so that it can be stopped quickly, preventing or minimizing damage to an organization.
The IBM Security Intelligence Platform, also known as QRadar®, integrates SIEM, log management, anomaly detection, vulnerability management, risk management and incident forensics into a unified, highly scalable, real-time solution that provides superior threat detection, greater ease of use, and low total cost of ownership compared with competing products.
Information Security: Advanced SIEM Techniques (ReliaQuest)
Joe Partlow, CISO, ReliaQuest (www.reliaquest.com): We’ve all heard it before; SIEM is dead, defense is boring, logs suck, etc. The fact is that having total visibility into what’s happening on your network is absolutely necessary and keeps you from having to answer questions like “How did you not know we were compromised for the past 6 months!” This talk focuses on advanced tips and tricks you can implement with your SIEM to give you better visibility into all areas of your environment. Also includes top secret, 1337 (ok, maybe just average) code snippets.
SIEM (Security Information and Event Management) (Osama Ellahi)
In this presentation we cover basic knowledge about SIEM:
- What is SIEM
- How it works
- SIEM process
- SIEM capabilities
- Some screenshots of Varonis (a tool used for collecting logs, i.e. log aggregation, which then applies machine algorithms to assess whether the logs are risky or not).
There are many other vendors who also provide tools for information and event management; QRadar by IBM is also one of the best tools.
Today’s networks are larger and more complex than ever before, and protecting them against malicious activity is a never-ending task. Organizations seeking to safeguard their intellectual property, protect their customer identities and avoid business disruptions need to do more than monitor logs and network flow data; they need to leverage advanced tools to detect these activities in a consumable manner.
Database Monitoring - First and Last Line of Defense (Imperva)
In the battle to defend your data you have an edge over the hacker that can prevent or minimize the damage of a database breach. You have the advantage of operating within your own environment and can deploy automated surveillance capabilities to watch sensitive data. When a hacker breaches the firewall or compromises a privileged user they are beyond the reach of most security measures. Only a data centric solution that directly monitors data access will be able to spot and stop the abnormal activity.
View this presentation to learn how SecureSphere data protection solutions can help you improve your security profile and protect your company against a database breach.
Top Cybersecurity Threats and How SIEM Protects Against Them (SBWebinars)
Everyone has become increasingly aware of the danger hackers pose—they can steal data, dismantle systems, and cause damage that can take years to recover from. However, organizations often have a false sense of safety when it comes to their security environments. There are countless ways that businesses are making it easier for a threat actor to find their way in undetected.
Join cybersecurity expert Bob Erdman, senior security product manager, as he outlines the most common ways organizations unintentionally put themselves at risk against threats like:
- Insider attacks
- Alert and console fatigue
- Shortage of security staff
- Misconfigurations
- Excessive access
By better understanding what and where the challenges are, organizations can be better equipped to find solutions. This webinar will also highlight different strategies for mitigating risk, from specific Security Information and Event Management (SIEM) tools to employee education.
Security information and event management (SIEM) tools provide a robust collection of data sources that can help companies take a more proactive approach to preventing threats and breaches.
However, implementing a SIEM often brings the challenges of a lengthy implementation, costly investment and the need for skilled security analysts to maintain it. Also, many SIEMs have been used in on-premises data centers, so what steps will you need to take if you want your SIEM to move with your data into the cloud?
Database surveillance can protect data, simplify compliance audits and improve visibility into data usage and user behavior. Walk through these slides to learn:
• The benefits of database monitoring over native audit tools
• Factors to consider before investing in database audit and protection
• Three specific ways to leverage database monitoring for improved security
In practice it often proves difficult to determine which risks an organization faces and what level of security is appropriate for them. This knowledge is nevertheless necessary in order to take the right measures and to invest effectively in information security. On 12 December 2012 Pinewood, in cooperation with McAfee, organized a seminar that addressed this. Practical tools such as Risk Management and McAfee Nitro (McAfee's SIEM product), together with Pinewood's pragmatic approach, offer concrete guidance and insight for arriving at an effective information security policy.
Top Five Security Must-Haves for Office 365 (Imperva)
Whether you’ve already deployed Office 365 or have plans to, security considerations around moving your business-critical apps to the cloud are paramount. From Exchange, Yammer, and SharePoint to OneDrive and the Administrator Portal, monitoring activity and securing access is critical to mitigating threats and protecting confidential data.
Exploding data growth doesn’t mean you have to sacrifice data security or compliance readiness. The more clarity you have into where your sensitive data is and who is accessing it, the easier it is to secure and meet compliance regulations.
Walk through this presentation to learn how to:
- Detect and block cyber security events in real-time
- Protect large and diverse data environments
- Simplify compliance enforcements and reporting
- Take control of escalating costs.
Security Meetup Scotland - August 2017 (Deconstructing SIEM) (Harry McLaren)
There are many misconceptions about what a SIEM is and why they should still be the heart of an operational capability when it comes to security controls and monitoring. This topic will outline what makes a powerful SIEM and why creating it yourself is increasingly challenging. We'll explore the frameworks at the heart of a SIEM and how Splunk has developed Enterprise Security with these in mind; finishing with some general lessons learned for SIEM implementation projects.
SecureSphere ThreatRadar: Improve Security Team Productivity and Focus (Imperva)
As much as 50% of the traffic hitting websites comes from known bad actors. This traffic can cause as much as 90% of security events, overwhelm security engineers and obscure the truly scary events that need further investigation. Imperva SecureSphere ThreatRadar proactively filters traffic from known bad actors so security teams can focus on what matters most. View this webinar and learn how to make your security engineering team more productive, improve security and website infrastructure efficiency, and reduce risk and improve overall security posture.
Security Information and Event Management (SIEM) (Hardik Soni)
Leo TechnoSoft SIEM products help every enterprise with all security threats. Security information and event management software provides real-time visibility.
Mitigating the Top 5 Cloud Security Threats (Bitglass)
By now you are likely familiar with Cloud Access Security Brokers (CASBs) and understand how they fit into your broader security and cloud strategy. What should organizations be looking for in a CASB? What capabilities are here or on the horizon that can provide improved data protection in the cloud?
Bitglass and (ISC)2 present the final episode of the CASB series, where we will examine where cloud security is headed, discussing agentless and agent-based solutions, the growing number of cloud apps in use and the importance of easy deployment. Learn why cross-app security will become increasingly valuable as organizations look to third-party solutions for deep visibility, behavior analytics, and more.
Security O365 Using AI-based Advanced Threat Protection (Bitglass)
Office 365 has garnered widespread adoption from enterprises due to its advantages such as ease of deployment, lower TCO, and high scalability. Additionally, it enables end-users to work and collaborate from anywhere and on any device. Although Office 365 enables IT to shift the burden for app and infrastructure to the cloud vendor, data security remains the responsibility of the enterprise. Given the limitations of native malware protection on Office 365, should the enterprise rely on Office 365 to protect their data from malware and ransomware?
Join Bitglass and Cylance for a discussion on malware protection solutions for Office 365. We will cover the limitations of native Office 365 malware protection as well as the benefits of AI and machine learning based approaches. We will wrap up the session by discussing how CASBs, with Advanced Threat Protection (ATP) capabilities, are uniquely positioned to protect cloud apps and end-points from malware attacks and proliferation.
Clustering CDS: algorithms, distances, stability and convergence rates (Gautier Marti)
Talk given at CMStatistics 2016 (http://cmstatistics.org/CMStatistics2016/).
The standard methodology for clustering financial time series is quite brittle to outliers / heavy-tails for many reasons: Single Linkage / MST suffers from the chaining phenomenon; Pearson correlation coefficient is relevant for Gaussian distributions which is usually not the case for financial returns (especially for credit derivatives). At Hellebore Capital Ltd, we strive to improve the methodology and to ground it. We think that stability is a paramount property to verify, which is closely linked to statistical convergence rates of the methodologies (combination of clustering algorithms and dependence estimators). This gives us a model selection criterion: The best clustering methodology is the methodology that can reach a given 'accuracy' with the minimum sample size.
Clustering Financial Time Series using their Correlations and their Distribut... (Gautier Marti)
We have designed a distance that takes into account both the correlation between the time series and also the distribution of the individual time series. A tutorial with Python code is available: https://www.datagrapple.com/Tech/GNPR-tutorial-How-to-cluster-random-walks.html
This talk was given at the Paris Machine Learning Meetup.
On the stability of clustering financial time series (Gautier Marti)
Talk at IEEE ICMLA 2015 Miami
In this presentation, we suggest some data perturbations that can help to validate or reject a clustering methodology besides yielding insights on the time series at hand. We show in this study that Pearson correlation is not that relevant for clustering these time series since it yields unstable clusters; prefer a more robust measure such as Spearman correlation based on rank statistics.
Data Security Solutions @ISACA LV Chapter Meeting 15.05.2013 SIEM based … (Andris Soroka)
World's #1 SIEM technology in GRC (Governance, Risk, Compliance). QRadar Risk Manager provides organizations with a pre-exploit solution that allows network security professionals to assess what risks exist during and after an attack, while also answering many "What if?" questions ahead of time, which can greatly improve operational efficiency and reduce network security risks.
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016 (IBM Security)
View ondemand webinar: https://securityintelligence.com/events/qradar-investment-2016/
Helping you stay ahead of cybercriminals means our work at IBM Security is never done. With data coming from every direction to collect, you need real time and historical analytics to discover anomalistic conditions that often provide the early warning signs of an attacker’s presence. Join us to hear about new features in IBM Security QRadar that can provide you with better visibility into what’s happening on your network and new integrations that will help you multiply your investment and help speed your remediation efforts.
This presentation shows customers how IBM Security products and services help clients transform their security program, orchestrate their defenses throughout the attack lifecycle, and protect their most critical information and risks.
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ... (Sirius)
SIEM technology has been around for years and continues to enjoy broad market adoption. Companies continue to rely on SIEM capabilities to handle proactive security monitoring, detection and response, and regulatory compliance. However, with today’s staggering volume of cyber-security threats and the number of security devices, network infrastructures and system logs, IT security staff can become quickly overwhelmed.
Gartner projects that by 2020:
-- 50% of new SIEM implementations will be delivered via SIEM as a service.
-- 60% of all advanced security analytics will be delivered from the cloud as part of SIEM-as-a-service offerings.
Security Intelligence: Finding and Stopping Attackers with Big Data Analytics (IBM Security)
Attackers are using increasingly sophisticated methods to access your most sensitive data, and at the same time cloud, mobile and other innovations expand the perimeter you need to protect. This keynote discusses how to build a more secure enterprise with real-time analytics and behavior-based activity monitoring.
Advanced Security Intelligence tools store, correlate and analyze millions of events and flows daily to identify critical incidents your security team needs to investigate. The volume, variety and velocity involved clearly defines Security as a “Big Data challenge.”
Learn how advanced predictive analytics and incident forensics help defend against advanced attacks and respond to and remediate incidents quickly and effectively.
How to Solve Your Top IT Security Reporting Challenges with AlienVault (AlienVault)
Watch this on-demand webcast to learn how to achieve security compliance with AlienVault Unified Security Management (USM): https://www.alienvault.com/resource-center/webcasts/how-to-solve-your-top-it-security-reporting-challenges-with-alienvault?utm_medium=Social&utm_source=SlideShare&utm_campaign=solve-it-compliance-usm-webinar
Learn how you can take your on-premises and cloud security to the next level with a free online demo at: https://www.alienvault.com/products/usm-anywhere/demo?utm_medium=Social&utm_source=SlideShare&utm_campaign=solve-it-compliance-usm-webinar
A New Remedy for the Cyber Storm Approaching (SPI Conference)
Security has become a hot topic for all of us to consider. We share your concerns and have brought in an industry leader from IBM to discuss it with you. Presented by Joe Daw (Cybersecurity Architect, IBM) at the 2016 SPI Conference.
IBM Security Strategy Intelligence, Integration and Expertise
by Marc van Zadelhoff, VP, WW Strategy and Product Management and Joe Ruthven IBM MEA Security Leader
IBM: Cognitive Security Transformation for the Energy Sector (FMA Summits)
We encourage the energy sector to think about their security imperatives across IT and OT in a more organized fashion, structured and centered around a core discipline of security analytics and services. This core is enabled by cognitive intelligence that continuously learns the many variables within the IT and Operations domains.
IBM i Security: Identifying the Events That Matter Most (Precisely)
Making Sense of Critical Security Data
Today’s world of complex regulatory requirements and evolving security threats requires finding simple ways to monitor all IBM i system and database activity, identify security threats and compliance issues in real time and produce clear reports.
The IBM i operating system produces a wealth of security-related information, but organizations still face hurdles in working with such large data volumes. Integrating IBM i security information into a SIEM (Security Information and Event Management) solution is becoming critical to enable early detection of and quick response to security incidents.
In this webinar, we will discuss:
- Key IBM i log files and static data sources that must be monitored
- Automating real-time analysis of log files to identify threats to system and data security
- Integrating IBM i security data into SIEM solutions for a clear view of security across multiple platforms
Mitigate attacks with IBM BigFix and QRadar.
1) Cyber security today.
2) BigFix and QRadar SIEM tighten endpoint security.
3) New! - BigFix plus QRadar close the risk management loop.
Don’t Drown in a Sea of Cyberthreats: Mitigate Attacks with IBM BigFix & QRadar (IBM Security)
view on demand: https://securityintelligence.com/events/dont-drown-in-a-sea-of-cyberthreats/
Security teams can be overwhelmed by a sea of vulnerabilities, without the contextual data to help them focus their efforts on the weaknesses that are most likely to be exploited. Cyberthreats need to be stopped before they cause significant financial and reputational damage to an organization. You need a security system that can detect an attack, prioritize risks and respond within minutes to shut down an attack or vulnerability that could compromise your endpoints and data.
Join this webinar and learn how IBM BigFix seamlessly integrates with IBM QRadar to provide accelerated risk prioritization and incident response to mitigate potential attacks giving you an integrated threat protection system to keep your corporate and customer data secure.
BigFix and QRadar tighten endpoint security and counter hacker threats, offering clients integrated threat protection, automated offense identification and continuous security configuration enforcement.
2. What is Security Intelligence?
Security Intelligence
Actionable information, derived from the analysis of all the security data sources available to an organization.
3. Why is Security Intelligence essential?
Escalating Threats
• Increasingly sophisticated attack methods
• Disappearing perimeters
• Accelerating security breaches
Increasing Complexity
• Constantly changing infrastructure
• Too many products from multiple vendors; costly to configure and manage
• Inadequate antivirus products
Resource Constraints
• Struggling security teams
• Too much data with limited manpower and skills to manage it all
Threat examples shown on the slide: Spear Phishing, Persistence, Backdoors, Designer Malware
5. The fastest, most integrated and most automated way possible to reach Security Intelligence:
IBM QRadar Security Intelligence Platform
INTELLIGENCE: Correlation, analysis and massive data reduction
AUTOMATION: Driving simplicity and accelerating time-to-value
INTEGRATION: Unified architecture delivered in a single console
6. A Security Intelligence platform that enables security optimization through advanced threat detection, meeting compliance and policy demands, and eliminating data silos
Portfolio Overview
QRadar Log Manager
• Turnkey log management for SMB and enterprises
• Upgradeable to enterprise SIEM
QRadar SIEM
• Integrated log, flow, threat, compliance management
• Asset profiling and flow analytics
• Offense management and workflow
Network Activity Collectors (QFlow)
• Network analytics, behavior and anomaly detection
• Layer 7 application monitoring
QRadar Risk Manager
• Predictive threat modeling & simulation
• Scalable configuration monitoring and audit
• Advanced threat and impact analysis
QRadar Vulnerability Manager
• Integrated network scanning & workflow
• Leverages SIEM, threat and risk data to prioritize vulnerabilities
QRadar Incident Forensics
• Reconstruct raw network packets to original format
• Determine root cause of security incidents and help prevent recurrences
QRadar Product Portfolio
7. Intelligence: Embedded intelligence to find true offenses
Extensive Data Sources:
• Servers and mainframes
• Network and virtual activity
• Application activity
• Data activity
• Configuration information
• Vulnerabilities and threats
• Users and identities
• Global threat intelligence
• Security devices
Embedded Intelligence (applied to the suspected incidents drawn from those sources):
• Automated data collection, asset discovery and profiling
• Automated, real-time, and integrated analytics
• Massive data reduction
• Activity baselining and anomaly detection
• Out-of-the-box rules and templates
Result: True Offenses, through Automated Offense Identification
8. Automatic: simplicity and faster time to value for the business
Discovers network components: proactive vulnerability scans, configuration comparisons, and policy compliance checks
Simple deployment: automated configuration of log data sources and asset databases
Updates automatically: stay current with the latest threats, vulnerabilities, and protocols
Out-of-the-box rules and reports: reduce incident investigations and meet compliance mandates
9. SIEM / LM Virtual Appliance
Model | Initial Capacity | Capacity Increase¹
SIEM All-in-1 Virtual Appliance 3190 | 100 EPS, 15K Flows | 100 EPS incremental increase to 500, then to 1,000, and then to 2500 or 5000 EPS; flow increase to 25K, 50K, 100K, 200K Flows
SIEM Console Virtual Appliance 3190 | Not applicable | Not applicable
SIEM Event Processor Virtual Appliance 1690 | 100 EPS | 100 EPS incremental increase to 500, then to 1,000, 2500, and then 2500 EPS incremental increase, up to 10,000 EPS
SIEM Flow Processor Virtual Appliance 1790 | 15K Flows | Increase to 25K, 50K, then 100K Flow incremental increase, up to 600K Flows
SIEM Event Collector Virtual Appliance 1590 | Not applicable | Not applicable
SIEM QFlow Collector Virtual Appliance 1290 | Not applicable | Not applicable
SIEM Data Node Virtual Appliance 1490⁴ | Not applicable | Not applicable
Log Manager All-in-1 Virtual Appliance 3190 | 100 EPS | 100 EPS incremental increase to 500, then to 1000, then to 2500 or 5000 EPS
Log Manager Console Virtual Appliance 3190 | Not applicable | Not applicable
Log Manager Event Processor Virtual Appliance 1690 | 100 EPS | 100 EPS incremental increase to 500, then to 1,000, 2500, and then 2500 EPS incremental increase, up to 10,000 EPS
Several years ago, we introduced the term “Security Intelligence” to describe the value organizations can gain from their security data. It’s a notion that’s similar to Business Intelligence, in that both initiatives can treat and analyze great volumes of data to great advantage for today’s businesses . . . Where Business intelligence reaps benefits that help focus a company’s marketing and sales efforts, Security Intelligence allows highly focused security awareness and protection.
They say imitation is the sincerest form of flattery, and our competition is flattering us, because the term Security Intelligence has really caught on!
We’re also seeing this term being used more and more by customers, vendors, pundits and industry experts - but what’s interesting is that when they use it, there’s some haziness that they introduce into it, in terms of exactly what they’re talking about.
To avoid confusion, we are explicitly stating our own definition. So here it is:
Security Intelligence is actionable information derived from the analysis of all security-related data available to an organization.
So . . . We’re talking about data . . . What data exactly is it that we’re talking about? It’s typically volumes and volumes of data, and there’s a lot to it -- logs, events, network flows, user identities and activities, asset profiles and locations, vulnerabilities, asset configurations and external threat data. Data, data and more data. The good news? As you’ll see, IBM’s Security Intelligence platform was built from the start with this focus on handling tremendous amounts of data. It is well architected and can be scaled in a simple, straightforward manner to meet the needs of customers regardless of their size or the volume of data that needs analyzing.
IBM’s Security Intelligence Platform provides analytics to answer fundamental questions that cover the full “before-during-and-after” timeline of risk and threat management.
You may still hear of customers who say they want a Security Operations Center or SOC. They may want tools to support a 24x7 center that has the absolute requirement to stay on top of the status of their operational environment and to understand and even anticipate attacks, breaches, penetrations, whatever . . . to allow the business to remediate any such problems and to do it efficiently. Well . . . think of IBM’s Security Intelligence QRadar offerings as a Security Operations Center on steroids . . . By the time I finish this presentation, you should have an appreciation for why I say that.
. . . But let’s start at the beginning . . . Let’s look at the challenges customers talk to us about, always with goals like protecting their operational environment and clearly understanding the status and the effectiveness of the IT security capabilities they have in place, at any given point in time.
It’s great to be selling IT security . . . Because the need for useful and insightful tools is more pronounced now than ever before. And as a security seller, you benefit from the facts that threats are escalating, IT environments are growing in complexity and our customers’ security teams are pressured to deal with everything they need to deal with, in order to try to keep their operational environments safe.
The escalating threats are reported on all the time . . . And these shocking stories become motivation for boards of directors to take security more and more seriously as a topic from year to year. We hear about these things daily . . . Attacks involving organized crime, espionage, hacktivists, social engineering . . . Just recently, there have been attacks on the international department store Target, attacks on governments, by governments . . . And this story is ever on the rise.
As far as complexity goes, we understand that the growing complexity (mobile, cloud, social and beyond) only adds to the need for better protection. There are more areas where data needs to be protected, there are new technologies that need to be protected from new types of attacks . . . And on top of all of this we know there are resource constraints when it comes to IT security . . . that there’s a gap between the level of need that businesses have today for well-trained security staff and the people who are available and able to fill those jobs.
The bottom line really comes in the form of a question . . . How many businesses today can say that they are immune to all of this? Let’s face it . . . Everyone’s being attacked and no one is immune to the pressures being described on this chart.
To protect against attacks, there are a good number of metrics that have been added to the systems, appliances and applications making up today’s computing environments. Metrics in the form of audit logs, alerts and events . . . And there’s a tremendous amount of information contained in all the flows that are bouncing around all the time.
So, think about the volume of log records and events that get generated daily, in any reasonably sized IT shop today. Imagine you are the person in that IT shop who’s responsible for analyzing the incoming data and you’re measured on how well you understand the security status of that IT shop, and on how quickly you react to real problems versus the “noise” that predominates in the high number of inputs coming in.
Do you really want that job? I mean, how do human beings deal with those kinds of volumes? We know, for example, that a top 5 energy company in the United States – a current QRadar customer of ours -- is generating more than 2 billion log records every day . . . Do you really want to be the manager or be in the department responsible for determining which of those bits of information flying by is really critical, which ones relate to one another and maybe form the basis for a major concern that your IT shop is under attack?
It’s this kind of understanding that companies are striving for . . .
That understanding is the security intelligence we talk about. But expecting a human being or a team of human beings to be able to do this manually is totally impractical. What’s needed is a tool that automates this analysis and can find not just the needles in the haystack, but can draw significant connections among the needles and evaluate them in terms of their danger to the business.
That’s where QRadar comes into the picture. The 3 key theme words for QRadar as a Security Intelligence platform are Intelligence, Integration and Automation.
Intelligence refers to QRadar being able to not only discern threats but to determine their impacts. QRadar takes in huge amounts of security data and identifies anomalies. It helps customers both after an exploit has occurred and beforehand . . . Proactively . . . to help them minimize the possibilities of exploits occurring and to help prevent serious damage from happening.
QRadar is truly integrated, based on all the components of the solution having a common architecture. It helps customers bring together analytics that previously were in separate silos (and therefore were not able to be correlated). The QRadar “single pane of glass” brings it all together for the various admin, auditor and analyst users of QRadar. And the integrated architecture means QRadar is highly scalable . . . offering customers the flexibility and adaptability that today’s security operations centers require.
Finally, automation refers to QRadar being a solution that has been architected to deal with large volumes of data . . . it’s easy to deploy, and it delivers immediate and obvious benefits when it’s initially deployed and over time, it can easily expand to meet future growth. And the automation that’s delivered with QRadar offers dramatic efficiencies in how quickly security administrators and analysts can accomplish their tasks.
For security threat management the key challenge is to reduce millions of logs down to actionable intelligence that identifies key threats.
Traditional first-generation SIEMs achieve this by leveraging correlation – so ‘five failed logins followed by a successful login’ as a simple example – and the correlation helps identify suspected security incidents. Event correlation is a very, very important tool, but it’s not enough.
There are two problems. First, consider a 100,000 to 1 reduction ratio of events to correlated incidents. On the surface, this sounds impressive, but for companies generating 2 billion events per day (and you don’t need to be a massive company to do that), it will leave that company’s security team with 20,000 incidents per day to investigate. Traditional SIEM correlation can’t get the data reduced enough and of course Log Managers can’t even get a 10,000 to 1 reduction ratio.
The second problem is that relying exclusively on event correlation assumes that the criminals who are intent on attacking your company won’t figure out ways to disable or bypass logging infrastructure – but let’s face it . . . that’s practically their entire focus and when they erase the logs, you’re in trouble . . . because you can’t correlate logs that aren’t there!
This limitation results in missed threats or a very poor understanding of the impact of a breach.
QRadar vastly expands the capabilities of traditional SIEMs by incorporating new analytics techniques and broader intelligence. Unlike any other SIEM in the market today, QRadar captures all activity on the network for assets, users and attackers before, during, and after an exploit . . . and it analyzes all suspected incidents in this context. QRadar uses analytical techniques such as activity baselining and anomaly detection. It notifies analysts about ‘offenses’ . . . Where an “offense” is a correlated set of incidents with all of the essential, associated network, asset, vulnerability and identity context. By adding business and historical context to suspected incidents and applying new analytic techniques, massive data reduction is realized and threats otherwise missed will be detected.
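The ‘five failed logins followed by a successful login’ rule, the merging of rule hits into context-enriched offenses, and the events-per-offense reduction ratio from the two passages above, as an added example that is not code from the presentation or from QRadar itself. The events, the asset table and the magnitude scoring are constructed for illustration; the window handling shows why a slow, spread-out series of failures does not fire the rule.

```python
from collections import defaultdict, deque

# Constructed sample authentication events (not real log data):
# (timestamp in seconds, source IP, target host, outcome).
def _burst(start, src, dst, n, step=10):
    return [(start + i * step, src, dst, "fail") for i in range(n)]

EVENTS = sorted(
    _burst(0, "10.0.0.5", "web01", 5) + [(50, "10.0.0.5", "web01", "success")]
    + [(60, "10.0.0.9", "web01", "fail"), (70, "10.0.0.9", "web01", "success")]  # a typo
    + _burst(100, "10.0.0.5", "db01", 5) + [(150, "10.0.0.5", "db01", "success")]
    + _burst(1000, "10.0.0.7", "db01", 5) + [(1400, "10.0.0.7", "db01", "success")]  # too slow
)

# Hypothetical asset context: criticality 1-10 and count of known open vulnerabilities.
ASSETS = {"web01": {"criticality": 3, "vulns": 0}, "db01": {"criticality": 9, "vulns": 2}}

def correlate(events, threshold=5, window=300):
    """First-generation SIEM rule: `threshold` failed logins followed by a success
    from the same source to the same host within `window` seconds -> one incident."""
    fails = defaultdict(deque)  # (src, dst) -> timestamps of recent failures
    incidents = []
    for ts, src, dst, outcome in events:
        q = fails[(src, dst)]
        while q and ts - q[0] > window:  # forget failures outside the window
            q.popleft()
        if outcome == "fail":
            q.append(ts)
        elif len(q) >= threshold:
            incidents.append({"src": src, "dst": dst, "failures": len(q), "at": ts})
            q.clear()
    return incidents

def build_offenses(incidents, assets):
    """Merge incidents per source and weight them with asset and vulnerability
    context: one offense per attacker instead of one alert per rule hit."""
    offenses = {}
    for inc in incidents:
        ctx = assets.get(inc["dst"], {"criticality": 1, "vulns": 0})
        off = offenses.setdefault(inc["src"], {"incidents": [], "targets": [], "magnitude": 0})
        off["incidents"].append(inc)
        off["targets"].append(inc["dst"])
        off["magnitude"] += ctx["criticality"] * (1 + ctx["vulns"])  # hypothetical scoring
    return offenses

def reduction_ratio(n_events, n_offenses):
    """Events per offense; 2 billion events at 100,000:1 still leaves 20,000 items."""
    return n_events / n_offenses if n_offenses else float("inf")

if __name__ == "__main__":
    offs = build_offenses(correlate(EVENTS), ASSETS)
    for src, off in offs.items():
        print(src, "->", off["targets"], "magnitude", off["magnitude"])
    print("events per offense:", reduction_ratio(len(EVENTS), len(offs)))
```

On the constructed input the two rule hits from 10.0.0.5 collapse into a single offense whose magnitude is dominated by the vulnerable, high-criticality db01, while the slow attempts from 10.0.0.7 fall outside the window and never fire.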
QRadar has an impressive list of over 400 data sources for log and audit data, and there are many examples of customers achieving results that are in line with what is portrayed on this slide . . . That is, volumes of data from many, many data sources reduced down to a reasonable number of true offense possibilities that can be focused on for investigation . . . the classic example being a Fortune 100 energy company in the U.S. that typically sees more than 2 billion log records generated each day, and with QRadar, they’re able instead to look at QRadar’s display of roughly 25 high priority offenses.
As anyone in security knows, any portfolio of security offerings is only as good as how current the research is that’s feeding into it. Consider that there are on average 7,000 vulnerabilities reported each year, which means there are many new ones every day. IBM differentiates its Security Intelligence capabilities by offering an X-Force Threat Intelligence feed that includes vulnerabilities, known bad URLs, histories of past attacks, etc.
QRadar employs a number of threat and security sources to provide external security context and geographical context. This is integrated into all views and capabilities within the product. Sources include but are not limited to:
*IBM's X-Force Intelligence Threat Feed (via subscription) based on the real-time monitoring of 13 billion security events per day, on average, for nearly 4,000 clients in more than 130 countries.
*Geographic inputs from Maxmind
*Top Targeted Ports, botnets, emerging threats, and other lists of botnets, hostile nets and so on.
These services are delivered to our customers through a free auto-update service. This update service also includes updates for event mappings, vulnerability mappings, application mappings, new Device Support Modules and other updates.
A lot of work has gone into making QRadar’s Security Intelligence tasks as automated as possible.
When you add it up, it’s an impressive list. There’s simplified deployment that helps deliver quick time to value for customers
. . . There’s “passive flow asset detection” populating QRadar’s asset database and allowing policy compliance checks and analysis of configurations to take place
. . . There are out-of-the-box rules and reports that are a key part of QRadar. These have the goal of reducing incident investigations and helping customers meet compliance mandates.
Customers appreciate the simplicity delivered by this well thought-through solution. Contrast this story we can tell with many of our competitors, where they are essentially selling toolkits and high-tech tools for high-tech people. The toolkit approach puts the onus on the customer to wring the value out of the provided tools by customizing them or paying significant sums of money to have them customized.
Finally, QRadar’s Security Intelligence Platform stays current, through daily and weekly automated updates to rules, reports, vulnerabilities, patches, searches, support modules, protocols and signatures . . . and via immediate discovery: when an asset connects to the network, that triggers proactive vulnerability scans, configuration comparisons and policy compliance checks.
Like the title of this slide says, this drives simplicity and accelerates time to value.
Made available with 7.2 MR1: Virtual Appliance’s maximum capacity increased (to be close to Appliance and Software)
The managed entitlement process can be used to convert AIO to Console and transfer EPS/Flows.
Handle software trade-up requests by selling the SIEM Virtual Appliance and offering a deeper discount.
Made available with 7.2.2: Data Node