Extend Your Market Reach with IBM Security QRadar for MSPs

© 2015 IBM Corporation
IBM Security
1© 2015 IBM Corporation
IBM SECURITY QRADAR FOR SERVICE
PROVIDERS Extending Market Reach Through Multi-
Tenancy & SaaS
Vijay Dheap
Global Product Manager
QRadar

IBM Security
2
Agenda
 Motivations
 QRadar Multi-Tenancy
 QRadar Master Console
 Security Intelligence on Cloud
 Partnering with IBM

3 © 2014 IBM Corporation
Motivations
Making Security Intelligence Accessible

IBM Security
4
It’s A Not So Friendly Cyber World…and Many are Ill-Equipped
Risks abound and cost continues to grow
Limitations in even grasping an
organization’s security posture
constraints the ability to adapt it…

IBM Security
5
Organizations of All Sizes Plan on Raising their Basic Security IQ
Growing Demand needs to be served by the the Best in Class solution – QRadar and Service
Providers provide not just the reach but also the expertise to onboard and support these
organizations on their security intelligence journey

IBM Security
6
Service Provider Requirements to Serve this Market Demand
 Offer range of security intelligence
capabilities from basic to advanced to meet
diverse spectrum of client needs
• Log Management
• SIEM
• Risk and vulnerability management
• Network, app, and service usage visibility
 Adaptive deployment options depending on
client size and scale
• Dedicated environments for large institutions
• Shared infrastructure for small/mid-size
organizations
 Deliver rapid time-to-value
• Quick deployment
• Built-in intelligence
• Out-of-the-box integrations
 Minimize operational infrastructure costs
and improve staff productivity
• Multi-tenancy
• Cloud delivery options
• Centralized dashboard

IBM Security
7
Helping Service Providers Broaden Reach of Security Intelligence
Service Providers can extend Tier 1 security
intelligence capabilities to small & mid-size
organizations leveraging multi-tenancy
Customer A Customer B Customer C
Customer D
Master Console
Service Providers can gain
centralized visibility to multiple,
diverse QRadar deployments – multi-
tenant, or dedicated
Customer E
Service Providers can either deploy QRadar
in the cloud or resell IBM Security
Intelligence on Cloud Offering to minimize
capital expenditures and offer an operating
expense model for security intelligence for
their customers
NewNew
NewNew
NewNew

QRadar Multi-Tenancy

IBM Security
9
MULTI-TENANT
enables secure, rapid
and cost effective
delivery of security
intelligence services
Multi-Tenant QRadar for Managed Security Service Providers
Scalable appliance
architecture
Shared modular
infrastructure
 New centralized views and incident management
 Mixed single- and multi-tenanted deployment options
 True horizontal, snap-on scalability capabilities
 Extensive APIs for enterprise integration
 System configuration template support
 Cloud ready with support for 400+ out-of-the-box devices
Significant new capabilities
to help Service Providers
bring security to customers
IBM Security QRadar is:
AUTOMATED
drives simplicity and
accelerates time-to-
value for service
providers
SCALABLE
scales from smallest to
largest customers with
centralized management
of single- and multi-
tenanted systems
INTELLIGENT AUTOMATED INTEGRATED

IBM Security
10
Introducing the Domain Concept
Domains are building blocks for multi-tenant QRadar
Allows for segregating overlapping IPs
Enables categorizing sources of security data (ex. events, flows) into different sets
Facilitates monitoring and analysis of one or more subsets to attain granular visibility
Domains can be defined at three levels:
Domain ADomain A Domain BDomain B
Collector-level
Collectors (events or flows) are
used to distinguish among domains
Source-level
Domain ADomain A
Source 1Source 1
Source 2Source 2
Domain BDomain B
Source 3Source 3
Properties-level
Log Source 4Log Source 4
Domain ADomain A
Property iProperty i
Domain BDomain B
Property iiProperty ii
Property iiiProperty iii
Sources (log or flow) possibly
aggregated by the same collector
can be specified as belonging to
different domains
Specific events within a log source
can be associated to various
domains
Increasing Priority

IBM Security
11
Automatic Detection & The Default Domain
When no dedicated event collectors are assigned, new log
sources are automatically detected and assigned to the default
domain allowing Service Provider admin or global admin to make
the domain assignment (if desired)
Prevents data leakage and enforces data separation across
domains
When dedicated event
collectors are assigned to a
unique domain, new log
sources are automatically
detected and assigned to that
domain
Collector-level Source-level
Domain ADomain A
Source 1Source 1
Source 2Source 2
Domain BDomain B
Source 3Source 3
Properties-level
Log Source 4Log Source 4
Domain ADomain A
Property iProperty i
Domain BDomain B
Property iiProperty ii
Property iiiProperty iii

IBM Security
12
Domain Data Available in QRadar

IBM Security
13
Domain Support in Rules
 Custom rules engine is now
domain-aware,
automatically isolating
correlations from different
domains
 New domain test allows for
cross domain correlations if
desired or necessary

IBM Security
14
Domain Support in Offenses
 Domain information carried all the way through offense

IBM Security
15
Domain Support Within Asset Model
 Each asset is assigned to a domain
 Assets can have overlapping IP addresses

IBM Security
16
Domain Support for Security Profiles
 Security Profile can be
restricted to one or
more domains
 Security Profile will
restrict access to
flows, events, assets,
and offenses based on
domain

IBM Security
17
Controlled Access to Domains
New User Security Profiles can be instantiated to control access to domain data:
Enables defining user access rights to one or more domains
Allows for delegation of responsibilities across domains
Facilitates defining domain specific visibility
Once domains are defined, the next step is to control user privileges to those domains
Process in the QRadar Admin Console:
1.Define Security Profiles for the Domains
2.Associate users from those domains to the appropriate security profiles

IBM Security
18
Vulnerability Management on a Domain Level
QRadar Vulnerability Manager allows asset
profiles to be denoted with domain
categorizations for exported scan results
Domain is defined per scanner for dynamic
scanning
Domain is a selectable criteria when filtering
results
Credentials controlled through the user’s
security profile relating to the domain specified
Saved searches for scan results will return
assets that also match domain visibility of the
user
Note a key value proposition of QRadar Vulnerability Manager is that scanners can be enabled
on the deployed QRadar infrastructure without incurring additional infrastructure overhead.

IBM Security
19
Summarizing QRadar Multi-Tenancy Capabilities for Service Providers
 Supports multiple customers within single QRadar
instance
 Guarantees separate correlation processing for each
client’s security data
 Restricts client visibility to only their security data –
logs, flows, offenses etc.
 Permits vulnerability scan data sharing across all
clients associated within common domain
 Facilitates simplified system administration of all
client domains

QRadar Master Console

IBM Security
21
Master Console: A Single View Across Multiple QRadar Deployments
Centralized health view and system
monitoring
Additional planned capabilities:
• Centralized offense view and management
• Content Management
o Log Source Management
o Rules
o Reports
o Saved Searches
o Dashboards
• User Accounts
• Federated Search
• Seat Management
Network A Network B Network C Network D Network E
Multi-tenant QRadar deployment
IBM Security Intelligence on Cloud

IBM Security
22
Facilitating Access to Underlying QRadar Deployments
Pass-through APIs
Customer A
Customer B
Analyst
Service Provider analyst can
employ Master Console Pass-
through APIs to programmatically
invoke QRadar APIs and build
custom applications
Click-through Log-in
Customer A
Customer B
Service Provider analyst can
log-in to specific QRadar
deployment (managed from the
Master Console) to get
additional details needed for an
investigative process

IBM Security
23
Deploying Master Console
 Master Console software package included in QRadar ISO at no additional cost –
updates provided via fix central
 Installs on Service Provider’s own hardware, VM or cloud instance using 8500
activation key - recommended specifications equivalent to QRadar 3105 hardware
appliance

© 2015 IBM Corporation25
IBM Security Systems
Service Highlights
• Security Intelligence as a Service
• X-Force Exchange integration
• Physically segregated client data
• Real time & historical correlation of
assets, events, and vulnerabilities
• Advanced threat detection
• Configurable SOC and management
dashboards
• Supports integrations of 450+
security & IT solutions
• Seamless integration with IBM
Global SOC for additional Security
Services
Secure
robust
channel
Software
Gateways
Professionally deployed and managed solution
enabling organizations and Service Providers
to focus on monitoring security intelligence
operations
Professionally deployed and managed solution
enabling organizations and Service Providers
to focus on monitoring security intelligence
operations
Security Intelligence

Partnering with IBM

IBM Security
27
Go-To-Market Options
Application Specific Licensing (ASL)
Appliances or software (including virtual appliances)
Support either perpetual license or monthly payments
• Zero upfront costs – pay only for EPS or Flows consumed
by customers every month or quarterly
• Earn discounts – as business pipeline scales earn
discounted pricing or specify commitments to get
discounted price up front
Removes restriction on how EPS and Flows are
allocated across two or more customers
Current, standard processes remain in place to establish
an ASL agreement
Resell
Appliances, software (including virtual appliances), or
SaaS (IBM Security Intelligence on Cloud)
Collaborate with IBM to design and develop your
marketing material
Realize built-in margin and complement with value
added services
Current, standard processes remain in place to establish
a Reseller agreement

IBM Security
28
IBM Value Proposition for Service Providers
 Best-in-Class Security Intelligence solution with flexibility to meet
your needs
• Full spectrum of Security Intelligence capabilities
• On-premise or Cloud delivery
• Dedicated environment or multi-tenant
• Horizontally scalable
 Choice of Go-to-Market options to suit various business models
• Minimize up-front costs
• Maximize margins
• Maintain customer relationships
 Rapid Time-to-Value
• Simplified deployment options
• Out-of-the-box security content and integrations
 Platform for adding high-value services in cost-effective and
streamlined fashion
• Tailored security building blocks
• Single Pane of Glass for security monitoring and management

IBM Security
29
Contact your Local IBM Representative
Middle East & Africa
Jean-Luc Labbe
jean-luc.labbe@it.ibm.com
North America
Chad Kinter
ckinter@us.ibm.com
Europe
Serge Richard
serge.richard@fr.ibm.com
Asia Pacific
John SK Chai
chaiskj@sg.ibm.com
Worldwide Sales
Bill Wallace
bwallac@us.ibm.com

IBM Security
30
www.ibm.com/security
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and
response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed,
misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product
should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper
use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily
involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT
THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY

Extend Your Market Reach with IBM Security QRadar for MSPs

More Related Content

What's hot

Similar to Extend Your Market Reach with IBM Security QRadar for MSPs

More from IBM Security

Recently uploaded

Extend Your Market Reach with IBM Security QRadar for MSPs

Editor's Notes