1) Security intelligence refers to the collection, normalization, and analysis of data from users, applications, and infrastructure across an enterprise to gain comprehensive insight into security risks and threats. 2) IBM Security Intelligence solutions provide security capabilities across the full timeline from protection to detection to remediation. 3) The IBM QRadar security intelligence platform collects both structured and unstructured data from multiple sources and performs automated analytics to identify and prioritize security and operational incidents.

1. IBM Security
IBM Security Intelligence
© 2013 IBM Corporation© 2014 IBM Corporation
Speaker: Alfonso Ponticelli
Security QRadar Technical Sales, Italy

2. IBM Security Systems
What is Security Intelligence?
Security Intelligence
--noun
1. the real-time collection, normalization and
analytics of the data generated by users,
applications and infrastructure that impacts the
IT security and risk posture of an enterprise
Security Intelligence
© 2014 IBM Corporation2
IT security and risk posture of an enterprise
Security Intelligence provides actionable and comprehensive
insight for managing risks and threats from protection and
detection through remediation

3. IBM Security Systems
Solutions for the full Security Intelligence timeline
IBM Security Intelligence
© 2014 IBM Corporation3

4. IBM Security Systems
Built upon common foundation of QRadar SIOS
Reporting
Engine
Workflow Rules Engine
Real-Time
Viewer
Security
Intelligence
Solutions
IBM QRadar SIEM Platform
QRadar SIEM
QRadar
Risk
Manager
QRadar
QFlow and
VFlow
QRadar
Vulnerability
Manager
© 2014 IBM Corporation4
Analytics Engine
Warehouse Archival
Security
Intelligence
Operating
System
(SIOS)
Normalization

5. IBM Security Systems
Servers and mainframes
Network and virtual activity
Data activity
Security devices
Structured & Unstructured Data …Suspected Incidents
• Automated data collection,
asset discovery and profiling
• Automated, real-time,
and integrated analytics
Embedded Intelligence
Highly
Prioritized
Security and
Operational
Incidents
Highly
Prioritized
Security and
Operational
Incidents
Automated
Dynamic Threat Environment Requires Security Intelligence
IBM QRadar SIEM Platform
© 2014 IBM Corporation5
Application activity
Configuration information
Vulnerabilities and threats
Users and identities
Global threat intelligence
• Massive data reduction
• Activity baselining
and anomaly detection
• Out-of-the box rules
and templates
Automated
Offense
Identification
Visibility across organizational security systems to improve response times and
incorporate adaptability/flexibility required for early detection of threats or risky
behaviors

6. IBM Security Systems
And continually adding context for increased accuracy
Security Intelligence Feeds
Internet ThreatsGeo Location Vulnerabilities
IBM QRadar SIEM Platform
© 2014 IBM Corporation6

7. IBM Security Systems
Using fully integrated architecture and interface
IBM QRadar Platform
© 2014 IBM Corporation7

8. IBM Security Systems
Continued journey towards Total Security Intelligence
IBM QRadar Security Intelligence
© 2014 IBM Corporation8

9. IBM Security Systems
Network traffic doesn’t lie. Attackers can stop logging and
erase their tracks, but can’t cut off the network (flow data)
• Deep packet inspection for Layer 7 flow data
• Pivoting, drill-down and data mining on flow sources for
advanced detection and forensics
Helps detect anomalies that might otherwise get missed
Enables visibility into attacker communications
Differentiated by network flow analytics
IBM QRadar Platform
© 2014 IBM Corporation9
Enables visibility into attacker communications

10. IBM Security Systems
QRadar Risk Manager: Visualize network, configurations and risks
Depicts network topology
views and helps visualize
current and alternative
network traffic patterns
Identifies active attack
paths and assets at risk of
exploit
IBM QRadar Risk Manager
© 2014 IBM Corporation10
Collects network device
configuration data to
assess vulnerabilities and
facilitate analysis and
reportingDiscovers firewall configuration errors and improves
performance by eliminating ineffective rules
Analyzes policy compliance for network traffic,
topology and vulnerability exposures

11. IBM Security Systems
Investigating offense attack path
Clicking ‘attack path’ button for an offense performs search showing precise
path (and all permutations) between involved source and destination IPs
Firewall rules enabling the attack path can then be quickly analyzed to
understand the exposure
IBM QRadar Risk Manager
© 2014 IBM Corporation11
understand the exposure
Allows “virtual patch” to be applied by quickly showing which firewall rules may
be changed to immediately shut down attack path—before patching or other
configuration changes can typically be implemented

12. IBM Security Systems
Strengthened by integrated vulnerability insights
IBM QRadar Vulnerability Manager
© 2014 IBM Corporation12

13. IBM Security Systems
QVM enables customers to interpret ‘sea’ of vulnerabilities
IBM QRadar Vulnerability Manager
© 2014 IBM Corporation13

14. IBM Security Systems
QRadar Security Intelligence easily grows with your needs
Add QRadar Risk Manager
• Enables pre-exploit configuration investigations
• Simplifies security policy reviews for compliance tests
Implement QRadar Vulnerability Manager
• Extends pre-exploit analysis - adds integrated,
vulnerability insights
• Reduces magnitude of pre-exploit conditions as QRadar
SIEM does for post-exploit conditions
• Helps identify and measure exposures to external threats
IBM QRadar Security Intelligence
© 2014 IBM Corporation14
Inject IBM X-Force Threat Research Intelligence
- Provides intelligence feed to QRadar
- Includes vulnerabilities, IP reputations, malware reports
• Simplifies security policy reviews for compliance tests
• Provides network topology depictions and permits
attack simulations
QRadar SIEM
• Additional security telemetry data
• Rules-based correlation analysis engine
• Data overload reduction ‘magic’ compressing millions or
even billions of daily raw events to manageable list of issues

15. IBM Security Systems
QRadar Incident Forensics Module Overview
Seamlessly integrated
with Security
Intelligence incident
detection and workflow
processes
Full packet capture for
complete insight and
incident forensics
IBM QRadar Incident Forensics
© 2014 IBM Corporation15
Deep packet
inspection, analytics
and searching enabling
powerful and intuitive
forensics
Providing unified view
of all flow, user, event,
and forensic
information

16. IBM Security Systems
Offering Overview
Family Product Appliance Virtual
Appliance
Software
SIEM All-in-One 2100 Light3 / 2100 / 3105
/ 3124
3190 21XX Light3 /
21XX / 31XX
Console 3105 / 3124 3190 31XX
Event Processor 1605 / 1624 1690 16XX
Flow Processor 1705 / 1724 1790 17XX
Como Event/Flow Processor 1805 18XX
Event Collector5 1501 1590 15XX2
QFlow Collector 1201 / 1202 / 1301 / 1310 VFlow / 1290 12XX
© 2014 IBM Corporation16
QFlow Collector 1201 / 1202 / 1301 / 1310 VFlow / 1290 12XX
Log Manager All-in-1 2100 / 3105 / 3124 3190 21XX / 31XX1
Console 3105 / 3124 3190 31XX1
Event Processor 1605 / 1624 1690 16XX1
QNAD QNAD QNAD
Risk Manager QRM QRM / QRM Light4 QRM VM3 / QRM
Light VM4
QRM SW3 / QRM
Light SW4
Vulnerability
Manager
QVM QVM3 QVM VM3 QVM SW3