IBM Security, profile picture
Uploaded byIBM Security
PPTX, PDF6,048 views

IBM QRadar UBA

This document discusses IBM's QRadar User Behavior Analytics product for detecting insider threats and risks. It provides an agenda for the presentation which includes discussing challenges around insider threats, IBM UBA capabilities using machine learning, and IBM's integrated approach to insider threat protection. It also includes a case study example of how IBM implemented its solution for a global pharma client to help address concerns around the impact of a major reorganization on employee morale.

Embed presentation

Downloaded 323 times
IBM QRadar User Behavior Analytics DETECTING INSIDER THREAT AND RISKS May 2017
2 IBM Security Agenda • Problem Context • Typical Challenges • IBM UBA capabilities with machine learning analytics • IBM’s integrated approach to insider threat protection • Case Study • Next Steps Johnny Shin Executive Consultant - Identity and Access Management Architecture & Program Delivery jkshin@us.ibm.com Jas Johal Sr. Offering Manager – IAM Services IBM Security Johal@us.ibm.com Milan Patel Program Director Security Offerings Management IBM Security milpatel@us.ibm.com
3 IBM Security Increasing attacks, shortage of skills and growing insider threats continue to dominate Growing Insider Risk Too Many Tools Increasing Attack Activity Too Few People anticipated shortfall by 2020 45 vendors annual increase for InfoSec analysts 1M 100 more security incidents from 2014-201564% ’s of incidents and events daily 37% insider data breaches 43% perpetrators take data and go work for competitors 65% 85 security tools from
4 IBM Security SECURITY TRANSFORMATION SERVICES Management consulting | Systems integration | Managed security QRadar Vulnerability / Risk Manager Resilient Incident Response X-Force Exchange QRadar Incident Forensics BigFix Network Protection XGS QRadar SIEM I2 Enterprise Insight Analysis App Exchange SECURITY OPERATIONS AND RESPONSE MaaS360 INFORMATION RISK AND PROTECTION Trusteer Mobile Trusteer Rapport AppScan Guardium Cloud Security Privileged Identity Manager Identity Governance and Access Cloud Identity Service Key Manager zSecure Trusteer Pinpoint QRadar User Behavior Analytics Our integrated view provides visibility so you can stop insider threats
5 IBM Security Example - Extending UBA with flow data • Detect flow based anomalies • Accessing non-business resources • Accessing unauthorized resources • Potential spam/phishing attempts • Detecting malware infection • Accessing sensitive personal information • Out of policy web usage • Detect DNS anomalies • DGA • Fastflux • Tunneling and exfiltration • End-point infection analytics
6 IBM Security Example - Extending QVM/QRM with UBA data • Prioritize Vulnerabilities based on user risk • Scanning Assets of users above risk thresholds • Degrees of separation to critical assets or information for risk management • Add, modify rules on IPS side to block at user level if user is phished • Augment asset risk based on user risk • Monitor possible attack vectors for Risky users
7 IBM Security Comprehensive data set and open analytics sense malicious users Insider Risk Score SENSE ANALYTICSTM BEHAVIORAL • Pattern identification • User and entity profiling • Statistical analysis • Anomaly detection CONTEXTUAL • Business context • Entity and user context • External threat correlation TIME-BASED • Historical analytics • Real-time analytics • Threat hunting • Threshold rules Users Cloud Applications Applications Data Servers DLP Endpoints Network Threat Intelligence 3rd Party SIEM feeds Other analytics
8 IBM Security Comprehensive data set and open analytics sense malicious users
9 IBM Security IBM QRadar UBA 2.0 • Machine Learning algorithms • Flow based use cases that leverage QNI
10 IBM SecurityIBM INTERNAL & BUSINESS PARTNER USE ONLY IBM QRadar UBA: Detecting anomalous deviations  Monitor users on deviation from normal behavior: • 14 different event categories of QRadar • temporal analysis • time series analysis  Predict range in which the users’ activities should fall  Example anomalous activities detected by these algorithms are: • Abnormal change in user activity (over time) • Abnormal change in user’s authentication or access activity • Deviation from normal risk posture of the user
11 IBM SecurityIBM INTERNAL & BUSINESS PARTNER USE ONLY IBM QRadar UBA: Machine Learning algorithms “Deviations from normal behavior”
12 IBM Security SOC analysts gain speed from user behavior analytics …in the hunt to reduce risks and eliminate threats Easily find malicious behavior Easily acquire, deploy and use Improve analyst efficiency  Detect threats across users and assets leveraging advanced analytics with behavioral patterns  Tap into broad set of internal data sources and threat intelligence  Visibility into the risk posture within hours not days  Download app and install quickly  Identify risky users, behavior and offences in minutes not hours  Reduce overhead on skills and time
13 IBM Security To get most of your UBA - 3 steps to stop harmful insider actions STEP 2: Detect insider threats: Anticipate the risk of malicious actions before they occur and respond when breached STEP 1: Reduce your exposure: Secure your sensitive data and govern your user identities
14 IBM Security Address security gaps insiders exploit with an integrated approach 1. Who has access to sensitive data? 2. Who should have access? 3. Can you control privileged user access to sensitive data? 4. How are your users accessing the data? 1. What data is sensitive? 2. Where is sensitive data stored? 3. Is the right sensitive data being exposed? 4. What risk is associated with sensitive data? 1. What are end users and administrators doing with data? 2. What do normal transaction patterns look like between the user and your sensitive data? 3. How much can you trust each individual user? 4. When should a deviation from “normal” be cause for further investigation?
15 IBM Security  User Behavior Analytics  SIEM  Access management  Identity management & governance  Privileged users management  Data protection  Risk detection & threat analytics  Data activity monitoring Safeguard against harmful insider actions with trusted security expertise, actionable intelligence and powerful technology Security Services  Identify gaps, improve compliance and prioritize security actions  Integrate your capabilities  Security expertise to drive insights
16 IBM Security 3 steps to stop harmful insider actions STEP 2: Detect insider threats. Anticipate the risk of malicious actions before they occur and respond when breached STEP 1: Reduce your exposure. Secure your sensitive data and govern your user identities STEP 3: Get started today. Apply a systematic approach and methodology to your 5-10 most important crown jewel data.
17 IBM Security Getting started: An integrated approach that provides clear, actionable intelligence Prioritize compliance and security actions with risk-based insights from end-to-end mapping of your critical information’s access pathways Analyze user behaviors to detect suspicious activities for further investigation Insider threat protection services from IBM Trusted IBM security specialists can offer the business, data and IAM security experience to help you evaluate intelligence, draw more meaningful conclusions and prepare for next steps.
18 IBM Security IBM puts our insider threat solution into practice with a consistent and repeatable four step operational model with emphasis on high risk assets 1 2 3 4Define Discover Investigate Remediate Define Use Case Identify critical data (crown jewels) Identify privileged users Matching user list Corporate Data Trigger  Machine/ statistical analysis  Resource usage analysis  Policy violation analysis  Top down comparative analysis  Bottom up comparative analysis Anomaly Activity Trigger Potential Threat APP/SYSTEM TRANSACITON LOG APP/SYSTEM CHANGE LOG APP/SYSTEM ACCESS LOG APP/SYSTEM PROCESS EXCEPTION LOG ApplicationsEnterpriseSystems HTTP SITE ACCESS/ DOWNLOAD LOG EMAIL HISTORY/ ATTACHMENTS LOG PC LAPTOP USB/ EXT. HARD DR./CD COPY LOG LYNC CHAT/ DOWNLOAD LOG REMOTE ACCESS LOG PRINTER/FAX LOG PHYSICAL ACCESS LOG EXT. STORAGE ACCESS LOG EXT. EMAIL ACCESS LOG SHARE DRIVE/ POINT ACCESS HISTORY PC/ LAPTOP LOSS/ STOLEN REPORT PC/ LAPTOP CRASH/ REPARE LOG Decision Committee Application Owner/Controller User’s Manager Escalation Corporate/ Legal Action Close Loop/ Remediation PICTURE PC/ LAPTOP SCREEN (CCTV) Insider threat protection services from IBM
19 IBM Security We implemented this solution for one of our global pharma clients to help address concerns about the impact of major re-org on employee morale Project Overview: 1. Identified 7 areas of Information Classification in scope for the project • Finance Management, Financial Transactions, Procurement-Sourcing, HR, Tax, Planning, and Risk Management 2. Out of the 7 areas of Information Classification, identified 11 Confidential “Red” information for use cases • True Cost Data, Process Order, Serialization, Employee SPI, Investigation and Disciplinary, Purchasing and Contractual, Vendor SPI, Customer SPI, Undisclosed Financial Data, Project System 3. Mapped ~ 20% of “Red” data to specific SAP tables, transactions, and roles which expose the information 4. Collected 7 months of SAP transaction logs to analyze user activities across the sensitive transactions identified 5. Identified anomaly activities for further investigation
20 IBM Security During the project, we analyzed sensitive transactions used for the first time on the month leaving the company Data Summary: • 7 months of SAP transaction logs obtained • Termination report obtained 1,984 users • Over 1M lines of transaction log entries captured • Of 1M entries, 56k sensitive transactions used • Of 56k transactions, 885 sensitive transactions were used by users on the terminated report Outcome: • 1st Analysis Finding: 8 users used 10 sensitive transactions for the first time in December 2014 before leaving company 1st Analysis Findings
21 IBM Security Our team also detected sudden and significant increases of users using sensitive transaction on the month leaving the company… risky insiders! Data Summary: • 7 months of SAP transaction logs obtained • Termination report obtained 1,984 users • Over 1M lines of transaction log entries captured • Of 1M entries, 56k sensitive transactions used • Of 56k transactions, 885 sensitive transactions were used by users on the terminated report Outcome: • 2nd Analysis Finding: 7 users show sudden increase in sensitive transaction usage right before the termination 2nd Analysis Findings
22 IBM Security Our experts help deliver Leading security innovation by IBM Research, with over 3,000 security and risk patents Strategic Advising Product Agnostic Recommendations Cognitive-driven Solutions Derive insights from Watson Analytics Award winning IBM Security Systems can provide a full range of integrated security services and products Worldwide Presence Threat visibility from 10 Security Operations Centers monitoring 13-plus billon events per day from 20,000-plus devices Worldwide Subject Matter Expertise over 3,700 security consultants and 3,300 service delivery experts IAM Expertise
23 IBM Security Take action now • Download the whitepaper, “An Integrated Approach to Insider Threat Protection” • Read the blog on using Machine Learning to Detect Anomalies in Users’ Activities Learn more • Call your rep, or reach out to 1 (877) 257-5227 • Experiencing a breach? IBM Incident Response 24x7 Hotline: 1-888-241-9812 Contact IBM Questions? Let us know. Jas Johal Sr. Offering Manager – IAM Services Johal@us.ibm.com Johnny Shin Sr. Executive Consultant- IAM jkshin@us.ibm.com Milan Patel Program Director Security Offerings Management milpatel@us.ibm.com
ibm.com/security securityintelligence.com xforce.ibmcloud.com @ibmsecurity youtube/user/ibmsecuritysolutions © Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party. FOLLOW US ON: THANK YOU

More Related Content

PPTX
User and entity behavior analytics: building an effective solution
byYolanta Beresna
 
PDF
IBM QRadar Security Intelligence Overview
byCamilo Fandiño Gómez
 
PDF
IBM Qradar
byCoenraad Smith
 
PDF
Qradar - Reports.pdf
byPencilData
 
PDF
Q radar architecture deep dive
byKamal Mouline
 
PPTX
IBM Security QRadar
byVirginia Fernandez
 
PDF
IBM Security Strategy Overview
byxband
 
PPTX
SIEM - Your Complete IT Security Arsenal
byManageEngine EventLog Analyzer
 
User and entity behavior analytics: building an effective solution
byYolanta Beresna
 
IBM QRadar Security Intelligence Overview
byCamilo Fandiño Gómez
 
IBM Qradar
byCoenraad Smith
 
Qradar - Reports.pdf
byPencilData
 
Q radar architecture deep dive
byKamal Mouline
 
IBM Security QRadar
byVirginia Fernandez
 
IBM Security Strategy Overview
byxband
 
SIEM - Your Complete IT Security Arsenal
byManageEngine EventLog Analyzer
 

What's hot

PDF
Enterprise Security Architecture
byPriyanka Aash
 
PPTX
Palo Alto Cortex XDR presentation .......
bySachin Paul
 
PPTX
Cloud security Presentation
byAjay p
 
PDF
IBM QRadar Security Intelligence Overview
byCamilo Fandiño Gómez
 
PPTX
Identity and Access Management (IAM)
byIdentacor
 
PDF
Cybersecurity roadmap : Global healthcare security architecture
byPriyanka Aash
 
PDF
Enterprise Security Architecture for Cyber Security
byThe Open Group SA
 
PPTX
Cloud security ppt
byVenkatesh Chary
 
PPTX
Siem ppt
bykmehul
 
PDF
security-reference-architecture.pdf
byJoniGarcia9
 
PPTX
Zero Trust and Data Security
byCareer Communications Group
 
PPTX
Enterprise Security Architecture Design
byPriyanka Aash
 
PDF
Cyber Threat Intelligence
bymohamed nasri
 
PPTX
Cloud Security Architecture.pptx
byMoshe Ferber
 
PPTX
cloud security ppt
byDevyani Vaidya
 
PPTX
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
PPT
Security patterns and model driven architecture
bybdemchak
 
PPTX
Cybersecurity Risk Management Program and Your Organization
byMcKonly & Asbury, LLP
 
PDF
ISO/IEC 27001:2022 Transition Arragements
byISONIKELtd
 
PPTX
5 Steps to a Zero Trust Network - From Theory to Practice
byAlgoSec
 
Enterprise Security Architecture
byPriyanka Aash
 
Palo Alto Cortex XDR presentation .......
bySachin Paul
 
Cloud security Presentation
byAjay p
 
IBM QRadar Security Intelligence Overview
byCamilo Fandiño Gómez
 
Identity and Access Management (IAM)
byIdentacor
 
Cybersecurity roadmap : Global healthcare security architecture
byPriyanka Aash
 
Enterprise Security Architecture for Cyber Security
byThe Open Group SA
 
Cloud security ppt
byVenkatesh Chary
 
Siem ppt
bykmehul
 
security-reference-architecture.pdf
byJoniGarcia9
 
Zero Trust and Data Security
byCareer Communications Group
 
Enterprise Security Architecture Design
byPriyanka Aash
 
Cyber Threat Intelligence
bymohamed nasri
 
Cloud Security Architecture.pptx
byMoshe Ferber
 
cloud security ppt
byDevyani Vaidya
 
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
Security patterns and model driven architecture
bybdemchak
 
Cybersecurity Risk Management Program and Your Organization
byMcKonly & Asbury, LLP
 
ISO/IEC 27001:2022 Transition Arragements
byISONIKELtd
 
5 Steps to a Zero Trust Network - From Theory to Practice
byAlgoSec
 

Viewers also liked

PDF
Enterprise Security featuring UBA
bySplunk
 
PPTX
Splunk for Enterprise Security featuring UBA Breakout Session
bySplunk
 
PPTX
SplunkLive! London 2017 - An End-To-End Approach: Detect via Behavious and Re...
bySplunk
 
PPTX
CYBERSPACE & CRIMINAL BEHAVIOR
byDharmik Navadiya
 
PPTX
Splunk for Enterprise Security featuring User Behavior Analytics
bySplunk
 
PPTX
Splunk for Enterprise Security featuring User Behavior Analytics
bySplunk
 
Enterprise Security featuring UBA
bySplunk
 
Splunk for Enterprise Security featuring UBA Breakout Session
bySplunk
 
SplunkLive! London 2017 - An End-To-End Approach: Detect via Behavious and Re...
bySplunk
 
CYBERSPACE & CRIMINAL BEHAVIOR
byDharmik Navadiya
 
Splunk for Enterprise Security featuring User Behavior Analytics
bySplunk
 
Splunk for Enterprise Security featuring User Behavior Analytics
bySplunk
 

Similar to IBM QRadar UBA

PPTX
Take your SOC Beyond SIEM
byThomas Springer
 
PDF
Orchestrate Your Security Defenses; Protect Against Insider Threats
byIBM Security
 
PPTX
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
byIBM Security
 
PDF
IBM Security 2017 Lunch and Learn Series
byJeff Miller
 
PPT
Avoiding data breach using security intelligence and big data to stay out of ...
byIBM Security
 
PPTX
QRadar Security Intelligence Overview.pptx
byDmitry718707
 
PPTX
Compete To Win: Don’t Just Be Compliant – Be Secure!
byIBM Security
 
PDF
Big Data - Amplifying Security Intelligence
byIBM Danmark
 
PPTX
Security Intelligence: Finding and Stopping Attackers with Big Data Analytics
byIBM Security
 
PPTX
3 Steps to Security Intelligence - How to Build a More Secure Enterprise
byIBM Security
 
PPT
Ibm q radar_blind_references
byMaarten Werff
 
PDF
IT Security Bedrohungen optimal abwehren_Tom Turner und Andreas Wespi
byIBM Switzerland
 
PPTX
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
byIBM Security
 
PPTX
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
byFrancisco González Jiménez
 
PDF
Leverage Big Data for Security Intelligence
byStefaan Van daele
 
PPTX
PCM Vision 2019 Breakout: IBM | Red Hat
byPCM
 
PPT
Five critical conditions to maximizing security intelligence investments
byIBM Security
 
PPTX
IBM Q-radar security intelligence roadmap
byDATA SECURITY SOLUTIONS
 
PPTX
IBM Security intelligence v1 - ahmed el nahas
byShwetank Jayaswal
 
PPTX
Security in the Cognitive Era: Why it matters more than ever
byEC-Council
 
Take your SOC Beyond SIEM
byThomas Springer
 
Orchestrate Your Security Defenses; Protect Against Insider Threats
byIBM Security
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
byIBM Security
 
IBM Security 2017 Lunch and Learn Series
byJeff Miller
 
Avoiding data breach using security intelligence and big data to stay out of ...
byIBM Security
 
QRadar Security Intelligence Overview.pptx
byDmitry718707
 
Compete To Win: Don’t Just Be Compliant – Be Secure!
byIBM Security
 
Big Data - Amplifying Security Intelligence
byIBM Danmark
 
Security Intelligence: Finding and Stopping Attackers with Big Data Analytics
byIBM Security
 
3 Steps to Security Intelligence - How to Build a More Secure Enterprise
byIBM Security
 
Ibm q radar_blind_references
byMaarten Werff
 
IT Security Bedrohungen optimal abwehren_Tom Turner und Andreas Wespi
byIBM Switzerland
 
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
byIBM Security
 
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
byFrancisco González Jiménez
 
Leverage Big Data for Security Intelligence
byStefaan Van daele
 
PCM Vision 2019 Breakout: IBM | Red Hat
byPCM
 
Five critical conditions to maximizing security intelligence investments
byIBM Security
 
IBM Q-radar security intelligence roadmap
byDATA SECURITY SOLUTIONS
 
IBM Security intelligence v1 - ahmed el nahas
byShwetank Jayaswal
 
Security in the Cognitive Era: Why it matters more than ever
byEC-Council
 

More from IBM Security

PPTX
Automation: Embracing the Future of SecOps
byIBM Security
 
PDF
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
byIBM Security
 
PDF
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
byIBM Security
 
PPTX
Integrated Response with v32 of IBM Resilient
byIBM Security
 
PDF
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
byIBM Security
 
PDF
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
byIBM Security
 
PDF
Accelerating SOC Transformation with IBM Resilient and Carbon Black
byIBM Security
 
PDF
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
byIBM Security
 
PPTX
Are You Ready to Move Your IAM to the Cloud?
byIBM Security
 
PPTX
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
byIBM Security
 
PPTX
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
byIBM Security
 
PPTX
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
byIBM Security
 
PPTX
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
byIBM Security
 
PDF
WannaCry Ransomware Attack: What to Do Now
byIBM Security
 
PPTX
How to Improve Threat Detection & Simplify Security Operations
byIBM Security
 
PDF
Mobile Vision 2020
byIBM Security
 
PDF
Retail Mobility, Productivity and Security
byIBM Security
 
PDF
Close the Loop on Incident Response
byIBM Security
 
PPTX
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
byIBM Security
 
PPTX
See How You Measure Up With MaaS360 Mobile Metrics
byIBM Security
 
Automation: Embracing the Future of SecOps
byIBM Security
 
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
byIBM Security
 
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
byIBM Security
 
Integrated Response with v32 of IBM Resilient
byIBM Security
 
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
byIBM Security
 
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
byIBM Security
 
Accelerating SOC Transformation with IBM Resilient and Carbon Black
byIBM Security
 
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
byIBM Security
 
Are You Ready to Move Your IAM to the Cloud?
byIBM Security
 
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
byIBM Security
 
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
byIBM Security
 
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
byIBM Security
 
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
byIBM Security
 
WannaCry Ransomware Attack: What to Do Now
byIBM Security
 
How to Improve Threat Detection & Simplify Security Operations
byIBM Security
 
Mobile Vision 2020
byIBM Security
 
Retail Mobility, Productivity and Security
byIBM Security
 
Close the Loop on Incident Response
byIBM Security
 
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Appli...
byIBM Security
 
See How You Measure Up With MaaS360 Mobile Metrics
byIBM Security
 

Recently uploaded

PPT
connectives-linking words in English.ppt
byAmrMohammed82
 
PPTX
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
PDF
A paper in the leading academic journal Telecommunication Policy cited Scott ...
byScott M. Graffius
 
PDF
Special Reeling Cable Specification _ Anhui Feichun Special Cable Co., Ltd_.pdf
byAnhui Feichun Special Cable Co., Ltd.
 
PDF
How Automation Powers Data Quality and Governance at Scale
bySafe Software
 
PDF
Top 5 Best Dedicated Server Providers in Los Angeles (Updated Edition)
byAtal Networks
 
PPTX
Webinar: EVerest for Production: Accelerating EV Charger Development w/ Indus...
byDanBrown980551
 
PDF
6 Insights from the Patron Saint of AI Failure
byScott M. Graffius
 
PDF
Hart, Inc. M&A Data Transition Checklist
byHart, Inc.
 
PDF
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
PDF
Presentation of Cybersecurity and data protection
bytarikaityahya2
 
PDF
Philippine Agricultural Engineering Standard_Hand Tractor .pdf
by6xfrnmdp4b
 
PDF
Effective Ai powered mock interview .pdf
byamazingnishusingh766
 
PDF
Pervasive Encryption - Keeping Data Secure.pdf
byPrecisely
 
PDF
Just Eat Data Scraping For Restaurant Reviews And Pricing.pdf
byfusiondata2026
 
PDF
Are AI Hallucinations Getting Better or Worse? We Analyzed the Data.
byScott M. Graffius
 
PDF
Adding Copilot+ PCs with Snapdragon to your HP fleet won’t require IT deploym...
byPrincipled Technologies
 
PPTX
About Computer Hardware ................
bymaratiakshaya07
 
PPTX
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
PDF
Chapter 2 Computer Threat .pdf
byGetnet Tigabie Askale -(GM)
 
connectives-linking words in English.ppt
byAmrMohammed82
 
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
A paper in the leading academic journal Telecommunication Policy cited Scott ...
byScott M. Graffius
 
Special Reeling Cable Specification _ Anhui Feichun Special Cable Co., Ltd_.pdf
byAnhui Feichun Special Cable Co., Ltd.
 
How Automation Powers Data Quality and Governance at Scale
bySafe Software
 
Top 5 Best Dedicated Server Providers in Los Angeles (Updated Edition)
byAtal Networks
 
Webinar: EVerest for Production: Accelerating EV Charger Development w/ Indus...
byDanBrown980551
 
6 Insights from the Patron Saint of AI Failure
byScott M. Graffius
 
Hart, Inc. M&A Data Transition Checklist
byHart, Inc.
 
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
Presentation of Cybersecurity and data protection
bytarikaityahya2
 
Philippine Agricultural Engineering Standard_Hand Tractor .pdf
by6xfrnmdp4b
 
Effective Ai powered mock interview .pdf
byamazingnishusingh766
 
Pervasive Encryption - Keeping Data Secure.pdf
byPrecisely
 
Just Eat Data Scraping For Restaurant Reviews And Pricing.pdf
byfusiondata2026
 
Are AI Hallucinations Getting Better or Worse? We Analyzed the Data.
byScott M. Graffius
 
Adding Copilot+ PCs with Snapdragon to your HP fleet won’t require IT deploym...
byPrincipled Technologies
 
About Computer Hardware ................
bymaratiakshaya07
 
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
Chapter 2 Computer Threat .pdf
byGetnet Tigabie Askale -(GM)
 

IBM QRadar UBA

  • 1.
    IBM QRadar UserBehavior Analytics DETECTING INSIDER THREAT AND RISKS May 2017
  • 2.
    2 IBM Security Agenda •Problem Context • Typical Challenges • IBM UBA capabilities with machine learning analytics • IBM’s integrated approach to insider threat protection • Case Study • Next Steps Johnny Shin Executive Consultant - Identity and Access Management Architecture & Program Delivery jkshin@us.ibm.com Jas Johal Sr. Offering Manager – IAM Services IBM Security Johal@us.ibm.com Milan Patel Program Director Security Offerings Management IBM Security milpatel@us.ibm.com
  • 3.
    3 IBM Security Increasingattacks, shortage of skills and growing insider threats continue to dominate Growing Insider Risk Too Many Tools Increasing Attack Activity Too Few People anticipated shortfall by 2020 45 vendors annual increase for InfoSec analysts 1M 100 more security incidents from 2014-201564% ’s of incidents and events daily 37% insider data breaches 43% perpetrators take data and go work for competitors 65% 85 security tools from
  • 4.
    4 IBM Security SECURITYTRANSFORMATION SERVICES Management consulting | Systems integration | Managed security QRadar Vulnerability / Risk Manager Resilient Incident Response X-Force Exchange QRadar Incident Forensics BigFix Network Protection XGS QRadar SIEM I2 Enterprise Insight Analysis App Exchange SECURITY OPERATIONS AND RESPONSE MaaS360 INFORMATION RISK AND PROTECTION Trusteer Mobile Trusteer Rapport AppScan Guardium Cloud Security Privileged Identity Manager Identity Governance and Access Cloud Identity Service Key Manager zSecure Trusteer Pinpoint QRadar User Behavior Analytics Our integrated view provides visibility so you can stop insider threats
  • 5.
    5 IBM Security Example- Extending UBA with flow data • Detect flow based anomalies • Accessing non-business resources • Accessing unauthorized resources • Potential spam/phishing attempts • Detecting malware infection • Accessing sensitive personal information • Out of policy web usage • Detect DNS anomalies • DGA • Fastflux • Tunneling and exfiltration • End-point infection analytics
  • 6.
    6 IBM Security Example- Extending QVM/QRM with UBA data • Prioritize Vulnerabilities based on user risk • Scanning Assets of users above risk thresholds • Degrees of separation to critical assets or information for risk management • Add, modify rules on IPS side to block at user level if user is phished • Augment asset risk based on user risk • Monitor possible attack vectors for Risky users
  • 7.
    7 IBM Security Comprehensivedata set and open analytics sense malicious users Insider Risk Score SENSE ANALYTICSTM BEHAVIORAL • Pattern identification • User and entity profiling • Statistical analysis • Anomaly detection CONTEXTUAL • Business context • Entity and user context • External threat correlation TIME-BASED • Historical analytics • Real-time analytics • Threat hunting • Threshold rules Users Cloud Applications Applications Data Servers DLP Endpoints Network Threat Intelligence 3rd Party SIEM feeds Other analytics
  • 8.
    8 IBM Security Comprehensivedata set and open analytics sense malicious users
  • 9.
    9 IBM Security IBMQRadar UBA 2.0 • Machine Learning algorithms • Flow based use cases that leverage QNI
  • 10.
    10 IBM SecurityIBMINTERNAL & BUSINESS PARTNER USE ONLY IBM QRadar UBA: Detecting anomalous deviations  Monitor users on deviation from normal behavior: • 14 different event categories of QRadar • temporal analysis • time series analysis  Predict range in which the users’ activities should fall  Example anomalous activities detected by these algorithms are: • Abnormal change in user activity (over time) • Abnormal change in user’s authentication or access activity • Deviation from normal risk posture of the user
  • 11.
    11 IBM SecurityIBMINTERNAL & BUSINESS PARTNER USE ONLY IBM QRadar UBA: Machine Learning algorithms “Deviations from normal behavior”
  • 12.
    12 IBM Security SOCanalysts gain speed from user behavior analytics …in the hunt to reduce risks and eliminate threats Easily find malicious behavior Easily acquire, deploy and use Improve analyst efficiency  Detect threats across users and assets leveraging advanced analytics with behavioral patterns  Tap into broad set of internal data sources and threat intelligence  Visibility into the risk posture within hours not days  Download app and install quickly  Identify risky users, behavior and offences in minutes not hours  Reduce overhead on skills and time
  • 13.
    13 IBM Security Toget most of your UBA - 3 steps to stop harmful insider actions STEP 2: Detect insider threats: Anticipate the risk of malicious actions before they occur and respond when breached STEP 1: Reduce your exposure: Secure your sensitive data and govern your user identities
  • 14.
    14 IBM Security Addresssecurity gaps insiders exploit with an integrated approach 1. Who has access to sensitive data? 2. Who should have access? 3. Can you control privileged user access to sensitive data? 4. How are your users accessing the data? 1. What data is sensitive? 2. Where is sensitive data stored? 3. Is the right sensitive data being exposed? 4. What risk is associated with sensitive data? 1. What are end users and administrators doing with data? 2. What do normal transaction patterns look like between the user and your sensitive data? 3. How much can you trust each individual user? 4. When should a deviation from “normal” be cause for further investigation?
  • 15.
    15 IBM Security User Behavior Analytics  SIEM  Access management  Identity management & governance  Privileged users management  Data protection  Risk detection & threat analytics  Data activity monitoring Safeguard against harmful insider actions with trusted security expertise, actionable intelligence and powerful technology Security Services  Identify gaps, improve compliance and prioritize security actions  Integrate your capabilities  Security expertise to drive insights
  • 16.
    16 IBM Security 3steps to stop harmful insider actions STEP 2: Detect insider threats. Anticipate the risk of malicious actions before they occur and respond when breached STEP 1: Reduce your exposure. Secure your sensitive data and govern your user identities STEP 3: Get started today. Apply a systematic approach and methodology to your 5-10 most important crown jewel data.
  • 17.
    17 IBM Security Gettingstarted: An integrated approach that provides clear, actionable intelligence Prioritize compliance and security actions with risk-based insights from end-to-end mapping of your critical information’s access pathways Analyze user behaviors to detect suspicious activities for further investigation Insider threat protection services from IBM Trusted IBM security specialists can offer the business, data and IAM security experience to help you evaluate intelligence, draw more meaningful conclusions and prepare for next steps.
  • 18.
    18 IBM Security IBMputs our insider threat solution into practice with a consistent and repeatable four step operational model with emphasis on high risk assets 1 2 3 4Define Discover Investigate Remediate Define Use Case Identify critical data (crown jewels) Identify privileged users Matching user list Corporate Data Trigger  Machine/ statistical analysis  Resource usage analysis  Policy violation analysis  Top down comparative analysis  Bottom up comparative analysis Anomaly Activity Trigger Potential Threat APP/SYSTEM TRANSACITON LOG APP/SYSTEM CHANGE LOG APP/SYSTEM ACCESS LOG APP/SYSTEM PROCESS EXCEPTION LOG ApplicationsEnterpriseSystems HTTP SITE ACCESS/ DOWNLOAD LOG EMAIL HISTORY/ ATTACHMENTS LOG PC LAPTOP USB/ EXT. HARD DR./CD COPY LOG LYNC CHAT/ DOWNLOAD LOG REMOTE ACCESS LOG PRINTER/FAX LOG PHYSICAL ACCESS LOG EXT. STORAGE ACCESS LOG EXT. EMAIL ACCESS LOG SHARE DRIVE/ POINT ACCESS HISTORY PC/ LAPTOP LOSS/ STOLEN REPORT PC/ LAPTOP CRASH/ REPARE LOG Decision Committee Application Owner/Controller User’s Manager Escalation Corporate/ Legal Action Close Loop/ Remediation PICTURE PC/ LAPTOP SCREEN (CCTV) Insider threat protection services from IBM
  • 19.
    19 IBM Security Weimplemented this solution for one of our global pharma clients to help address concerns about the impact of major re-org on employee morale Project Overview: 1. Identified 7 areas of Information Classification in scope for the project • Finance Management, Financial Transactions, Procurement-Sourcing, HR, Tax, Planning, and Risk Management 2. Out of the 7 areas of Information Classification, identified 11 Confidential “Red” information for use cases • True Cost Data, Process Order, Serialization, Employee SPI, Investigation and Disciplinary, Purchasing and Contractual, Vendor SPI, Customer SPI, Undisclosed Financial Data, Project System 3. Mapped ~ 20% of “Red” data to specific SAP tables, transactions, and roles which expose the information 4. Collected 7 months of SAP transaction logs to analyze user activities across the sensitive transactions identified 5. Identified anomaly activities for further investigation
  • 20.
    20 IBM Security Duringthe project, we analyzed sensitive transactions used for the first time on the month leaving the company Data Summary: • 7 months of SAP transaction logs obtained • Termination report obtained 1,984 users • Over 1M lines of transaction log entries captured • Of 1M entries, 56k sensitive transactions used • Of 56k transactions, 885 sensitive transactions were used by users on the terminated report Outcome: • 1st Analysis Finding: 8 users used 10 sensitive transactions for the first time in December 2014 before leaving company 1st Analysis Findings
  • 21.
    21 IBM Security Ourteam also detected sudden and significant increases of users using sensitive transaction on the month leaving the company… risky insiders! Data Summary: • 7 months of SAP transaction logs obtained • Termination report obtained 1,984 users • Over 1M lines of transaction log entries captured • Of 1M entries, 56k sensitive transactions used • Of 56k transactions, 885 sensitive transactions were used by users on the terminated report Outcome: • 2nd Analysis Finding: 7 users show sudden increase in sensitive transaction usage right before the termination 2nd Analysis Findings
  • 22.
    22 IBM Security Ourexperts help deliver Leading security innovation by IBM Research, with over 3,000 security and risk patents Strategic Advising Product Agnostic Recommendations Cognitive-driven Solutions Derive insights from Watson Analytics Award winning IBM Security Systems can provide a full range of integrated security services and products Worldwide Presence Threat visibility from 10 Security Operations Centers monitoring 13-plus billon events per day from 20,000-plus devices Worldwide Subject Matter Expertise over 3,700 security consultants and 3,300 service delivery experts IAM Expertise
  • 23.
    23 IBM Security Takeaction now • Download the whitepaper, “An Integrated Approach to Insider Threat Protection” • Read the blog on using Machine Learning to Detect Anomalies in Users’ Activities Learn more • Call your rep, or reach out to 1 (877) 257-5227 • Experiencing a breach? IBM Incident Response 24x7 Hotline: 1-888-241-9812 Contact IBM Questions? Let us know. Jas Johal Sr. Offering Manager – IAM Services Johal@us.ibm.com Johnny Shin Sr. Executive Consultant- IAM jkshin@us.ibm.com Milan Patel Program Director Security Offerings Management milpatel@us.ibm.com
  • 24.
    ibm.com/security securityintelligence.com xforce.ibmcloud.com @ibmsecurity youtube/user/ibmsecuritysolutions © Copyright IBMCorporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party. FOLLOW US ON: THANK YOU