Mitigate attacks with IBM BigFix and Q-Radar

© 2015 IBM Corporation
Mitigate attacks with IBM BigFix and QRadar
Rich Caponigro
IBM BigFix Security Product Manager
cappy@us.ibm.com
Don’t drown in a sea of cyber-threats

2© 2015 IBM Corporation
Please Note:
!  IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without
notice at IBM’s sole discretion.
!  Information regarding potential future products is intended to outline our general product direction and it
should not be relied on in making a purchasing decision.
!  The information mentioned regarding potential future products is not a commitment, promise, or legal
obligation to deliver any material, code or functionality. Information about potential future products may
not be incorporated into any contract.
!  The development, release, and timing of any future features or functionality described for our products
remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled
environment. The actual throughput or performance that any user will experience will vary depending
upon many factors, including considerations such as the amount of multiprogramming in the user’s job
stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no
assurance can be given that an individual user will achieve results similar to those stated here.

Agenda
!  Cyber security today
!  BigFix and QRadar SIEM tighten endpoint security
!  New! - BigFix plus QRadar close the risk management loop
!  Q & A

Complexity Architecture Resources
!  Heavy, resource-intensive
agent(s)
!  Multiple point tools &
agents
!  Inability to maintain and
prove compliance with
complex and evolving
regulations
What Organizations face
!  Limited IT budget and
staff
!  Shortage of qualified
personnel
!  Unable to scale over
widely dispersed
locations
!  High costs and risks
associated with
sophisticated threats
!  Inability to remediate and
report on compliance
issues and vulnerabilities
across the environment

Vulnerabilities Will Be Exploited!
Source: Verizon Data Breach Investigation Report 2015
Hackers are capitalizing on first few week’s of CVE availability, knowing orgs
can’t patch effectively
Needed – quick identification, prioritization, and remediation!
Almost half of new CVE’s are
exploited in the first 4 weeks

IBM is uniquely positioned to offer integrated threat protection
A dynamic, integrated system to disrupt the lifecycle of advanced attacks and prevent loss
Open Integrations Global Threat Intelligence
Ready for IBM Security
Intelligence Ecosystem
•  Share security context
across multiple products
•  100+ vendors, 400+ products
IBM Security Network Protection XGS
Prevent remote network exploits
and limit the use of risky web applications
Smarter Prevention Security Intelligence
IBM Emergency Response Services
Assess impact and plan strategically
and leverage experts to analyze data
and contain threats
Continuous Response
IBM X-Force
Threat Intelligence
Leverage threat intelligence
from multiple expert sources
IBM Trusteer Apex Endpoint
Malware Protection
Prevent malware installation
and disrupt malware communications
IBM Security QRadar Security
Intelligence
Discover and prioritize vulnerabilities
Correlate enterprise-wide threats and detect
suspicious behavior
IBM Security QRadar
Incident Forensics
Retrace full attack activity, search for breach
indicators and guide defense hardening
IBM Guardium Data Activity Monitoring
Prevent power user abuse and misuse
of sensitive data
IBM BigFix
Automate and enforce continuous
compliance of security and regulatory
policies

QRadar SIEM
Embedded intelligence enabling automated offense identification
Suspected
IncidentsServers and mainframes
Data activity
Network and virtual activity
Application activity
Configuration information
Security devices
Users and identities
Vulnerabilities and threats
Global threat intelligence
Automated
Offense
Identification
•  Unlimited data collection,
storage and analysis
•  Built in data classification
•  Automatic asset, service and
user discovery and profiling
•  Real-time correlation
and threat intelligence
•  Activity baselining
and anomaly detection
•  Detects incidents
of the box
Embedded
Intelligence
Prioritized Incidents

IBM BigFix
Bridging the Gap between Security and IT Ops
ENDPOINT
SECURITY
Discovery
and Patching
Lifecycle
Management
Software Compliance
and Usage
Continuous
Monitoring
Threat
Protection
Incident
Response
ENDPOINT
MANAGEMENT
IBM BigFix®
FIND IT. FIX IT. SECURE IT.
…FAST
Shared visibility and control
between IT Operations
and Security
IT OPERATIONS SECURITY
Reduce operational costs while improving your security posture

Extensive Data Sources Deep Intelligence
Exceptionally Accurate and
Actionable Insight+
=

"  Near real-time patch feed from BigFix to QRadar Increases vulnerability database accuracy improving
offense and risk analytics to limit potential offenses
"  Establishes baseline for endpoint states and improves alerting on variations to detect threats
"  Represents AV/DLP alerts within consolidated enterprise security view helping correlate advanced
threat activities
"  Improves compliance reporting with deep endpoint state data
BigFix and QRadar tighten endpoint security
BigFix
endpoint

deep
intelligence

•  Physical
/
Virtual

•  On/oﬀ
network

•  Servers

•  Clients

•  POS,
ATM,
Kiosks

BigFix Fixlet status visualized in QRadar
10
Patches Critical Fix Configuration
Change
Record of who
made change

BigFix vulnerability data stored in QRadar asset database
11

Complementary capabilities by use case
QRadar target use case BigFix complementary capabilities
 Advanced threat
detection
  Full visibility of endpoint activity and state marrying anti-virus,
vulnerability information, and configuration data in real-time
  Quickly obtain answers to unique queries to understand security
incidents
  Rapid incident response, such as disabling DLLs being exploited
 Malicious activity
identification
  Guards against full range of malware and scans POP3 email and
Microsoft Outlook folders for threats
  Cross-reference threats real-time with a large, cloud-based database
 User activity
monitoring
  Enforces security baselines, passcode policies, security configurations,
anti-virus policies, patch management, and more
 Compliance reporting
and monitoring
  Provides company-wide reports instantly without polling systems to
assess the organization’s security compliance posture
  Continuous policy enforcement to help maintain compliance
 Fraud detection and
data loss prevention
  Automatically determines safety of dynamically-rated websites protecting
endpoints against web-based malware, data theft, lost productivity and
reputation damage
  Block or allow data being copied to or sent to a variety of delivery
channels

Coming soon – Closed-loop risk management
BigFix Compliance with QRadar Vulnerability Manager and Risk Manager deliver
real-time endpoint intelligence for closed-loop risk management
IBM QRadarIBM BigFix
Real-time endpoint
intelligence
Network anomaly
detection
Provides current
endpoint status
Correlates events
and generates alerts
Prompts IT staff
to fix vulnerabilities
•  Improves asset database accuracy
•  Strengthens risk assessments
•  Enhances compliance reporting
•  Accelerates risk prioritization
of threats and vulnerabilities
•  Increases reach of vulnerability
assessment to off-network endpoints
Integrated,
closed-loop
risk
management

IBM BigFix Compliance
Using BigFix Compliance, clients get value from:
"  Con$nuous
real-‐$me
enforcement
of
security
policies,
regardless
of
network
connec$on

status
signiﬁcantly
reduces
overall
security
risk

"  Supports
industry
and
regulatory
compliance
benchmarks
for
best
prac$ce
protec$on

"  Discovery
of
unmanaged
endpoints
and
Automa$c
patch
and
remedia$on
of
non-‐
compliant
systems
reduces
risk
and
labor
costs

"  Deploy,
update,
and
health
check
3rd-‐party
Endpoint
Protec$on
solu$ons

"  Policy
based
quaran$ne
of
non-‐compliant
systems

Lifecycle Inventory Patch Compliance Protection
BigFix Platform
More than 10,000 heterogeneous platform compliance checks
based on best practice regulatory benchmarks from CIS, PCI DSS, DISA STIG, USGCB

98% patch and update compliance rate on 4,000+ workstations
with 50% reduced labor costs
Infirmary Health System
Continuous security configuration compliance
Accurate, real-time visibility and continuous security configuration enforcement
Continuous compliance “set and forget”
•  No high-risk periods
•  Lower total cost
•  Continued improvement
•  Identify and report on any configuration drift
•  Library of 10,000+ compliance checks
(e.g., CIS, PCI, USGCB, DISA STIG)
Traditional compliance “out of synch”
•  High-risk and cost periods
•  Manual approach causes endpoints
to fall out of compliance again
Traditional versus Continuous
Time
Compliance
ContinuousTraditional
RISK
SCAP

QRadar Risk and Vulnerability Management
Discovery
and
Verification
Intelligent
Context
Driven
Prioritization
Automatic
Delegation
and
Assignments
•  Uncovers the weaknesses
•  Daily vulnerability and patch updates
•  Proven, certified scanning
•  Endpoints, assets, device configuration
•  Passive and active discovery
•  What assets are important ?
•  Where are the threats ?
•  Who is talking to who ?
•  What is blocked and patched already ?
•  What is out of compliance ?
•  Who needs to action
•  What needs to be done
•  Missing patches
•  Signatures
•  Configuration changes
Reporting
and
Alerting
•  What needs escalation
•  What is in and out of compliance
•  Dashboards and reports
•  APIs
Feedback
And
Compliance
Discovery and verification
Intelligent
Context driven
Prioritization
Delegate and assign
Updated
Posture

BigFix Compliance plus QRadar
Capability
BigFix
Compliance
QRadar
Vuln Mgr
QRadar
Risk Mgr
BigFix +
QRadar
Continuous
policy monitoring
ü
Endpoint
ü
Network
üü
Endpoint
quarantine /
remediation
ü ü
Vulnerability
discovery
ü
Real-time Windows
ü
Heterogeneous scan
üü
Real-time updates
Asset discovery ü ü üü
Risk analysis /
reporting
ü
CVSS
ü
Correlated threat
üü
Real-time updates
Closed loop
action
delegation /
assignment
üü
Vulnerabilities Will Be Exploited!
Quick identification, prioritization,
and remediation!
BigFix plus QRadar address the highest security risks first!
High priority risks sent to BigFix for action
•  Deeper, timely endpoint data
•  Faster remediation of critical risks

STEP ONE
Provide Continuous Insight
across all endpoints.
INCLUDING off-network
laptops
STEP FOUR
Expedite remediation of
ranked vulnerabilities,
configuration drift and
irregular behavior
STEP TWO
Enforce Policy Compliance
of Security, Regulatory &
Operational Mandates.
STEP THREE
Prioritize vulnerabilities and
remediation activities by
risk
•  QRadar correlates assets &
vulnerabilities with real-time
security data
•  It then sends the prioritized
list to BigFix administrators
•  Machine Name, OS, IP Address, Malware
incidents etc.
•  Provides details on physical and virtual servers,
PCs, Macs, POS devices, ATMs, kiosks, etc.
•  All known CVEs exposed on an endpoint
•  Quarantine endpoints until
they can be remediated
•  Patch or reconfigure endpoints
IBM BigFixIBM BigFix
IBM BigFix
•  BigFix sends vulnerability and patch data to
QRadar, automatically ensuring that QRadar's
asset database is updated with current data
Extending QRadar’s reach and simplifying incident response with BigFix
Legend
•  Avail Today
•  Coming Soon

BF Compliance endpoint view of QRadar prioritized vulnerabilities
Endpoint info QRadar Risk Score CVEs
Relevant fixlets
Subject to change

BigFix CVE Action Status
Subject to change
Action Status

Prioritized CVE view
Subject to change
Endpoints affectedCVE ID and risk score

BigFix / QRadar Integration Use Cases
1. BigFix fixlet and vulnerability status messages passed to QRadar
–  Customer value: Actions that occur and vulnerabilities that exists on endpoints can be passed to QRadar for
correlation with other security events. BigFix patch status is relayed to QRadar in a very timely fashion and is
stored in the asset database.
2. QRadar can generate a list of assets that do not have BigFix installed, showing
how many vulnerabilities could be remediated on each asset if BigFix were
installed
–  Customer value: Rapid identification of rogue or unmanaged assets and improved detection and reaction time.
Provides strong case for managing assets with BigFix.
3. QRadar (QVM) assigns high-risk vulnerabilities (i.e. those determined via QRM
policies) to BigFix for remediation or quarantine; also allows tracking should an
exploit occur
–  Customer value: Typical BigFix customers don’t have a way to figure out which patches should be assigned
high priority. With this integration, high-risk vulnerabilities could be easily assigned to operations personnel as
needed. BigFix administrators gain a way to know which patches should be considered for high priority “out of
band” patching, and can initiate remediation immediately. This reduces risk of initial exploit, exploit propagation,
and improves productivity.
Typical QRadar customers don’t have a way to isolate vulnerable or compromised devices to limit potential
exposures. With this integration, high-risk vulnerabilities could be easily isolated form the network allowing only
BigFix communications. QRadar administrators gain a way to immediately react to possible exposures and
have BigFix Administrators remediate the vulnerability. This reduces risk of initial exploit, exploit propagation,
and improves productivity
AvailableTodayComingSoon
*The
Informa$on
regarding
poten$al
future
products
is
intended
to
outline
our
general
product
direc$on
and
it
should
not
be
relied
on
in
making
a
purchasing
decision.
The
informa$on
men$oned
regarding

poten$al
future
products
is
not
a
commitment,
promise,
or
legal
obliga$on
to
deliver
any
material,
code
or
func$onality.
Informa$on
about
poten$al
future
products
may
not
be
incorporated
into
any
contract.
The

development,
release,
and
$ming
of
any
future
features
or
func$onality
described
for
our
products
remains
at
our
sole
discre$on.

Subject
to
IBM
NDA

Endpoint & Threat Focal Points
Sales Leaders:
•  Anthony Aurigemma, WW Director of E&M Sales aaurigem@us.ibm.com
•  Mark Phinick, WW Sales Leader mphinick@us.ibm.com
•  Josh Stegall, WW Channel Sales Leader jstegall@us.ibm.com
•  Jim Gottardi, NA Sales Leader Jim.Gottardi@us.ibm.com
•  Teng Sherng Lim (T.S.), AP Sales Leader limtsh@sg.ibm.com
•  John Seyerle, EU Sales Leader JSEY@ch.ibm.com
Technical Leaders & Product Management:
•  Jim Brennan, Dir, Product Mgt & Strategy jim.brennan@us.ibm.com
•  Murtuza Choilawala, Pgm Director, PM & Strategy murtuza@us.ibm.com
•  Rich Caponigro, BigFix Compliance PM cappy@us.ibm.com
•  Lee Wei, WW Technical Sales Leader leewei@us.ibm.com
•  Alex Donatelli, CTO for Endpoint Security alex.donatelli@it.ibm.com
–  George Mina, Product Marketing geemin11@us.ibm.com
–  Rohan Ramesh, Product Marketing rohanr@ca.ibm.com
–  Mark Taggart, WW Sales Empowerment mttaggar@us.ibm.com
Key Contacts

Website: www.bigfix.com
Twitter: @IBMBigFix

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any
kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor
shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use
of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or
capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product
or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or
both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on
others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM
systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other
systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU
www.ibm.com/security

Mitigate attacks with IBM BigFix and Q-Radar

More Related Content

What's hot

Viewers also liked

Similar to Mitigate attacks with IBM BigFix and Q-Radar

More from Francisco González Jiménez

Recently uploaded

Mitigate attacks with IBM BigFix and Q-Radar