This document discusses IBM's QRadar User Behavior Analytics product for detecting insider threats and risks. It provides an agenda for the presentation which includes discussing challenges around insider threats, IBM UBA capabilities using machine learning, and IBM's integrated approach to insider threat protection. It also includes a case study example of how IBM implemented its solution for a global pharma client to help address concerns around the impact of a major reorganization on employee morale.

1. IBM QRadar User Behavior Analytics
DETECTING INSIDER THREAT AND RISKS
May 2017

2. 2 IBM Security
Agenda
• Problem Context
• Typical Challenges
• IBM UBA capabilities with machine learning
analytics
• IBM’s integrated approach to insider threat
protection
• Case Study
• Next Steps
Johnny Shin
Executive Consultant - Identity
and Access Management
Architecture & Program Delivery
jkshin@us.ibm.com
Jas Johal
Sr. Offering Manager –
IAM Services
IBM Security
Johal@us.ibm.com
Milan Patel
Program Director Security
Offerings Management
IBM Security
milpatel@us.ibm.com

3. 3 IBM Security
Increasing attacks, shortage of skills and growing insider threats
continue to dominate
Growing Insider Risk
Too Many Tools Increasing Attack Activity
Too Few People
anticipated shortfall by 2020
45 vendors
annual increase
for InfoSec analysts
1M
100
more security incidents
from 2014-201564%
’s of incidents
and events daily
37%
insider data
breaches
43%
perpetrators take data
and go work for competitors
65%
85 security tools from

4. 4 IBM Security
SECURITY TRANSFORMATION SERVICES
Management consulting | Systems integration | Managed security
QRadar Vulnerability / Risk Manager Resilient Incident Response
X-Force Exchange
QRadar Incident Forensics
BigFix Network Protection XGS
QRadar SIEM I2 Enterprise Insight Analysis
App Exchange
SECURITY OPERATIONS
AND RESPONSE
MaaS360
INFORMATION RISK
AND PROTECTION
Trusteer Mobile
Trusteer Rapport
AppScan
Guardium
Cloud Security
Privileged Identity Manager
Identity Governance and Access
Cloud Identity Service
Key Manager
zSecure
Trusteer Pinpoint
QRadar User Behavior Analytics
Our integrated view provides visibility so you can stop insider threats

5. 5 IBM Security
Example - Extending UBA with flow data
• Detect flow based anomalies
• Accessing non-business resources
• Accessing unauthorized resources
• Potential spam/phishing attempts
• Detecting malware infection
• Accessing sensitive personal information
• Out of policy web usage
• Detect DNS anomalies
• DGA
• Fastflux
• Tunneling and exfiltration
• End-point infection analytics

6. 6 IBM Security
Example - Extending QVM/QRM with UBA data
• Prioritize Vulnerabilities based on user
risk
• Scanning Assets of users above risk
thresholds
• Degrees of separation to critical assets or
information for risk management
• Add, modify rules on IPS side to block at
user level if user is phished
• Augment asset risk based on user risk
• Monitor possible attack vectors for Risky
users

7. 7 IBM Security
Comprehensive data set and open analytics sense malicious users
Insider Risk
Score
SENSE
ANALYTICSTM
BEHAVIORAL
• Pattern identification
• User and entity profiling
• Statistical analysis
• Anomaly detection
CONTEXTUAL
• Business context
• Entity and user context
• External threat correlation
TIME-BASED
• Historical analytics
• Real-time analytics
• Threat hunting
• Threshold rules
Users
Cloud
Applications
Applications
Data
Servers
DLP
Endpoints
Network
Threat
Intelligence
3rd Party
SIEM feeds
Other
analytics

8. 8 IBM Security
Comprehensive data set and open analytics sense malicious users

9. 9 IBM Security
IBM QRadar UBA 2.0
• Machine Learning algorithms • Flow based use cases that leverage QNI

10. 10 IBM SecurityIBM INTERNAL & BUSINESS PARTNER USE ONLY
IBM QRadar UBA: Detecting anomalous deviations
 Monitor users on deviation from normal
behavior:
• 14 different event categories of QRadar
• temporal analysis
• time series analysis
 Predict range in which the users’ activities
should fall
 Example anomalous activities detected by
these algorithms are:
• Abnormal change in user activity (over time)
• Abnormal change in user’s authentication or
access activity
• Deviation from normal risk posture of the user

11. 11 IBM SecurityIBM INTERNAL & BUSINESS PARTNER USE ONLY
IBM QRadar UBA: Machine Learning algorithms
“Deviations
from normal
behavior”

12. 12 IBM Security
SOC analysts gain speed from user behavior analytics
…in the hunt to reduce risks and eliminate threats
Easily find
malicious behavior
Easily acquire,
deploy and use
Improve
analyst efficiency
 Detect threats across users and assets leveraging advanced
analytics with behavioral patterns
 Tap into broad set of internal data sources and threat intelligence
 Visibility into the risk posture within hours not days
 Download app and install quickly
 Identify risky users, behavior and offences in minutes not hours
 Reduce overhead on skills and time

13. 13 IBM Security
To get most of your UBA - 3 steps to stop harmful insider actions
STEP 2: Detect insider threats: Anticipate
the risk of malicious actions before they occur
and respond when breached
STEP 1: Reduce your exposure: Secure
your sensitive data and govern your user
identities

14. 14 IBM Security
Address security gaps insiders exploit with an integrated approach
1. Who has access to sensitive
data?
2. Who should have access?
3. Can you control privileged
user access to sensitive data?
4. How are your users accessing
the data?
1. What data is sensitive?
2. Where is sensitive data stored?
3. Is the right sensitive data being
exposed?
4. What risk is associated with
sensitive data?
1. What are end users and
administrators doing with data?
2. What do normal transaction
patterns look like between the
user and your sensitive data?
3. How much can you trust each
individual user?
4. When should a deviation from
“normal” be cause for further
investigation?

15. 15 IBM Security
 User Behavior
Analytics
 SIEM
 Access management
 Identity management
& governance
 Privileged users
management
 Data protection
 Risk detection & threat
analytics
 Data activity monitoring
Safeguard against harmful insider actions with trusted security expertise,
actionable intelligence and powerful technology
Security Services
 Identify gaps, improve compliance
and prioritize security actions
 Integrate your capabilities
 Security expertise to drive insights

16. 16 IBM Security
3 steps to stop harmful insider actions
STEP 2: Detect insider threats. Anticipate
the risk of malicious actions before they occur
and respond when breached
STEP 1: Reduce your exposure. Secure
your sensitive data and govern your user
identities
STEP 3: Get started today. Apply a systematic
approach and methodology to your 5-10 most
important crown jewel data.

17. 17 IBM Security
Getting started: An integrated approach that provides clear, actionable
intelligence
Prioritize compliance
and security actions with
risk-based insights from
end-to-end mapping of
your critical information’s
access pathways
Analyze user behaviors
to detect suspicious
activities for further
investigation
Insider threat protection
services from IBM
Trusted IBM security specialists can offer the business, data and IAM
security experience to help you evaluate intelligence, draw more
meaningful conclusions and prepare for next steps.

18. 18 IBM Security
IBM puts our insider threat solution into practice with a consistent and
repeatable four step operational model with emphasis on high risk assets
1 2 3 4Define Discover Investigate Remediate
Define Use Case
Identify critical data
(crown jewels)
Identify privileged users
Matching user list
Corporate Data Trigger
 Machine/ statistical analysis
 Resource usage analysis
 Policy violation analysis
 Top down comparative analysis
 Bottom up comparative analysis
Anomaly Activity Trigger
Potential Threat
APP/SYSTEM TRANSACITON LOG
APP/SYSTEM CHANGE LOG
APP/SYSTEM ACCESS LOG
APP/SYSTEM PROCESS EXCEPTION
LOG
ApplicationsEnterpriseSystems
HTTP SITE ACCESS/ DOWNLOAD LOG
EMAIL HISTORY/ ATTACHMENTS LOG
PC LAPTOP USB/ EXT. HARD DR./CD
COPY LOG
LYNC CHAT/ DOWNLOAD LOG
REMOTE ACCESS LOG
PRINTER/FAX LOG
PHYSICAL ACCESS LOG
EXT. STORAGE ACCESS LOG
EXT. EMAIL ACCESS LOG
SHARE DRIVE/ POINT ACCESS HISTORY
PC/ LAPTOP LOSS/ STOLEN REPORT
PC/ LAPTOP CRASH/ REPARE LOG
Decision
Committee
Application
Owner/Controller
User’s Manager
Escalation
Corporate/ Legal
Action
Close Loop/
Remediation
PICTURE PC/ LAPTOP SCREEN (CCTV)
Insider threat protection
services from IBM

19. 19 IBM Security
We implemented this solution for one of our global pharma clients to help
address concerns about the impact of major re-org on employee morale
Project Overview:
1. Identified 7 areas of Information Classification in scope for the
project
• Finance Management, Financial Transactions,
Procurement-Sourcing, HR, Tax, Planning, and Risk
Management
2. Out of the 7 areas of Information Classification, identified 11
Confidential “Red” information for use cases
• True Cost Data, Process Order, Serialization, Employee
SPI, Investigation and Disciplinary, Purchasing and
Contractual, Vendor SPI, Customer SPI, Undisclosed
Financial Data, Project System
3. Mapped ~ 20% of “Red” data to specific SAP tables,
transactions, and roles which expose the information
4. Collected 7 months of SAP transaction logs to analyze user
activities across the sensitive transactions identified
5. Identified anomaly activities for further investigation

20. 20 IBM Security
During the project, we analyzed sensitive transactions used for the first time
on the month leaving the company
Data Summary:
• 7 months of SAP
transaction logs obtained
• Termination report
obtained 1,984 users
• Over 1M lines of
transaction log entries
captured
• Of 1M entries, 56k
sensitive transactions
used
• Of 56k transactions,
885 sensitive
transactions were
used by users on the
terminated report
Outcome:
• 1st Analysis Finding: 8
users used 10 sensitive
transactions for the first
time in December 2014
before leaving company
1st Analysis Findings

21. 21 IBM Security
Our team also detected sudden and significant increases of users using
sensitive transaction on the month leaving the company… risky insiders!
Data Summary:
• 7 months of SAP
transaction logs obtained
• Termination report
obtained 1,984 users
• Over 1M lines of
transaction log entries
captured
• Of 1M entries, 56k
sensitive transactions
used
• Of 56k transactions,
885 sensitive
transactions were
used by users on the
terminated report
Outcome:
• 2nd Analysis Finding: 7
users show sudden
increase in sensitive
transaction usage right
before the termination
2nd Analysis Findings

22. 22 IBM Security
Our experts help deliver
Leading security innovation
by IBM Research, with over 3,000
security and risk patents
Strategic Advising
Product Agnostic
Recommendations
Cognitive-driven
Solutions
Derive insights from
Watson Analytics
Award winning IBM
Security Systems
can provide a full range of
integrated security services
and products
Worldwide Presence
Threat visibility from 10 Security
Operations Centers monitoring
13-plus billon events per day from
20,000-plus devices
Worldwide Subject
Matter Expertise
over 3,700 security
consultants
and 3,300 service
delivery experts
IAM Expertise

23. 23 IBM Security
Take action now
• Download the whitepaper, “An Integrated Approach to Insider Threat Protection”
• Read the blog on using Machine Learning to Detect Anomalies in Users’ Activities
Learn more
• Call your rep, or reach out to 1 (877) 257-5227
• Experiencing a breach? IBM Incident Response
24x7 Hotline: 1-888-241-9812
Contact IBM
Questions? Let us know.
Jas Johal
Sr. Offering Manager –
IAM Services
Johal@us.ibm.com
Johnny Shin
Sr. Executive Consultant-
IAM
jkshin@us.ibm.com
Milan Patel
Program Director Security
Offerings Management
milpatel@us.ibm.com

24. ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
FOLLOW US ON:
THANK YOU