CONQUER THE UNKNOWN
SENSE IT AND ACT
Chris Meenan
December 27, 2023
Director QRadar Offering Management and Strategy
IBM #QRADAR
Slide 2. IBM Security
Today’s security challenges: compliance, human error, skills gap, advanced attacks, innovation, time.
Slide 3
Conquer the unknowns
• Manage Risks and Vulnerabilities
• Insider Threats
• Incident Response
• Secure the Cloud
• Critical Data Protection
• Advanced and Persistent Threats
• Compliance
Slide 5
IBM QRadar – An integrated ‘Above SIEM’ solution for the SOC
ABOVE THE SIEM (New Security Operations Tools): Incident Response Orchestration, Cognitive Security, Threat Intelligence, Hunting, User and Entity Behavior
SIEM LAYER: IBM QRadar Security Intelligence
BELOW THE SIEM: Event Correlation and Log Management
Slide 7
Advanced Threat Detection: How can organizations address these concerns?
• Identify threats in real time and escalate to identify the most critical ones to focus on
• Detect long and slow attacks
• Avoid alert fatigue and minimize the chance of missing alerts in the noise of event data
• Identify threat actors, malware, campaigns and the attack vectors exploited in the face of skills and knowledge gaps and ever growing threat variety
Slide 8
Advanced and persistent threats
SINGLE, REAL-TIME ATTACK VIEW: Intelligently gathers all attack-related activities into a single pane of glass and updates in real time as the attack unfolds, minimizing noise.
BUSINESS DRIVEN PRIORITIZATION: Automatically adjusts severity based on business impact and on the evidence gathered as the attack progresses.
COGNITIVE ANALYSIS: Accelerates alert triage and threat discovery with cognitive incident analysis.
COMPREHENSIVE INVESTIGATION: Enables full forensics analysis of log, network PCAP, and endpoint data from a single screen.
[Diagram: Asset Database, Vulnerability Data, Network Behaviour Analytics, Threat Intelligence and Cognitive Analysis each add evidence to one escalating incident: event triggered against a high-profile asset; asset is vulnerable to this specific attack; network analytics detects abnormal behaviour; outbound connection to a known ‘bad’ site; Watson reveals wider campaign, malware and other IOCs; INCIDENT ALERT]
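The escalation chain the slide sketches, as an added example that is not IBM's or QRadar's code: raw events from one source collapse into a single offense, and each corroborating source (asset database, vulnerability data, network behaviour analytics, threat intelligence, cognitive analysis) raises the offense magnitude until it crosses the alert band. The weights, thresholds, IP addresses and event stream are constructed; QRadar's real magnitude formula is not given on the page.

```python
"""Single attack view with evidence-driven severity (constructed illustration).

Models the slide's enrichment chain as evidence items attached to one offense.
Weights, bands and sample events are invented; they are not QRadar internals.
"""
from dataclasses import dataclass, field

# Constructed weights: how much each kind of corroborating evidence adds.
EVIDENCE_WEIGHTS = {
    "high_profile_asset": 2,     # asset database: business-critical target
    "asset_vulnerable": 3,       # vulnerability data: exposed to this specific attack
    "network_anomaly": 2,        # network behaviour analytics: abnormal traffic
    "known_bad_destination": 2,  # threat intelligence: outbound to a known bad site
    "campaign_link": 1,          # cognitive analysis: tied to a wider campaign/malware
}
MAX_MAGNITUDE = 10


@dataclass
class Offense:
    """All activity tied to one source collapses into one offense (single pane)."""
    source_ip: str
    events: list = field(default_factory=list)
    evidence: list = field(default_factory=list)

    def add_event(self, event):
        self.events.append(event)
        for kind in event.get("evidence", []):
            if kind not in EVIDENCE_WEIGHTS:
                raise ValueError(f"unknown evidence kind: {kind}")
            if kind not in self.evidence:   # each kind of evidence counts once
                self.evidence.append(kind)

    def magnitude(self):
        score = 1 + sum(EVIDENCE_WEIGHTS[k] for k in self.evidence)
        return min(score, MAX_MAGNITUDE)


def priority(magnitude):
    """Constructed triage bands over the 1..10 magnitude scale."""
    if magnitude >= 8:
        return "critical"
    if magnitude >= 5:
        return "high"
    if magnitude >= 3:
        return "medium"
    return "low"


def correlate(events):
    """Group raw events by source IP so one attack is one offense, recording the
    magnitude after each event to show the escalation as evidence arrives."""
    offenses = {}
    history = []
    for ev in events:
        off = offenses.setdefault(ev["src"], Offense(ev["src"]))
        off.add_event(ev)
        mag = off.magnitude()
        history.append((ev["src"], ev["category"], mag, priority(mag)))
    return offenses, history


# Constructed event stream: 10.0.5.23 is the attack on the slide, 10.0.9.80 is noise.
SAMPLE_EVENTS = [
    {"src": "10.0.5.23", "category": "Exploit attempt", "asset": "erp-db01", "evidence": ["high_profile_asset"]},
    {"src": "10.0.9.80", "category": "Port scan", "asset": "printer-12", "evidence": []},
    {"src": "10.0.5.23", "category": "Exploit attempt", "asset": "erp-db01", "evidence": ["asset_vulnerable"]},
    {"src": "10.0.5.23", "category": "Flow anomaly", "asset": "erp-db01", "evidence": ["network_anomaly"]},
    {"src": "10.0.9.80", "category": "Flow anomaly", "asset": "printer-12", "evidence": ["network_anomaly"]},
    {"src": "10.0.5.23", "category": "Outbound connection", "asset": "erp-db01", "evidence": ["known_bad_destination"]},
    {"src": "10.0.5.23", "category": "Cognitive insight", "asset": "erp-db01", "evidence": ["campaign_link"]},
]

if __name__ == "__main__":
    offenses, history = correlate(SAMPLE_EVENTS)
    for src, cat, mag, pri in history:
        print(f"{src:<10} {cat:<20} magnitude={mag:>2} {pri}")
    print({src: (len(o.events), o.magnitude()) for src, o in offenses.items()})
```

The same raw anomaly on the printer stays at medium because nothing corroborates it, while the attack on the high-profile, vulnerable asset reaches the alert band after the third event.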
Slide 9
Insider Threats: How can organizations address these concerns?
• Have credentials been stolen via phishing or malware account takeover?
• Are credentials being misused?
• Are there double earners and career jumpers stealing customer data and/or intellectual property?
• Are users performing activities that are putting themselves and the organization at increased risk?
Slide 10
Identify insider threats
IDENTIFY AT RISK USERS: Account takeover, disgruntled employees, malware actions.
STREAMLINED INCIDENT INVESTIGATIONS: Immediate insights into risky user behaviors, action and activity history.
360° ANALYSIS: Performs analysis of activities at the endpoint, insights from network data, and cloud activities.
FAST TIME TO VALUE: Deploys in minutes from the IBM App Exchange and leverages existing QRadar data sets immediately.
[Diagram: Behavioural and peer group analytics, Network Threat Analytics, Machine Learning, Cloud Analytics and Cognitive Analysis feed a rising user risk level: unusual resource access; sensitive customer data copied; unusual amounts of data copied to file sharing/social media; abnormal Salesforce account access; Watson reveals account compromised by spyware]
Slide 11
Cloud Security: How can organizations address these concerns?
• What cloud services are being used and who is using them?
• Identify malicious and suspicious activities in cloud services
• Insider threats and stolen credentials being used to access cloud services
• Copying of sensitive and customer data to unapproved cloud services
Slide 12
Securing the cloud
IDENTIFY CLOUD APPS BEING USED: Analyses proxy logs, with threat intelligence from IBM X-Force, combined with asset and usage data to determine who is using what, how much they are using it, and how risky it is.
BUSINESS APPS VISIBILITY: Native cloud usage collection enabling visibility into what is going on in my environment (O365, Salesforce, AWS, etc.) and whether it is malicious.
QUICKLY FIND THREATS IN THE CLOUD: Immediately discovers malicious activities in the cloud using out-of-the-box analytics and Apps from the App Exchange.
[Diagram: Entity behavioural Analytics, X-Force Threat Intel, Network Threat Analytics, Machine Learning and User Behaviour Analysis feed a rising risk level: discover cloud services; what risk do they pose; is customer, sensitive or potentially malicious data being transferred; Office 365 access location abnormal; user account has been compromised]
Slide 13
Vulnerabilities and Risks: How can organizations address these concerns?
• Where are my highest risks?
• What vulnerabilities do I have that are being actively attacked?
• Are my critical data and systems exposed?
• Use real-time vulnerability data to prioritize threats
• Exposure to current high risk vulnerabilities and malware campaigns
Slide 14
Risk and vulnerability management
SINGLE VIEW OF VULNERABILITIES: Single centralized view of all vulnerabilities with their status from multiple sources, including endpoint, remote and internal vulnerability assessment technologies.
PRIORITIZE BY THREAT AND BUSINESS IMPACT: Combines threat intelligence, vulnerability status, security telemetry data and network communications to assess the true risk of a vulnerability being exploited by threats.
WHAT IS BEING EXPLOITED: Reveals what vulnerabilities are being actively exploited within the organization, and in the wild by threat actors and malware, that represent a significant risk and need to be addressed urgently.
INCREASED VISIBILITY: Built-in scanner with quick scan configuration and event-driven scanning, lowering the risk from new asset/device vulnerabilities.
[Diagram: Built-in and 3rd party support, Network topology analysis, X-Force Threat Intel and Threat Detection Correlation feed a rising risk level: discover vulnerabilities; understand risk of exploitation from threats and malware campaigns; entities being accessed by untrusted and suspect sources; vulnerabilities being actively exploited in the infrastructure; patches available but not applied]
Slide 15
Critical Data: How can organizations address these concerns?
• What data do I have?
• Where is it?
• What is the nature of it: is it critical, PII or sensitive data?
• What systems and users can access it?
• Is it at risk of exploitation, exfiltration and compromise?
Slide 16
Critical data protection and GDPR
FIND IT: Automatically identifies servers, services, databases, apps and devices through real-time behavioral profiling of log, flow and vulnerability data.
WHO CAN ACCESS IT: Collects infrastructure topology configuration, determining who is allowed to access servers, services and apps.
WHERE DOES IT GO: Utilizes network insights to track network communications, behavior and content to identify critical data movement and exfiltration.
IDENTIFY EXFILTRATION: Analyses DLP, network insights, threat intelligence and user behaviors to highlight risky data transfer.
[Diagram: Behavioural Analytics and Profiling, Vulnerability Scanning and Integration, X-Force Threat Intel, Network Threat Analytics and Context Driven prioritization feed a rising risk level: discover files, databases and applications; identify vulnerability risk; entities being accessed by potentially malicious sources; personal identification and business data detected within the network; security incident detected; severity automatically increased]
Slide 17
Incident Response: How can organizations address these concerns?
• Understand step by step what happened in a security incident and breach
• Respond quickly and effectively to security incidents
• Maintain compliance with breach and security incident response requirements
• Understand what threats the organization is experiencing and the effectiveness and cost of response and management
• Be ready to respond to a breach or the next major zero day
Slide 18
Orchestrated response
ORCHESTRATED RESPONSE ALIGNING PEOPLE, PROCESS AND TECHNOLOGY: Optimized, dynamic response plans with orchestration/automation functions and collaboration tools reduce skills dependencies and improve response times.
AUTOMATED, INTELLIGENT ENRICHMENT: Identify affected assets. Gather related system information, forensic evidence and threat intelligence to inform decisive action.
REGULATORY INTELLIGENCE: Ensure compliance with global privacy breach disclosure requirements.
DRIVE CONTINUOUS IMPROVEMENT: Tabletop simulations test your people, process and technology, and provide training too.
[Diagram: Cognitive analytics, Endpoint Integration, Network Insights and PCAP, Orchestration and Playbooks, and Built-in compliance intel drive response speed: endpoint activity visibility and action; network data forensics gathering additional evidence; orchestrated response with best practice playbooks and automated response; co-ordinated response across Sec Ops, IT, Legal and Comms; incident analysis and root cause]
Slide 20
Agile, elastic, cloud-enabled platform
IBM QRadar Security Intelligence Platform
SAAS, TERM OR PERPETUAL
• Available as SaaS from IBM Cloud
• Cloud deployment in AWS, Azure and IBM Cloud
• On-premise and hybrid deployment as appliance, virtual or software node
SCALABLE ELASTIC ARCHITECTURE
• Easy-to-deploy, scalable model using clustered distributed nodes
• Offers automatic failover and disaster recovery
• Supports multi-tenanted deployment for MSSP and large enterprises
Slide 21
Driving simplicity and accelerated time to value
• Automatic discovery, interpretation and classification of security data sources
• Immediate discovery of network assets, devices, users and applications
• Out-of-the-box threat detection, intelligence and compliance reports
• Automated updates of threats, vulnerabilities
• 100+ certified apps to jump start security operations and integrations
• Built-in Resilient response plans and regulatory compliance mandates
“These tools enable us to manage more than 2.2 million events daily and still keep our heads above water.”
David Shipley, Director of Strategic Initiatives and IT, University of New Brunswick
“IBM QRadar is nearly three times faster to implement across the enterprise than other SIEM solutions.”
2014 Independent Research Study, Ponemon Institute, LLC
Slide 22
An assistant ready to help
ENSURE QRADAR DEPLOYMENT IS FULLY OPTIMIZED AND EFFECTIVE: Supports simple and easy deployment of apps, use cases and system optimization.
IDENTIFY NEW AND UPDATED USE CASES: Analyses the QRadar environment (e.g., data and apps) and recommends new and updated apps and content packs (use cases).
CONFIGURATION CHANGES: Analyses the QRadar environment and recommends configuration changes.
HELP CENTER: Easily get help with use cases, support, tips, user groups, forums, open mics, services and much more.
Slide 23
Empower your team with a cognitive advisor
APPLIED COGNITIVE SECURITY
• Tap a vast amount of external security knowledge to investigate and qualify alerts from any source
• Actionable insights derived from both local context and external threat intelligence
• Precise and evidence-driven analysis that can be reviewed and taught
BENEFITS
• Accelerates alert triage with more automation and analysis depth
• Reduces risk of missing threats
• Optimizes incident response processes with comprehensive threat information and data
• Increases SOC analyst learning and awareness of the threat environment
Slide 24
Vibrant ecosystem ensures success today and in the future
COLLABORATE: Share and action threat intel. Build and share new security intelligence use cases and apps.
INNOVATION: New agile capabilities from customers, partners, IBM, Security research and other vendors.
VALIDATED CONTENT: Tested, validated content minimizing risk, ensuring consistency and quality.
SPEED: Jump start security operations with feature-rich extensions and integrations.
DIFFERENTIATION: Enables service provider and business partner value add and differentiation.
Slide 25
IBM Security Intelligence and Operations Services
Assess, plan and develop your security maturity and operations
Build next generation security operations
• Deploy intelligence-driven security capabilities
• Optimize your ability to react to and contain events, while reducing impact
Assess and transform your security posture
• Identify capability gaps, plan and deploy a robust strategy and roadmap to close them
• Gain insight to prioritize security investments
[Diagram: maturity levels BASIC, PROFICIENT, OPTIMIZED; lifecycle labels PLAN, DEPLOY, OPTIMIZE, BUILD, DESIGN]
Slide 26
And local partners to assist
Assess, plan and develop your security maturity and operations
Slide 27
A security operations platform for today’s and tomorrow’s needs
Advanced Threat Detection, Insider Threat, Securing the Cloud, Risk and Vuln Management, Critical Data Protection, Compliance, Incident Response
Fast to deploy, easy to manage, and focused on your success
Slide 28
Learn more about IBM Security
• 133 countries where IBM delivers managed security services
• 25 industry analyst reports rank IBM Security as a LEADER
• No. 1 fastest growing of the Top 5 security vendors
• 12K+ clients protected, including 90% of the Fortune 100 companies
Join IBM X-Force Exchange: xforce.ibmcloud.com
Visit our website: ibm.com/security
Watch our videos on YouTube: IBM Security Channel
Read new blog posts: SecurityIntelligence.com
Follow us on Twitter: @ibmsecurity
Slide 31
IBM QRadar security intelligence by the numbers
• 6K+ customers
• 100+ applications
• 10+ threat intelligence sources (STIX / TAXII, X-Force, Threatstream, Recorded Future, FireEye, RiskIQ, Threat Connect, Custom)
• 1,664 unique reports (e.g., Compliance, Configuration and Change Management, Executive, Log Source, Network Management, Security, Usage Monitoring, Virtual Infrastructure, Vulnerability Management)
• 632 correlation rules / building blocks
• 500+ supported devices, systems, applications and cloud services
• 20 third-party vulnerability scanners (e.g., Qualys, Rapid7, Tenable, Tripwire, AppScan, …)
• 5 flow sources (NetFlow, J-Flow, sFlow, vFlow, and QFlow)
• 1.5M+ EPS implementations
• < 5 month average to fully implement
Slide 32
Independent QRadar Study by Ponemon Institute
• ~67% replaced an average of 6 other security solutions with QRadar
• ~33% of the time to deploy compared with other SIEM vendors
• 70% did not need Lab Services to install QRadar
• 80% recognized value within a week
• 79% reduced time spent on investigations
• 80% reduced time to find threats and malicious activities with QRadar
Slide 34
Some Key Messages From QRadar Customers
70 percent of respondents say it was not necessary to purchase any
additional professional services to help with QRadar since the initial
implementation. If they did, on average 2 days were purchased.
Slide 35
Out of the Box
Most companies see value in out-of-box correlation rules. 48 percent of respondents say it is very valuable and 39
percent say it is somewhat valuable. Only 2 percent say it is not very valuable. On average, 29 custom correlation
values have been developed.
Slide 36
Value of our correlation + behavior + contextual data
Respondents see an average of 15.4 QRadar offenses on a daily basis. Sixty-four percent say they are able to
investigate all the daily offenses generated.
Slide 37
Adaptive integration with ecosystem partners
Ready for IBM Security Intelligence
IBM PartnerWorld
100+ ecosystem partners, 500+ QRadar integrations
Slide 38
Analyst recognition
IBM Security Intelligence
Leader in the Gartner Magic Quadrant since 2009
Security Information and Event Management (SIEM)
#1 in Forrester Security Analytics Wave
#1 in Cyber Security Analytics Platform Frost and Sullivan
“IBM Security has excelled in delivering a platform with extensive capabilities in cybersecurity
analytics. It has been able to provide security solutions with notable wins across multiple
verticals as well as innovation to bring extended capabilities, such as user behaviour analytics,
into the fold.
IBM has continuously expanded its capabilities in developing the cognitive security operations
center (SOC) through rapid integration of QRadar with Watson, which helps customers achieve
an automated and secure IT infrastructure.”
Frost and Sullivan
Slide 39
A large European banking company (ABLV) gained superior threat detection and a richer view of enterprise activities
1 million:1 reduction in security events
99 percent decreased investigation time with immediate detection and notification of anomalies
Business challenge: Integrate data from disparate systems and application sources in order to better detect and respond to threats.
IBM Security Intelligence and Sense Analytics solutions: Gained superior threat detection and a richer view of enterprise activities, realizing a 1 million:1 reduction in security events, 99 percent decrease in investigation time, and immediate detection and notification of anomalies.
Detect, analyze, and prioritize threats
Slide 40
An international energy company reduces billions of events per day to find those that should be investigated
An international energy firm analyzes 2 billion events per day to find 20-25 potential offenses to investigate
Business challenge: Reducing a huge number of events to find the ones that need to be investigated; automating the process of analyzing security data
IBM Security Solutions (QRadar SIEM, QFlow, Risk Manager): Combined analysis of historical data with real-time alerts to gain a ‘big picture’ view and uncover patterns of unusual activity humans miss, and immediately block suspected traffic
Optimize threat analysis
Slide 41
A financial information provider hardens defenses against threats and fraud
A financial information provider tracks 250 activity baselines and saved 50-80% on staffing versus alternative solutions
Business challenge: Detect a wide range of security threats affecting public-facing Web applications; help identify subtle changes in user behavior that could indicate fraud or misuse; exceed the ISO 27001 standard
IBM Security Solutions (QRadar SIEM, QFlow, X-Force, Network IPS): Combine analysis of historical data with real-time alerts to gain a ‘big picture’ view and uncover patterns of unusual activity humans miss, and immediately block suspected traffic
Optimize risk management
Slide 42
IBM QRadar: Continued innovation based on client needs
Platform evolution based on client needs (timeline 2013 to 2017):
• Vulnerability and Risk Management: real-time vulnerability scanning and threat-based prioritization
• Network Forensics (CyberTap): incident forensics and packet captures
• QRadar on Cloud: flexible solution that can deploy as either a true SaaS offering or combine with hybrid cloud environments to improve visibility into cloud-based applications
• App Exchange and EcoSystem: open collaborative app exchange and platform enabling easily deployable secure apps on QRadar, fast tracking security operations rollout and delivering real agility
• Incident Response: build and execute automated incident response plans
• User Behavior Analytics: easily and quickly deployed solution for insider threats, available from the App Exchange, delivering insights and value in minutes
• Cognitive Security: innovative cognitive solution to address SOC workload and skill shortages, deployed quickly and easily from the App Exchange
Slide 43
The next era of security
PERIMETER CONTROLS: Deploy static defenses to guard or limit the flow of data, including firewalls, antivirus software and web gateways
INTELLIGENCE, INTEGRATION, and ORCHESTRATION: Leverage analytics to collect and make sense of massive amounts of real-time data flow, prioritize events, and detect high-risk threats in real time
COGNITIVE, CLOUD, and COLLABORATION: Interpret, learn and process shared security intelligence, that is designed by and for humans, at a speed and scale like never before
Slide 45
Next generation SOC functions
THREAT INTELLIGENCE: External data feeds on malicious entities
THREAT HUNTING: Searching cyber investigations
SECURITY ANALYTICS: Aggregation, automated detection, and use cases
INCIDENT RESPONSE: Orchestrated security response
Slide 46
IBM QRadar component architecture
[Diagram: IBM QRadar Security Intelligence components: Data Node, Processor, Collector, Network Insights (appearing at several points in the topology), Scanner, Forensics, Packet Capture, App Node; one segment labelled ‘Deployed in the cloud’]
Slide 47
IBM Sense Analytics: Advanced analytics for threat prevention, detection, and response
Incident identification
• Extensive data collection, storage, and analysis
• Real-time correlation, behavioural and threat intelligence
• Automatic asset, service and user discovery and profiling
• Activity baselining and anomaly detection
• Easily deployed use cases from App Exchange
[Diagram: EXTENSIVE DATA SOURCES (servers and mainframes, data activity, network and virtual activity, application activity, configuration information, security devices, users and identities, vulnerabilities and threats, global threat intelligence) flow into Embedded Intelligence (QRadar Sense Analytics), producing prioritized incidents and user risk]
Slide 48
Extend clarity around incidents and risks with in-depth forensics data
IDENTIFICATION
• Data collection, storage, and analysis
• Real-time correlation and threat intelligence
• Automatic asset, service and user discovery and profiling
• Activity baselining and anomaly detection
REMEDIATION
• Incident forensics
• Around-the-clock management, monitoring and protection
• Incident response
[Diagram: EXTENSIVE DATA SOURCES feed Embedded Intelligence, producing prioritized incidents]
Slide 49
IBM QRadar Intelligence and Analytics Platform
[Diagram: USE CASES (Advanced Threat Detection, Insider Threat Detection, Risk & Vulnerability Management, Critical Data Protection, Incident Response, Compliance Reporting, Securing Cloud); ACTION ENGINE (PRIORITIZED INCIDENTS, Automation Workflows, Dashboards, Visualizations, Third-Party Usage); QRadar Sense Analytics (Behavior-Based, Context-Based and Time-Based Analytics); COLLECTION (Business Systems, Cloud, Infrastructure, Threat Intel, Applications); DEPLOYMENT MODELS (ON PREM, AS A SERVICE, CLOUD, HYBRID); Capability and Threat Intelligence Collaboration Platforms (App Exchange, X-Force Exchange)]
Slide 50
QRadar API Components
IBM QRadar SDK for app development and sharing
New open API for rapid innovation and creation
Cybersecurity use cases: Insider Threats, Internet of Things, Incident Response
• Market, technology, business specific solutions
• Service provider differentiation
• Seamlessly integrated workflow
• Economic and operational benefit
• More flexibility and less complexity
Slide 52
IBM Security App Exchange
A Platform for Security Intelligence Collaboration: Single collaboration platform for rapidly delivering new apps and content for IBM Security solutions
VALIDATED CONTENT: Tested, validated content minimizing risk, ensuring consistency and quality
INNOVATION: New agile capabilities from partners, IBM, Security research and other vendors
DIFFERENTIATION: Enables service provider and business partner value add and differentiation
SPEED: Jump start security operations with feature-rich extensions and integrations
Slide 53
Extending QRadar to the Cloud
FLEXIBLE: A full suite of upgradeable security analytics offerings. Try/buy (Q1 2017)
COST EFFECTIVE: Acquire and deploy quickly with no CapEx to purchase
CHOICE: Datacenters in Washington, Toronto, Dallas, São Paulo, Frankfurt, with more to come
MULTI TENANT FOR MSSP: Supports multi-tenancy for MSSP cost effectiveness
PEACE OF MIND: Trusted IBM security service professionals available to provide guidance and meet your security requirements
• Cloud-based offering of the #1 Security Intelligence solution
• Protects against threats and reduces compliance risk
• Leverages real-time threat intelligence from X-Force
• Collects data from both on-premise and cloud resources
[Diagram: data collected: threat indicators, security devices, servers and mainframes, network and virtual activity, data activity, application activity, configuration information, vulnerabilities and threats, users and identities]
Slide 54
QRadar for Managed Security Service Providers
MULTI-TENANT: Enables secure, rapid and cost-effective delivery of security intelligence services
SAAS OPTION: Technology quickly delivered globally from the IBM cloud as a service, with global datacenters
SCALABLE: Scales from smallest to largest customers with centralized management and eyes on glass
AUTOMATED: Drives simplicity and accelerates time-to-value for service providers
Elastic architecture; shared modular infrastructure
• New centralized views and incident management
• Mixed single- and multi-tenanted deployment options
• True horizontal, snap-on scalability capabilities
• Extensive APIs and SDK for enterprise integration, extension and differentiation
• System configuration template support
• Cloud ready with support for 400+ out-of-the-box devices
Sense Analytics Threat Detection: behavioral, contextual, temporal
One Platform, Unified Visibility: extensible, scalable, easily deployed
The Power to Act – at Scale: prioritization, collaboration of threat data, automated response
Slide 55
Reduce costs, increase visibility with an integrated platform
Traditional SIEM: 7 products from 7 vendors (Flows, Packets, Vulnerabilities, Configurations, Logs, Events, Response)
IBM Security Intelligence and Analytics: IBM Security QRadar Security Intelligence Platform, including UBA; an integrated, unified architecture in a single web-based console
Slide 57
Cyber threats rely on our networks to carry out their objectives
• >99% of cyber attacks traverse the network in some way
– Email/Web
– Reconnaissance
– Command and control
– Data collection…
• Only insider attacks collecting local system data and posting it to removable media do not
– Source: Enterprise Management Associates (EMA)
• Threat activity inherently leaves a trail of evidence across our networks
– So the data needed to detect these threats is there if you look deep enough
[Chart: Most-common attack types]
Slide 58
Bringing visibility to today’s cyber security challenges
• Session reconstruction and application analysis
• Extraction of key metadata and content
• Full payload and application content analysis
• Real-time analysis of network traffic
• Intrinsic Suspect Content detection
Slide 59
QRadar QNI – Completing the picture
Filling in the important gaps, from BASIC to ENRICHED to CONTENT:
• What is out there?
• Who is talking to who?
• What files and data are being exchanged?
• Do they look malicious?
• Do they contain any important or sensitive data?
• Is this malicious application use?
• Is this new threat on my network?
• If so, where is it and what did it do?
Slide 60
Addresses high-value threat detection and compliance use cases
Malware Detection and Analysis: Observe and analyze artifacts – names, properties, movement, suspect content
Phishing Email and Campaign Detection: Pre-empt and react to malicious emails by analyzing sources, targets, subject, and content
Data Exfiltration Detection: Identify and track files – DNS anomalies, sensitive content, aberrant connections, aliases
Lateral Movement Attack Detection: Trace anomalous communications – recon, data transfers, rogue/malicious actors
Identify Compliance Gaps: Continuous monitoring of enterprise, industry and regulatory policy compliance
User Behavior Analytics: Recognize high-risk users – targets for phishing, negative sentiment, suspicious behaviors
Discover the network and services: Discover servers, devices, endpoints, applications, services and create an inventory
Improve threat detection accuracy with context: Bring additional context to anomalous behaviors
Slide 61
QRadar Incident Forensics – Responding quickly to incidents
In 2012, 38% of targets were attacked again once the original incident was remediated.
Attackers spend an estimated 243 days on a victim’s network before being discovered.
Questions an investigation must answer: Has our organization been compromised? When was our security breached? How to avoid becoming a repeat victim? What resources and assets are at risk? What type of attack is it? How do we identify the attack?
Slide 62
Next generation network forensics: know what happened, fast
Introducing QRadar Incident Forensics
Our Security Intelligence platform delivers powerful capabilities to IT Security Operations Teams: tells you exactly when an incident occurred; delivers intelligence to guide forensics investigations; merges powerful forensics capability with simplicity.
Leveraging the strengths of QRadar to optimize the process of investigating and gathering evidence on advanced attacks and data breaches
• Visually construct threat actor relationships
• Builds detailed user and application profiles across multiple IDs
• Full packet capture for complete session reconstruction
• Unified view of all flow, user, event, and forensic information
• Retrace activity in chronological order
• Integrated with QRadar to discover true offenses and prioritize forensics investigations
• Enables search-driven data exploration to return detailed, multi-level results in seconds
Slide 63
Providing complete coverage and enhanced threat detection
[Diagram: a Network Tap feeds QRadar Network Insights and QRadar Network Packet Capture; QRadar Processors perform Incident Detection & Qualification and QRadar Incident Forensics performs Root Cause Analysis; Endpoint, Network and Cloud sources supply Additional Context]
Slide 64
IBM QRadar Vulnerability Manager
Security Intelligence is extending and transforming Vulnerability Management – just as it did to Log Management
Solution Highlights
• First VA solution integrated with Security Intelligence
• Dramatically improving actionable information through rich context
• Reducing total cost of ownership through product consolidation
• Providing unified view of all vulnerability information
[Diagram: Log Manager, SIEM, Network Activity Monitor, Forensics, Vulnerability Manager]
Slide 65
IBM QRadar Vulnerability Manager: How it works
Not Active: By leveraging Network Insights, QVM can tell if the vulnerable application is active
Patched: By leveraging BigFix, QVM understands what vulnerabilities will be patched
Blocked: By leveraging network topology, QVM can understand what vulnerabilities are blocked by firewalls, IPSs and XGS
Critical: By leveraging its vulnerability knowledge base, remediation flow and QRM policies, QVM can identify business-critical vulnerabilities
At Risk: By utilizing X-Force threat and SIEM security incident data, coupled with QFlow network traffic visibility, QVM can tell if vulnerable assets are communicating with potential threats
Exploited: By leveraging SIEM correlation and XGS data, QVM can reveal what vulnerabilities have been exploited
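Context-driven status for each vulnerability, following the six QVM categories on the slide, as an added example that is not QVM's own code: each data source the slide names (Network Insights, BigFix, topology, policy, X-Force/SIEM/QFlow, SIEM/XGS correlation) is replaced by a constructed lookup set, and the weights, vulnerability identifiers and inventory are invented for illustration.

```python
"""Context-driven vulnerability status, modelled on the QVM categories on the slide.

The six tags (Not Active, Patched, Blocked, Critical, At Risk, Exploited) come
from the slide; scoring weights, field names and sample data are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str    # constructed identifier, not a real CVE
    asset: str
    port: int
    cvss: float     # raw scanner severity before context is applied


@dataclass
class Context:
    """Constructed stand-ins for the data sources named on the slide."""
    active_services: set       # (asset, port) seen listening in network flow data
    patch_scheduled: set       # vuln_ids the endpoint manager will patch
    blocked_by_topology: set   # (asset, port) unreachable per firewall/IPS topology
    critical_assets: set       # assets flagged business-critical by policy
    talking_to_threats: set    # assets with flows to threat-intel listed addresses
    exploited: set             # vuln_ids matched by SIEM exploit correlation


def classify(v: Vuln, ctx: Context):
    """Return (status tags, adjusted risk 0..10) for one vulnerability instance."""
    tags = []
    risk = v.cvss
    if v.vuln_id in ctx.exploited:
        tags.append("Exploited")          # confirmed exploitation outranks everything
        return tags, 10.0
    if v.asset in ctx.talking_to_threats:
        tags.append("At Risk")            # vulnerable asset already in contact with a threat
        risk += 2.0
    if v.asset in ctx.critical_assets:
        tags.append("Critical")           # business impact raises the stakes
        risk += 1.5
    if (v.asset, v.port) not in ctx.active_services:
        tags.append("Not Active")         # nothing is listening, so little exposure
        risk *= 0.3
    if (v.asset, v.port) in ctx.blocked_by_topology:
        tags.append("Blocked")            # firewall/IPS path closes the route
        risk *= 0.4
    if v.vuln_id in ctx.patch_scheduled:
        tags.append("Patched")            # remediation already in flight
        risk *= 0.5
    return tags, round(min(risk, 10.0), 1)


def prioritize(vulns, ctx):
    """Order remediation work: exploited first, then by adjusted risk, then raw CVSS."""
    scored = [(v, *classify(v, ctx)) for v in vulns]
    scored.sort(key=lambda t: (0 if "Exploited" in t[1] else 1, -t[2], -t[0].cvss))
    return [(v.vuln_id, tags, risk) for v, tags, risk in scored]


# Constructed inventory and context.
SAMPLE_VULNS = [
    Vuln("VULN-0001", "web01", 443, 7.5),
    Vuln("VULN-0002", "erp-db01", 1521, 9.8),
    Vuln("VULN-0003", "hr-app", 8080, 9.1),
    Vuln("VULN-0004", "fileshare", 445, 8.1),
    Vuln("VULN-0005", "kiosk", 80, 5.3),
]
SAMPLE_CTX = Context(
    active_services={("web01", 443), ("erp-db01", 1521), ("fileshare", 445), ("kiosk", 80)},
    patch_scheduled={"VULN-0004"},
    blocked_by_topology={("fileshare", 445)},
    critical_assets={"erp-db01"},
    talking_to_threats={"erp-db01"},
    exploited={"VULN-0001"},
)

if __name__ == "__main__":
    for vuln_id, tags, risk in prioritize(SAMPLE_VULNS, SAMPLE_CTX):
        print(f"{vuln_id} risk={risk:>4} {', '.join(tags) or 'no context'}")
```

Note how the highest raw CVSS (9.8 and 9.1) land at opposite ends of the queue: the first is on a critical asset already talking to threats, the second sits on a service that is not even active.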