Uploaded byDmitry718707
PPTX, PDF185 views

QRadar Security Intelligence Overview.pptx

This document discusses IBM QRadar, a security intelligence platform. It addresses common security challenges faced by organizations like compliance issues, human error, skills gaps, and advanced attacks. The platform provides threat detection, incident response, and vulnerability management capabilities. It collects data from various sources and uses analytics, machine learning, and cognitive capabilities to detect threats. The document promotes QRadar's abilities to provide unified visibility, quickly identify issues, and enable automated and orchestrated responses. It also highlights QRadar's ecosystem of applications, services, and partners to help customers achieve security.

Embed presentation

Download to read offline
CONQUER THE UNKNOWN SENSE IT AND ACT Chris Meenan December 27, 2023 Director QRadar Offering Management and Strategy IBM #QRADAR
2 IBM Security Today’s security challenges COMPLIANCE HUMAN ERROR SKILLS GAP ADVANCED ATTACKS INNOVATION TIME
3 IBM Security Conquer the unknowns Manage Risks and Vulnerabilities Insider Threats Incident Response Secure the Cloud Critical Data Protection Advanced and Persistent Threats Compliance
4 IBM Security Sense Analytics© Threat Detection One Platform, Unified Visibility The Power to Act – at Scale • Smart analytics with search, rules, machine learning and cognitive capabilities to detect abnormal behaviors across users, entities, applications and data • Discover real time and low and slow threats, bringing hidden indicators of attack and risks to the surface • Find and prioritize weaknesses before they’re exploited • Collects billions of events on premises or in the cloud per day • Unifies threat monitoring, vulnerability and risk management, forensics and incident response • Open platform with IBM App Exchange delivering deep and automated integration with many IBM and third-party sources and security applications • Intelligent incident prioritization and comprehensive insights • Uses the power of threat intelligence and collaboration with IBM X-Force® and the IBM App Exchange • Enables fully integrated incident response with Resilient Incident Response • Powered by cognition to make users more effective IBM QRadar – The SOC Platform “Leveraging better integration, visibility, and intelligence from a platform approach to security monitoring and analytics reduces the time to identify, investigate, and remediate security-related incidents – which translates to a proportional reduction in business impact: twice fast, half the risk” The Business Value of A Security Monitoring and Analytics Platform – Aberdeen Group 2017
5 IBM Security Event Correlation and Log Management IBM QRadar Security Intelligence SIEM LAYER Incident Response Orchestration Cognitive Security Threat Intelligence Hunting User and Entity Behavior ABOVE THE SIEM New Security Operations Tools BELOW THE SIEM IBM QRadar – An integrated ‘Above SIEM’ solution for the SOC
Securing the enterprise
7 IBM Security Advanced Threat Detection : How can organizations… Address these concerns: • Identify threats in real time and escalate to identify the most critical ones to focus on • Detect long and slow attacks • Avoid alert fatigue and minimize the chance of missing alerts in the noise of event data • Identify threat actors, malware, campaigns and the attack vectors exploited in the face of skills and knowledge gaps and ever growing threat variety
8 IBM Security Advanced and persistent threats SINGLE, REAL-TIME ATTACK VIEW Intelligently gathers all attack related activities into a single pain of glass and updates in real time as attack unfolds minimizing noise BUSINESS DRIVEN PRIORITIZATION Automatically adjusts severity based on business impact, and evidence as attack progresses COGNITIVE ANALYSIS Accelerates alert triage and threat discovery with cognitive incident analysis COMPREHENSIVE INVESTIGATION Enables full forensics analysis of log, network PCAP, and Endpoint data from single screen Asset Database Vulnerability Data Network Behaviour Analytics Threat Intelligence Cognitive Analysis Event has been triggered against a high profile asset Asset is vulnerable to this specific attack Network analytics detects abnormal behaviour Outbound connection has connected to a known ‘bad’ site Watson reveals wider campaign, Malware other IOCs INCIDENT ALERT
9 IBM Security Insider Threats : How can organizations… Address these concerns: • Have credentials been stolen via phishing or malware account takeover • Are credentials being misused • Are there double earners and career jumpers stealing customer data and/or intellectual property • Are users performing activities that are putting themselves and the organization at increased risk
10 IBM Security Identify insider threats IDENTIFY AT RISK USERS Account takeover, disgruntled employees, malware actions STREAMLINED INCIDENT INVESTIGATIONS Immediate insights into risky user behaviors, action and activity history 360°ANALYSIS Performs analysis of activities at the end point, insights from network data, and cloud activities FAST TIME TO VALUE Deploys in minutes from the IBM App Exchange and leverages existing QRadar data sets immediately Behavioural and peer group analytics Network Threat Analytics Machine Learning Cloud Analytics Cognitive Analysis Unusual resource access Sensitive customer data copied Unusual amounts of data copied to file sharing/social media Abnormal salesforce Account access Watson reveals account compromised by spyware Risk Level
11 IBM Security Cloud Security : How can organizations… Address these concerns: • What cloud services are being used and who is using them • Identify malicious and suspicious activities in cloud services • Insider threats and stolen credentials being used to access cloud services • Copying of sensitive and customer data to unapproved cloud services
12 IBM Security Securing the cloud IDENTIFY CLOUD APPS BEING USED Analyses proxy logs, with threat intelligence from IBM X-Force, combined with asset and use data to determine who is using what, how much they are using, and how risky it is BUSINESS APPS VISIBILITY Native cloud usage collection enabling visibility into what is going on in my environment (O365, Salesforce, AWS, etc.) and if it is it malicious QUICKLY FIND THREATS IN THE CLOUD Immediately discovers malicious activities in the cloud using out of the box analytics and Apps from the App Exchange Entity behavioural Analytics X-Force Threat Intell Network Threat Analytics Machine Learning User Behaviour Analysis Discover cloud services What Risk do they pose Is customer, sensitive, potentially malicious data being transferred Office 365 access location abnormal User account has been compromised Risk Level
13 IBM Security Vulnerabilities and Risks : How can organizations… Address these concerns: • Where are my highest risks • What vulnerabilities do I have that are being actively attacked • Are my critical data and systems exposed • Use real-time vulnerability data to prioritize threats • Exposure to current high risk vulnerabilities and malware campaigns
14 IBM Security Risk and vulnerability management SINGLE VIEW OF VULNERABILITIES Single centralized view of all vulnerabilities with their status from multiple sources including endpoint, remote and internal vulnerability assessment technologies PRIORITIZE BY THREAT AND BUSINESS IMPACT Combines threat intelligence, vulnerability status, security telemetry data, and network communications to assess true vulnerability risk to exploitation from threats WHAT IS BEING EXPLOITED Reveals what vulnerabilities are being actively exploited within the organization, and in the wild by threat actors and malware that represent a significant risk and need to be addressed urgently INCREASED VISIBILITY Built in scanner for quickly configured scanner and event driven scanning lowering risk of new asset / device vulnerability Built-in and 3rd party support Network topology analysis X-Force Threat Intell Network topology analysis Threat Detection Correlation Discover vulnerabilities Understand Risk of exploitation from threats and malware campaigns Entities being accessed by untrusted and suspect sources Vulnerabilities being activity exploited in the infrastructure Risk Level Patches available but not applied
15 IBM Security Critical Data : How can organizations… Address these concerns: • What data do I have • Where is it • What is the nature of it, is it critical, PII or sensitive data • What systems and users can access it • Is it at risk to exploitation, exfiltration and compromise
16 IBM Security Critical data protection and GDPR FIND IT Automatically identifies servers, services, databases, apps, and devices through real-time behavioral profiling of log, flow and vulnerability data. WHO CAN ACCESS IT Collects infrastructure topology configuration determining who is allowed to access servers, services and apps WHERE DOES IT GO Utilizes network insights to track network communications, behavior and content to identify critical data movement and exfiltration IDENTIFY EXFILTRATION Analyses DLP, network insights, threat intelligence and user behaviors to highlight risky data transfer Behavioural Analytics and Profiling Vulnerability Scanning and Integration x-Force Threat Intell Network Threat Analytics Context Driven prioritization Discover File, Database And Applications Identify Vulnerability Risk Entities being accessed by potentially malicious sources Personal Identification and business data detected within network Security incident detected Severity automatically increased Risk Level
17 IBM Security Incident Response : How can organizations… Address these concerns: • Understand step by step what happened in a security incident and breach • Respond quickly and effectively to a security incidents • Maintain compliance with breach and security incident response requirements • Understand what threats the organization is experiencing and the effectiveness and cost of response and management • Be ready to respond to a breach or the next major zero day
18 IBM Security Orchestrated response ORCHESTRATED RESPONSE ALIGNING PEOPLE , PROCESS AND TECHNOLOGY Optimized, dynamic response plans with orchestration / automation functions and collaboration tools reduce skills dependencies and improve response times AUTOMATED, INTELLIGENT ENRICHMENT Identify affected assets. Gather related system information, forensic evidence, and threat intelligence to inform decisive action. REGULATORY INTELLIGENCE Ensure compliance with global privacy breach disclosure requirements DRIVE CONTINUOUS IMPROVEMENT Tabletop simulations test your people, process, and technology and provide training, too. Cognitive analytics Endpoint Integration Network Insights and PCAP Orchestration and Playbooks Built-in compliance intel End point activity visibility And Action Network data forensics gathering additional evidence Orchestrated response with best practice playbooks and automated response Co-ordinated response across Sec Ops, IT, Legal and Comms Response Speed Incident analysis and root cause
Ensuring customer success
20 IBM Security Agile, elastic, cloud-enabled platform IBM QRadar Security Intelligence Platform SAAS, Term or Perpetual • Available as SAAS from IBM Cloud • Cloud deployment in AWS, Azure and IBM Cloud • On premise and hybrid deployment as appliance, virtual or software node SCALABLE ELASTIC ARCHITECTURE • Easy-to-deploy, scalable model using clustered distributed nodes • Offers automatic failover and disaster recovery • Supports multi-tenanted deployment for MSSP and large enterprises
21 IBM Security Driving simplicity and accelerated time to value • Automatic discovery, interpretation and classification of security data sources • Immediate discovery of network assets, devices, users and applications • Out-of-the-box threat detection, intelligence and compliance reports • Automated updates of threats, vulnerabilities • 100+ certified apps to jump start security operations and integrations • Built in Resilient response plans and regulatory compliance mandates “These tools enable us to manage more than 2.2 million events daily and still keep our heads above water.” David Shipley, Director of Strategic Initiatives and IT University of New Brunswick “IBM QRadar is nearly three times faster to implement across the enterprise than other SIEM solutions.” 2014 Independent Research Study Ponemon Institute, LLC
22 IBM Security An assistant ready to help ENSURE QRADAR DEPLOYMENT IS FULLY OPTIMIZED AND EFFECTIVE Supports simple and easy deployment of apps, use cases and system optimization IDENTIFY NEW AND UPDATED USE CASES Analyses QRadar environment (e.g., data and apps) and recommends new and updated apps and content packs (use cases) CONFIGURATION CHANGES Analyses QRadar environment recommends configuration changes HELP CENTER Easily get help with use cases, support, tips, user groups, forums, open mics, services and much more
23 IBM Security Empower your team with a cognitive advisor APPLIED COGNITIVE SECURITY • Tap a vast amount of external security knowledge to investigate and qualify alerts from any source • Actionable insights derived from both local context and external threat intelligence • Precise and evidence driven analysis that can be reviewed and taught BENEFITS • Accelerates alert triage with more automation and analysis depth • Reduces risk of missing threats • Optimizes incident response processes with comprehensive threat information and data • Increases SOC Analyst learning and awareness of threat environment
24 IBM Security Vibrant ecosystem ensures success today and in the future COLLABORATE Share and action threat intel. Build and share new security intelligence use cases and apps INNOVATION New agile capabilities from customers, partners, IBM, Security research and other vendors VALIDATED CONTENT Tested, validated content minimizing risk, ensuring consistency and quality SPEED Jump start security operations with feature rich extensions and integrations DIFFERENTIATION Enables service provider and business partner value add and differentiation
25 IBM Security IBM Security Intelligence and Operations Services Assess, plan and develop your security maturity and operations Build next generation security operations • Deploy intelligence-driven security capabilities • Optimize your ability to react to and contain events, while reducing impact Assess and transform your security posture • Identify capability gaps, plan and deploy a robust strategy and roadmap to close them • Gain insight to prioritize security investments OPTIMIZED BASIC PROFICIENT PLAN DEPLOY OPTIMIZE BUILD DESIGN
26 IBM Security And local partners to assist Assess, plan and develop your security maturity and operations
27 IBM Security Advanced Threat Detection Insider Threat Securing the Cloud Risk and Vuln Management A security operations platform for todays and tomorrows needs Critical Data Protection Compliance Incident Response Fast to deploy, easy to manage, and focused on your success
28 IBM Security Learn more about IBM Security countries where IBM delivers managed security services industry analyst reports rank IBM Security as a LEADER fastest growing of the Top 5 security vendors clients protected including… 133 25 No. 1 12K+ 90% of the Fortune 100 companies Join IBM X-Force Exchange xforce.ibmcloud.com Visit our website ibm.com/security Watch our videos on YouTube IBM Security Channel Read new blog posts SecurityIntelligence.com Follow us on Twitter @ibmsecurity
ibm.com/security securityintelligence.com xforce.ibmcloud.com @ibmsecurity youtube/user/ibmsecuritysolutions © Copyright IBM Corporation 2017. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party. FOLLOW US ON: THANK YOU
IBM QRadar Evidence of Leadership and Success
31 IBM Security IBM QRadar security intelligence by the numbers 6K+ customers 100+ applications 10+ threat intelligence sources (STIX / TAXII, X-Force, Threatstream, Recorded Future, FireEye, RiskIQ, Threat Connect, Custom) 1,664 unique report (e.g., Compliance, Configuration and Change Management, Executive, Log Source, Network Management, Security, Usage Monitoring, Virtual Infrastructure, Vulnerability Management) 632 correlation rules / building blocks 500+ supported devices, systems, applications and cloud services 20 third-party vulnerability scanners (e.g., Qualys, Rapid7, Tenable, Tripwire, AppScan, …) 5 flow sources (NetFlow, J-Flow, sFlow, vFlow, and QFlow) 1.5M+ EPS implementations < 5 month average to fully implement
32 IBM Security ~67% replaced an average of 6 other security solutions with QRadar ~33% of the time to deploy than other SIEM vendors 70% did not need Lab Services to install QRadar 80% recognized value within a week 79% reduced time spent on investigations 80% reduced time to find threats and malicious activities with QRadar Independent QRadar Study by Ponemon Institute
34 IBM Security Some Key Messages From QRadar Customers 70 percent of respondents say it was not necessary to purchase any additional professional services to help with QRadar since the initial implementation. If they did, on average 2 days were purchased.
35 IBM Security Out of the Box Most companies see value in out-of-box correlation rules. 48 percent of respondents say it is very valuable and 39 percent say it is somewhat valuable. Only 2 percent say it is not very valuable. On average, 29 custom correlation values have been developed.
36 IBM Security Value of our correlation + behavior + contextual data Respondents see an average of 15.4 QRadar offenses on a daily basis. Sixty-four percent say they are able to investigate all the daily offenses generated.
37 IBM Security Adaptive integration with ecosystem partners Ready for IBM Security Intelligence IBM PartnerWorld 100+ ecosystem partners, 500+ QRadar integrations
38 IBM Security Analyst recognition IBM Security Intelligence  Leader in the Gartner Magic Quadrant since 2009 Security Information and Event Management (SIEM)  #1 in Forrester Security Analytics Wave  #1 in Cyber Security Analytics Platform Frost and Sullivan  “IBM Security has excelled in delivering a platform with extensive capabilities in cybersecurity analytics. It has been able to provide security solutions with notable wins across multiple verticals as well as innovation to bring extended capabilities, such as user behaviour analytics, into the fold. IBM has continuously expanded its capabilities in developing the cognitive security operations center (SOC) through rapid integration of QRadar with Watson, which helps customers achieve an automated and secure IT infrastructure.” Frost and Sullivan
39 IBM Security A large European banking company (ABLV) gained superior threat detection and a richer view of enterprise activities 1 million:1 Reduction in security events 99 percent Decreased investigation time with immediate detection and notification of anomalies Business challenge  Integrate data from disparate systems and application sources in order to better detect and respond to threats. IBM Security Intelligence and Sense Analytics solutions Gained superior threat detection and a richer view of enterprise activities, realizing a 1 million:1 reduction in security events, 99 percent decrease in investigation time, and immediate detection and notification of anomalies. Detect, analyze, and prioritize threats
40 IBM Security An international energy company reduces billions of events per day to find those that should be investigated An international energy firm analyzes 2 billion events per day to find 20-25 potential offenses to investigate Business challenge  Reducing huge number of events to find the ones that need to be investigated  Automating the process of analyzing security data IBM Security Solutions (QRadar SIEM, QFlow, Risk Manager) Combined analysis of historical data with real-time alerts to gain a ‘big picture’ view and uncover patterns of unusual activity humans miss and immediately block suspected traffic Optimize threat analysis
41 IBM Security A financial information provider hardens defenses against threats and fraud financial information provider tracks 250 activity baselines Business challenge  Detect wide range of security threats affecting public-facing Web applications  Help identify subtle changes in user behavior that could indicate fraud or misuse  Exceed ISO 27001 standard IBM Security Solutions (QRadar SIEM, QFlow, X-Force, Network IPS) Combine analysis of historical data with real-time alerts to gain a ‘big picture’ view and uncover patterns of unusual activity humans miss and immediately block suspected traffic and saved 50-80% on staffing versus alternative solutions Optimize risk management
42 IBM Security Cognitive Security User Behavior Analytics Easily and quickly deployed solution for Insider threats available from the App Exchange delivering insights and value in minutes Incident Response Build and execute an automated incident response plans App Exchange and EcoSystem Open collaborative app exchange and platform enabling easily deployable secure apps on QRadar fast tracking security operations rollout and delivering real agility QRadar on Cloud Flexible solution that can deploy as either a true SaaS offering or combine with hybrid cloud environments to improve visibility into cloud-based applications Network Forensics Incident forensics and packet captures CyberTap Client Needs Vulnerability and Risk Management Real-time vulnerability scanning and threat based prioritization Platform evolution based on client needs IBM QRadar: Continued innovation based on client needs 2013 2014 2015 2015 2016 2016 2017 Innovative cognitive solution to address SOC workload and skill shortages deployed quickly and easily from the App Exchange
43 IBM Security COGNITIVE, CLOUD, and COLLABORATION Interpret, learn and process shared security intelligence, that is designed by and for humans, at a speed and scale like never before INTELLIGENCE, INTEGRATION, and ORCHESTRATION Leverage analytics to collect and make sense of massive amounts of real-time data flow, prioritize events, and detect high-risk threats in real-time The next era of security PERIMETER CONTROLS Deploy static defenses to guard or limit the flow of data, including firewalls antivirus software and web gateways
QRadar Capabilities
45 IBM Security Next generation SOC functions THREAT INTELLIGENCE External data feeds on malicious entities THREAT HUNTING Searching cyber investigations SECURITY ANALYTICS Aggregation, automated detection, and use cases INCIDENT RESPONSE Orchestrated security response
46 IBM Security IBM QRadar component architecture IBM QRadar Security Intelligence IBM QRadar Data Node IBM QRadar Processor IBM QRadar Collector Deployed in the cloud IBM QRadar Network Insights IBM QRadar Scanner IBM QRadar Network Insights IBM QRadar Forensics IBM QRadar Packet Capture IBM QRadar Network Insights IBM QRadar App Node
47 IBM Security Prioritized incidents and user risk Incident identification • Extensive data collection, storage, and analysis • Real-time correlation, behavioural and threat intelligence • Automatic asset, service and user discovery and profiling • Activity baselining and anomaly detection • Easily deployed use cases from App Exchange Embedded Intelligence QRadar Sense Analytics Servers and mainframes Data activity Network and virtual activity Application activity Configuration information Security devices Users and identities Vulnerabilities and threats Global threat intelligence EXTENSIVE DATA SOURCES IBM Sense Analytics Advanced analytics for threat prevention, detection, and response
48 IBM Security Prioritized incidents Embedded Intelligence Extend clarity around incidents and risks with in-depth forensics data IDENTIFICATION • Data collection, storage, and analysis • Real-time correlation and threat intelligence • Automatic asset, service and user discovery and profiling • Activity baselining and anomaly detection REMEDIATION • Incident forensics • Around-the-clock management, monitoring and protection • Incident response EXTENSIVE DATA SOURCES
49 IBM Security IBM QRadar Intelligence and Analytics Platform Advanced Threat Detection Insider Threat Detection Risk & Vulnerability Management Critical Data Protection Incident Response Compliance Reporting Securing Cloud USE CASES ACTION ENGINE COLLECTION DEPLOYMENT MODELS Behavior-Based Analytics PRIORITIZED INCIDENTS Context-Based Analytics Time-Based Analytics QRadar Sense Analytics Third-Party Usage Automation Workflows Dashboards Visualizations ON PREM AS A SERVICE CLOUD HYBRID Business Systems Cloud Infrastructure Threat Intel Applications Capability and Threat Intelligence Collaboration Platforms App Exchange X-Force Exchange
50 IBM Security QRadar API Components IBM QRadar SDK for app development and sharing New open API for rapid innovation and creation Insider Threats Internet of Things Incident Response Cybersecurity Use Cases • Market, technology, business specific solutions • Service provider differentiation • Seamlessly integrated workflow • Economic and operational benefit • More flexibility and less complexity
51 IBM Security Examples CareSys Business Partner Carbon Black Technology Partner QRadar UBA SAP Security Monitoring
52 IBM Security IBM Security App Exchange VALIDATED CONTENT Tested, validated content minimizing risk, ensuring consistency and quality INNOVATION New agile capabilities from partners, IBM, Security research and other vendors DIFFERENTIATION Enables service provider and business partner value add and differentiation SPEED Jump start security operations with feature rich extensions and integrations A Platform for Security Intelligence Collaboration Single collaboration platform for rapidly delivering new apps and content for IBM Security solutions
53 IBM Security Extending QRadar to the Cloud FLEXIBLE A full suite of upgradeable security analytics offerings. Try buy (Q1 2017) COST EFFECTIVE Acquire and deploy quickly with no CapEx to purchase CHOICE Datacenters in Washington, Toronto, Dallas, Sau Paulo, Frankfurt, with more to come MULTI TENANT FOR MSSP Supports multi-tenanted for MSSP cost effectiveness PEACE OF MIND Trusted IBM security service professionals available to provide guidance and meet your security requirements • Cloud-based offering of the #1 Security Intelligence solution • Protects against threats and reduces compliance risk • Leverages real-time threat intelligence from X-Force • Collects data from both on-premise and cloud resources Threat Indicators Security devices Servers and mainframes Network and virtual activity Data activity Application activity Configuration information Vulnerabilities and threats Users and identities
54 IBM Security QRadar for Managed Security Service Providers MULTI-TENANT Enables secure, rapid and cost effective delivery of security intelligence services SAAS OPTION Technology quickly delivered globally from the IBM cloud as a service, with global datacenters SCALABLE Scales from smallest to largest customers with centralized management and eyes on glass AUTOMATED Drives simplicity and accelerates time-to-value for service providers Elastic architecture Shared modular infrastructure • New centralized views and incident management • Mixed single- and multi-tenanted deployment options • True horizontal, snap-on scalability capabilities • Extensive APIs and SDK for enterprise integration, extension and differentiation • System configuration template support • Cloud ready with support for 400+ out-of-the-box devices Sense Analytics Threat Detection One Platform, Unified Visibility The Power to Act – at Scale • Behavioral • Contextual • Temporal • Extensible • Scalable • Easily deployed • Prioritization • Collaboration of threat data • Automated response
55 IBM Security Traditional SIEM 7 products from 7 vendors IBM Security Intelligence and Analytics Flows Packets Vulnerabilities Configurations Logs Events Response IBM Security QRadar Security Intelligence Platform UBA Reduce costs, increase visibility with an integrated platform An integrated, unified architecture in a single web-based console
56 IBM Security Compliance – Comprehensive solutions
57 IBM Security Cyber threats rely on our networks to carry our their objectives • >99% of cyber attacks traverse the network in some way – Email/Web – Reconnaissance – Command and control – Data collection… • Only insider attacks collecting local system data and posting it to removable media do not – Source: Enterprise Management Associates (EMA) • Threat activity inherently leaves a trail of evidence across our networks – So the data needed to detect these threats is there if you look deep enough Most-common attack types1
58 IBM Security Bringing visibility to today’s cyber security challenges • Session reconstruction and application analysis • Extraction of key metadata and content • Full payload and application content analysis • Real-time analysis of network traffic • Intrinsic Suspect Content detection
59 IBM Security QRadar QNI – Completing the picture BASIC ENRICHED CONTENT • What is out there? • Who is talking to who? • What files and data are being exchanged? • Do they look malicious? • Do they contain any important or sensitive data? • Is this malicious application use? • Is this new threat on my network? • If so, it where is it and what did it do? Filling in the important gaps
60 IBM Security Addresses high-value threat detection and compliance use cases Malware Detection and Analysis Observe and analyze artifacts – names, properties, movement, suspect content Phishing Email and Campaign Detection Pre-empt and react to malicious emails by analyzing sources, targets, subject, and content Data Exfiltration Detection Identify and track files – DNS anomalies, sensitive content, aberrant connections, aliases Lateral Movement Attack Detection Trace anomalous communications - recon, data transfers, rogue/malicious actors Identify Compliance Gaps Continuous monitoring of enterprise, industry and regulatory policy compliance User Behavior Analytics Recognize high-risk users – targets for phishing, negative sentiment, suspicious behaviors Discover the network and services Discover servers, devices, endpoints, applications, services and create and inventory Improve threat detection accuracy with context Bring additional context to anomalous behaviors
61 IBM Security In 2012, 38% of targets were attacked again once the original incident was remediated. QRadar Incident Forensics – Responding quickly to incidents Attackers spend an estimated 243 days on a victim’s network before being discovered Has our organization been compromised? When was our security breached? How to avoid becoming a repeat victim? What resources and assets are at risk? What type of attack is it? How do we identify the attack?
62 IBM Security Our Security Intelligence platform delivers powerful capabilities IT Security Operations Teams Tells you exactly when an incident occurred Delivers intelligence to guide forensics investigations Merges powerful forensics capability with simplicity Next generation network forensics: know what happened, fast Introducing QRadar Incident Forensics Leveraging the strengths of QRadar to optimize the process of investigating and gathering evidence on advanced attacks and data breaches • Visually construct threat actor relationships • Builds detailed user and application profiles across multiple IDs • Full packet capture for complete session reconstruction • Unified view of all flow, user, event, and forensic information • Retrace activity in chronological order • Integrated with QRadar to discover true offenses and prioritize forensics investigations • Enables search-driven data exploration to return detailed, multi-level results in seconds
63 IBM Security Providing complete coverage and enhanced threat detection Network Tap QRadar QRadar Network Insights QRadar Incident Forensics QRadar Network Packet Capture Incident Detection & Qualification Root Cause Analysis QRadar Processors Endpoint Network Cloud Additional Context
64 IBM Security IBM QRadar Vulnerability Manager  First VA solution integrated with Security Intelligence  Dramatically improving actionable information through rich context  Reducing total cost of ownership through product consolidation  Providing unified view of all vulnerability information Log Manager SIEM Network Activity Monitor Forensics Vulnerability Manager Security Intelligence is extending and transforming Vulnerability Management – just as it did to Log Management Solution Highlights
65 IBM Security Not Active: By leveraging Network Insights, QVM can tell if the vulnerable application is active Patched: By leveraging BigFix, QVM understands what vulnerabilities will be patched Blocked: By leveraging network topology, QVM can understand what vulnerabilities are blocked by firewalls and IPSs and XGS Critical: By leveraging its vulnerability knowledge base, remediation flow and QRM policies, QVM can identify business critical vulnerabilities At Risk: By utilizing X-Force threat and SIEM security incident data, coupled with QFlow network traffic visibility, QVM can tell if vulnerable assets are communicating with potential threats Exploited: By leveraging SIEM correlation and XGS data, QVM can reveal what vulnerabilities have been exploited IBM QRadar Vulnerability Manager: How it works

More Related Content

PDF
IBM Qradar & resilient
byPrime Infoserv
 
PPTX
Take your SOC Beyond SIEM
byThomas Springer
 
PDF
IBM QRadar Security Intelligence Overview
byCamilo Fandiño Gómez
 
PDF
IBM QRadar Security Intelligence Overview
byCamilo Fandiño Gómez
 
PDF
A New Remedy for the Cyber Storm Approaching
bySPI Conference
 
PDF
Security Operations and Response
byxband
 
PPTX
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
byIBM Security
 
PPTX
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
byFrancisco González Jiménez
 
IBM Qradar & resilient
byPrime Infoserv
 
Take your SOC Beyond SIEM
byThomas Springer
 
IBM QRadar Security Intelligence Overview
byCamilo Fandiño Gómez
 
IBM QRadar Security Intelligence Overview
byCamilo Fandiño Gómez
 
A New Remedy for the Cyber Storm Approaching
bySPI Conference
 
Security Operations and Response
byxband
 
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
byIBM Security
 
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
byFrancisco González Jiménez
 

Similar to QRadar Security Intelligence Overview.pptx

PDF
Introduction to QRadar
byPencilData
 
PPTX
IBM Security QRadar
byVirginia Fernandez
 
PDF
IBM Security Strategy Overview
byxband
 
PPTX
Detect and Respond to Threats Better with IBM Security App Exchange Partners
byIBM Security
 
PPTX
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
byLuigi Delgrosso
 
PPT
Avoiding data breach using security intelligence and big data to stay out of ...
byIBM Security
 
PPSX
IBM: Cognitive Security Transformation for the Enrgy Sector
byFMA Summits
 
PPT
Ibm security overview 2012 jan-18 sellers deck
byArrow ECS UK
 
PPTX
IBM Security Portfolio - 2015
byIBM Thailand Co Ltd
 
PDF
Leverage Big Data for Security Intelligence
byStefaan Van daele
 
PDF
Tecnologie a supporto dei controlli di sicurezza fondamentali
byJürgen Ambrosi
 
PDF
Ibm security products portfolio
byPatrick Bouillaud
 
PDF
Information Risk and Protection
byxband
 
PPTX
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
byIBM Security
 
PPTX
Security Intelligence: Finding and Stopping Attackers with Big Data Analytics
byIBM Security
 
PDF
Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with T...
byIBM Security
 
PPTX
Stopping Advanced Attacks on their Onset: A Practical Look at Modern Day Prev...
byIBM Security
 
PDF
Big Data - Amplifying Security Intelligence
byIBM Danmark
 
PPTX
Cloud security enforcer - Quick steps to avoid the blind spots of shadow it
byIBM Security
 
PDF
[RakutenTechConf2013] [A-0] Security Meets Analytics
byRakuten Group, Inc.
 
Introduction to QRadar
byPencilData
 
IBM Security QRadar
byVirginia Fernandez
 
IBM Security Strategy Overview
byxband
 
Detect and Respond to Threats Better with IBM Security App Exchange Partners
byIBM Security
 
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
byLuigi Delgrosso
 
Avoiding data breach using security intelligence and big data to stay out of ...
byIBM Security
 
IBM: Cognitive Security Transformation for the Enrgy Sector
byFMA Summits
 
Ibm security overview 2012 jan-18 sellers deck
byArrow ECS UK
 
IBM Security Portfolio - 2015
byIBM Thailand Co Ltd
 
Leverage Big Data for Security Intelligence
byStefaan Van daele
 
Tecnologie a supporto dei controlli di sicurezza fondamentali
byJürgen Ambrosi
 
Ibm security products portfolio
byPatrick Bouillaud
 
Information Risk and Protection
byxband
 
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
byIBM Security
 
Security Intelligence: Finding and Stopping Attackers with Big Data Analytics
byIBM Security
 
Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with T...
byIBM Security
 
Stopping Advanced Attacks on their Onset: A Practical Look at Modern Day Prev...
byIBM Security
 
Big Data - Amplifying Security Intelligence
byIBM Danmark
 
Cloud security enforcer - Quick steps to avoid the blind spots of shadow it
byIBM Security
 
[RakutenTechConf2013] [A-0] Security Meets Analytics
byRakuten Group, Inc.
 

Recently uploaded

PPTX
Analysis Intelligence in Cyber Protection.pptx
byOmar Fernandez
 
PDF
GTI Solution Overview.pdf useful for security solution
by33fastfast
 
PPTX
Social media app presentation snapgram.pptx
byrayessafa21
 
PDF
WAN-IFRA World Press Trends 2025-26 key insights
byDamian Radcliffe
 
PDF
diznijevi junaci na paradi panini album.pdf
byStefanFilipovic9
 
PPTX
A QUIZ ABOUT THE HISTORY OF MICROSOFT WORD
byzoenadiajara1
 
PPTX
Introduction to Multi-dimentional array.pptx
byOmar Fernandez
 
PPTX
How Big Brands are Taking Your Traffic in Alberta [Data Inside].pptx
byVisibility Drip
 
Analysis Intelligence in Cyber Protection.pptx
byOmar Fernandez
 
GTI Solution Overview.pdf useful for security solution
by33fastfast
 
Social media app presentation snapgram.pptx
byrayessafa21
 
WAN-IFRA World Press Trends 2025-26 key insights
byDamian Radcliffe
 
diznijevi junaci na paradi panini album.pdf
byStefanFilipovic9
 
A QUIZ ABOUT THE HISTORY OF MICROSOFT WORD
byzoenadiajara1
 
Introduction to Multi-dimentional array.pptx
byOmar Fernandez
 
How Big Brands are Taking Your Traffic in Alberta [Data Inside].pptx
byVisibility Drip
 

QRadar Security Intelligence Overview.pptx

  • 1.
    CONQUER THE UNKNOWN SENSEIT AND ACT Chris Meenan December 27, 2023 Director QRadar Offering Management and Strategy IBM #QRADAR
  • 2.
    2 IBM Security Today’ssecurity challenges COMPLIANCE HUMAN ERROR SKILLS GAP ADVANCED ATTACKS INNOVATION TIME
  • 3.
    3 IBM Security Conquerthe unknowns Manage Risks and Vulnerabilities Insider Threats Incident Response Secure the Cloud Critical Data Protection Advanced and Persistent Threats Compliance
  • 4.
    4 IBM Security SenseAnalytics© Threat Detection One Platform, Unified Visibility The Power to Act – at Scale • Smart analytics with search, rules, machine learning and cognitive capabilities to detect abnormal behaviors across users, entities, applications and data • Discover real time and low and slow threats, bringing hidden indicators of attack and risks to the surface • Find and prioritize weaknesses before they’re exploited • Collects billions of events on premises or in the cloud per day • Unifies threat monitoring, vulnerability and risk management, forensics and incident response • Open platform with IBM App Exchange delivering deep and automated integration with many IBM and third-party sources and security applications • Intelligent incident prioritization and comprehensive insights • Uses the power of threat intelligence and collaboration with IBM X-Force® and the IBM App Exchange • Enables fully integrated incident response with Resilient Incident Response • Powered by cognition to make users more effective IBM QRadar – The SOC Platform “Leveraging better integration, visibility, and intelligence from a platform approach to security monitoring and analytics reduces the time to identify, investigate, and remediate security-related incidents – which translates to a proportional reduction in business impact: twice fast, half the risk” The Business Value of A Security Monitoring and Analytics Platform – Aberdeen Group 2017
  • 5.
    5 IBM Security EventCorrelation and Log Management IBM QRadar Security Intelligence SIEM LAYER Incident Response Orchestration Cognitive Security Threat Intelligence Hunting User and Entity Behavior ABOVE THE SIEM New Security Operations Tools BELOW THE SIEM IBM QRadar – An integrated ‘Above SIEM’ solution for the SOC
  • 6.
  • 7.
    7 IBM Security AdvancedThreat Detection : How can organizations… Address these concerns: • Identify threats in real time and escalate to identify the most critical ones to focus on • Detect long and slow attacks • Avoid alert fatigue and minimize the chance of missing alerts in the noise of event data • Identify threat actors, malware, campaigns and the attack vectors exploited in the face of skills and knowledge gaps and ever growing threat variety
  • 8.
    8 IBM Security Advancedand persistent threats SINGLE, REAL-TIME ATTACK VIEW Intelligently gathers all attack related activities into a single pain of glass and updates in real time as attack unfolds minimizing noise BUSINESS DRIVEN PRIORITIZATION Automatically adjusts severity based on business impact, and evidence as attack progresses COGNITIVE ANALYSIS Accelerates alert triage and threat discovery with cognitive incident analysis COMPREHENSIVE INVESTIGATION Enables full forensics analysis of log, network PCAP, and Endpoint data from single screen Asset Database Vulnerability Data Network Behaviour Analytics Threat Intelligence Cognitive Analysis Event has been triggered against a high profile asset Asset is vulnerable to this specific attack Network analytics detects abnormal behaviour Outbound connection has connected to a known ‘bad’ site Watson reveals wider campaign, Malware other IOCs INCIDENT ALERT
  • 9.
    9 IBM Security InsiderThreats : How can organizations… Address these concerns: • Have credentials been stolen via phishing or malware account takeover • Are credentials being misused • Are there double earners and career jumpers stealing customer data and/or intellectual property • Are users performing activities that are putting themselves and the organization at increased risk
  • 10.
    10 IBM Security Identifyinsider threats IDENTIFY AT RISK USERS Account takeover, disgruntled employees, malware actions STREAMLINED INCIDENT INVESTIGATIONS Immediate insights into risky user behaviors, action and activity history 360°ANALYSIS Performs analysis of activities at the end point, insights from network data, and cloud activities FAST TIME TO VALUE Deploys in minutes from the IBM App Exchange and leverages existing QRadar data sets immediately Behavioural and peer group analytics Network Threat Analytics Machine Learning Cloud Analytics Cognitive Analysis Unusual resource access Sensitive customer data copied Unusual amounts of data copied to file sharing/social media Abnormal salesforce Account access Watson reveals account compromised by spyware Risk Level
  • 11.
    11 IBM Security CloudSecurity : How can organizations… Address these concerns: • What cloud services are being used and who is using them • Identify malicious and suspicious activities in cloud services • Insider threats and stolen credentials being used to access cloud services • Copying of sensitive and customer data to unapproved cloud services
  • 12.
    12 IBM Security Securingthe cloud IDENTIFY CLOUD APPS BEING USED Analyses proxy logs, with threat intelligence from IBM X-Force, combined with asset and use data to determine who is using what, how much they are using, and how risky it is BUSINESS APPS VISIBILITY Native cloud usage collection enabling visibility into what is going on in my environment (O365, Salesforce, AWS, etc.) and if it is it malicious QUICKLY FIND THREATS IN THE CLOUD Immediately discovers malicious activities in the cloud using out of the box analytics and Apps from the App Exchange Entity behavioural Analytics X-Force Threat Intell Network Threat Analytics Machine Learning User Behaviour Analysis Discover cloud services What Risk do they pose Is customer, sensitive, potentially malicious data being transferred Office 365 access location abnormal User account has been compromised Risk Level
  • 13.
    13 IBM Security Vulnerabilitiesand Risks : How can organizations… Address these concerns: • Where are my highest risks • What vulnerabilities do I have that are being actively attacked • Are my critical data and systems exposed • Use real-time vulnerability data to prioritize threats • Exposure to current high risk vulnerabilities and malware campaigns
  • 14.
    14 IBM Security Riskand vulnerability management SINGLE VIEW OF VULNERABILITIES Single centralized view of all vulnerabilities with their status from multiple sources including endpoint, remote and internal vulnerability assessment technologies PRIORITIZE BY THREAT AND BUSINESS IMPACT Combines threat intelligence, vulnerability status, security telemetry data, and network communications to assess true vulnerability risk to exploitation from threats WHAT IS BEING EXPLOITED Reveals what vulnerabilities are being actively exploited within the organization, and in the wild by threat actors and malware that represent a significant risk and need to be addressed urgently INCREASED VISIBILITY Built in scanner for quickly configured scanner and event driven scanning lowering risk of new asset / device vulnerability Built-in and 3rd party support Network topology analysis X-Force Threat Intell Network topology analysis Threat Detection Correlation Discover vulnerabilities Understand Risk of exploitation from threats and malware campaigns Entities being accessed by untrusted and suspect sources Vulnerabilities being activity exploited in the infrastructure Risk Level Patches available but not applied
  • 15.
    15 IBM Security CriticalData : How can organizations… Address these concerns: • What data do I have • Where is it • What is the nature of it, is it critical, PII or sensitive data • What systems and users can access it • Is it at risk to exploitation, exfiltration and compromise
  • 16.
    16 IBM Security Criticaldata protection and GDPR FIND IT Automatically identifies servers, services, databases, apps, and devices through real-time behavioral profiling of log, flow and vulnerability data. WHO CAN ACCESS IT Collects infrastructure topology configuration determining who is allowed to access servers, services and apps WHERE DOES IT GO Utilizes network insights to track network communications, behavior and content to identify critical data movement and exfiltration IDENTIFY EXFILTRATION Analyses DLP, network insights, threat intelligence and user behaviors to highlight risky data transfer Behavioural Analytics and Profiling Vulnerability Scanning and Integration x-Force Threat Intell Network Threat Analytics Context Driven prioritization Discover File, Database And Applications Identify Vulnerability Risk Entities being accessed by potentially malicious sources Personal Identification and business data detected within network Security incident detected Severity automatically increased Risk Level
  • 17.
    17 IBM Security IncidentResponse : How can organizations… Address these concerns: • Understand step by step what happened in a security incident and breach • Respond quickly and effectively to a security incidents • Maintain compliance with breach and security incident response requirements • Understand what threats the organization is experiencing and the effectiveness and cost of response and management • Be ready to respond to a breach or the next major zero day
  • 18.
    18 IBM Security Orchestratedresponse ORCHESTRATED RESPONSE ALIGNING PEOPLE , PROCESS AND TECHNOLOGY Optimized, dynamic response plans with orchestration / automation functions and collaboration tools reduce skills dependencies and improve response times AUTOMATED, INTELLIGENT ENRICHMENT Identify affected assets. Gather related system information, forensic evidence, and threat intelligence to inform decisive action. REGULATORY INTELLIGENCE Ensure compliance with global privacy breach disclosure requirements DRIVE CONTINUOUS IMPROVEMENT Tabletop simulations test your people, process, and technology and provide training, too. Cognitive analytics Endpoint Integration Network Insights and PCAP Orchestration and Playbooks Built-in compliance intel End point activity visibility And Action Network data forensics gathering additional evidence Orchestrated response with best practice playbooks and automated response Co-ordinated response across Sec Ops, IT, Legal and Comms Response Speed Incident analysis and root cause
  • 19.
  • 20.
    20 IBM Security Agile,elastic, cloud-enabled platform IBM QRadar Security Intelligence Platform SAAS, Term or Perpetual • Available as SAAS from IBM Cloud • Cloud deployment in AWS, Azure and IBM Cloud • On premise and hybrid deployment as appliance, virtual or software node SCALABLE ELASTIC ARCHITECTURE • Easy-to-deploy, scalable model using clustered distributed nodes • Offers automatic failover and disaster recovery • Supports multi-tenanted deployment for MSSP and large enterprises
  • 21.
    21 IBM Security Drivingsimplicity and accelerated time to value • Automatic discovery, interpretation and classification of security data sources • Immediate discovery of network assets, devices, users and applications • Out-of-the-box threat detection, intelligence and compliance reports • Automated updates of threats, vulnerabilities • 100+ certified apps to jump start security operations and integrations • Built in Resilient response plans and regulatory compliance mandates “These tools enable us to manage more than 2.2 million events daily and still keep our heads above water.” David Shipley, Director of Strategic Initiatives and IT University of New Brunswick “IBM QRadar is nearly three times faster to implement across the enterprise than other SIEM solutions.” 2014 Independent Research Study Ponemon Institute, LLC
  • 22.
    22 IBM Security Anassistant ready to help ENSURE QRADAR DEPLOYMENT IS FULLY OPTIMIZED AND EFFECTIVE Supports simple and easy deployment of apps, use cases and system optimization IDENTIFY NEW AND UPDATED USE CASES Analyses QRadar environment (e.g., data and apps) and recommends new and updated apps and content packs (use cases) CONFIGURATION CHANGES Analyses QRadar environment recommends configuration changes HELP CENTER Easily get help with use cases, support, tips, user groups, forums, open mics, services and much more
  • 23.
    23 IBM Security Empoweryour team with a cognitive advisor APPLIED COGNITIVE SECURITY • Tap a vast amount of external security knowledge to investigate and qualify alerts from any source • Actionable insights derived from both local context and external threat intelligence • Precise and evidence driven analysis that can be reviewed and taught BENEFITS • Accelerates alert triage with more automation and analysis depth • Reduces risk of missing threats • Optimizes incident response processes with comprehensive threat information and data • Increases SOC Analyst learning and awareness of threat environment
  • 24.
    24 IBM Security Vibrantecosystem ensures success today and in the future COLLABORATE Share and action threat intel. Build and share new security intelligence use cases and apps INNOVATION New agile capabilities from customers, partners, IBM, Security research and other vendors VALIDATED CONTENT Tested, validated content minimizing risk, ensuring consistency and quality SPEED Jump start security operations with feature rich extensions and integrations DIFFERENTIATION Enables service provider and business partner value add and differentiation
  • 25.
    25 IBM Security IBMSecurity Intelligence and Operations Services Assess, plan and develop your security maturity and operations Build next generation security operations • Deploy intelligence-driven security capabilities • Optimize your ability to react to and contain events, while reducing impact Assess and transform your security posture • Identify capability gaps, plan and deploy a robust strategy and roadmap to close them • Gain insight to prioritize security investments OPTIMIZED BASIC PROFICIENT PLAN DEPLOY OPTIMIZE BUILD DESIGN
  • 26.
    26 IBM Security Andlocal partners to assist Assess, plan and develop your security maturity and operations
  • 27.
    27 IBM Security AdvancedThreat Detection Insider Threat Securing the Cloud Risk and Vuln Management A security operations platform for todays and tomorrows needs Critical Data Protection Compliance Incident Response Fast to deploy, easy to manage, and focused on your success
  • 28.
    28 IBM Security Learnmore about IBM Security countries where IBM delivers managed security services industry analyst reports rank IBM Security as a LEADER fastest growing of the Top 5 security vendors clients protected including… 133 25 No. 1 12K+ 90% of the Fortune 100 companies Join IBM X-Force Exchange xforce.ibmcloud.com Visit our website ibm.com/security Watch our videos on YouTube IBM Security Channel Read new blog posts SecurityIntelligence.com Follow us on Twitter @ibmsecurity
  • 29.
    ibm.com/security securityintelligence.com xforce.ibmcloud.com @ibmsecurity youtube/user/ibmsecuritysolutions © Copyright IBMCorporation 2017. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party. FOLLOW US ON: THANK YOU
  • 30.
    IBM QRadar Evidenceof Leadership and Success
  • 31.
    31 IBM Security IBMQRadar security intelligence by the numbers 6K+ customers 100+ applications 10+ threat intelligence sources (STIX / TAXII, X-Force, Threatstream, Recorded Future, FireEye, RiskIQ, Threat Connect, Custom) 1,664 unique report (e.g., Compliance, Configuration and Change Management, Executive, Log Source, Network Management, Security, Usage Monitoring, Virtual Infrastructure, Vulnerability Management) 632 correlation rules / building blocks 500+ supported devices, systems, applications and cloud services 20 third-party vulnerability scanners (e.g., Qualys, Rapid7, Tenable, Tripwire, AppScan, …) 5 flow sources (NetFlow, J-Flow, sFlow, vFlow, and QFlow) 1.5M+ EPS implementations < 5 month average to fully implement
  • 32.
    32 IBM Security ~67%replaced an average of 6 other security solutions with QRadar ~33% of the time to deploy than other SIEM vendors 70% did not need Lab Services to install QRadar 80% recognized value within a week 79% reduced time spent on investigations 80% reduced time to find threats and malicious activities with QRadar Independent QRadar Study by Ponemon Institute
  • 33.
    34 IBM Security SomeKey Messages From QRadar Customers 70 percent of respondents say it was not necessary to purchase any additional professional services to help with QRadar since the initial implementation. If they did, on average 2 days were purchased.
  • 34.
    35 IBM Security Outof the Box Most companies see value in out-of-box correlation rules. 48 percent of respondents say it is very valuable and 39 percent say it is somewhat valuable. Only 2 percent say it is not very valuable. On average, 29 custom correlation values have been developed.
  • 35.
    36 IBM Security Valueof our correlation + behavior + contextual data Respondents see an average of 15.4 QRadar offenses on a daily basis. Sixty-four percent say they are able to investigate all the daily offenses generated.
  • 36.
    37 IBM Security Adaptiveintegration with ecosystem partners Ready for IBM Security Intelligence IBM PartnerWorld 100+ ecosystem partners, 500+ QRadar integrations
  • 37.
    38 IBM Security Analystrecognition IBM Security Intelligence  Leader in the Gartner Magic Quadrant since 2009 Security Information and Event Management (SIEM)  #1 in Forrester Security Analytics Wave  #1 in Cyber Security Analytics Platform Frost and Sullivan  “IBM Security has excelled in delivering a platform with extensive capabilities in cybersecurity analytics. It has been able to provide security solutions with notable wins across multiple verticals as well as innovation to bring extended capabilities, such as user behaviour analytics, into the fold. IBM has continuously expanded its capabilities in developing the cognitive security operations center (SOC) through rapid integration of QRadar with Watson, which helps customers achieve an automated and secure IT infrastructure.” Frost and Sullivan
  • 38.
    39 IBM Security Alarge European banking company (ABLV) gained superior threat detection and a richer view of enterprise activities 1 million:1 Reduction in security events 99 percent Decreased investigation time with immediate detection and notification of anomalies Business challenge  Integrate data from disparate systems and application sources in order to better detect and respond to threats. IBM Security Intelligence and Sense Analytics solutions Gained superior threat detection and a richer view of enterprise activities, realizing a 1 million:1 reduction in security events, 99 percent decrease in investigation time, and immediate detection and notification of anomalies. Detect, analyze, and prioritize threats
  • 39.
    40 IBM Security Aninternational energy company reduces billions of events per day to find those that should be investigated An international energy firm analyzes 2 billion events per day to find 20-25 potential offenses to investigate Business challenge  Reducing huge number of events to find the ones that need to be investigated  Automating the process of analyzing security data IBM Security Solutions (QRadar SIEM, QFlow, Risk Manager) Combined analysis of historical data with real-time alerts to gain a ‘big picture’ view and uncover patterns of unusual activity humans miss and immediately block suspected traffic Optimize threat analysis
  • 40.
    41 IBM Security Afinancial information provider hardens defenses against threats and fraud financial information provider tracks 250 activity baselines Business challenge  Detect wide range of security threats affecting public-facing Web applications  Help identify subtle changes in user behavior that could indicate fraud or misuse  Exceed ISO 27001 standard IBM Security Solutions (QRadar SIEM, QFlow, X-Force, Network IPS) Combine analysis of historical data with real-time alerts to gain a ‘big picture’ view and uncover patterns of unusual activity humans miss and immediately block suspected traffic and saved 50-80% on staffing versus alternative solutions Optimize risk management
  • 41.
    42 IBM Security Cognitive Security UserBehavior Analytics Easily and quickly deployed solution for Insider threats available from the App Exchange delivering insights and value in minutes Incident Response Build and execute an automated incident response plans App Exchange and EcoSystem Open collaborative app exchange and platform enabling easily deployable secure apps on QRadar fast tracking security operations rollout and delivering real agility QRadar on Cloud Flexible solution that can deploy as either a true SaaS offering or combine with hybrid cloud environments to improve visibility into cloud-based applications Network Forensics Incident forensics and packet captures CyberTap Client Needs Vulnerability and Risk Management Real-time vulnerability scanning and threat based prioritization Platform evolution based on client needs IBM QRadar: Continued innovation based on client needs 2013 2014 2015 2015 2016 2016 2017 Innovative cognitive solution to address SOC workload and skill shortages deployed quickly and easily from the App Exchange
  • 42.
    43 IBM Security COGNITIVE,CLOUD, and COLLABORATION Interpret, learn and process shared security intelligence, that is designed by and for humans, at a speed and scale like never before INTELLIGENCE, INTEGRATION, and ORCHESTRATION Leverage analytics to collect and make sense of massive amounts of real-time data flow, prioritize events, and detect high-risk threats in real-time The next era of security PERIMETER CONTROLS Deploy static defenses to guard or limit the flow of data, including firewalls antivirus software and web gateways
  • 43.
  • 44.
    45 IBM Security Nextgeneration SOC functions THREAT INTELLIGENCE External data feeds on malicious entities THREAT HUNTING Searching cyber investigations SECURITY ANALYTICS Aggregation, automated detection, and use cases INCIDENT RESPONSE Orchestrated security response
  • 45.
    46 IBM Security IBMQRadar component architecture IBM QRadar Security Intelligence IBM QRadar Data Node IBM QRadar Processor IBM QRadar Collector Deployed in the cloud IBM QRadar Network Insights IBM QRadar Scanner IBM QRadar Network Insights IBM QRadar Forensics IBM QRadar Packet Capture IBM QRadar Network Insights IBM QRadar App Node
  • 46.
    47 IBM Security Prioritizedincidents and user risk Incident identification • Extensive data collection, storage, and analysis • Real-time correlation, behavioural and threat intelligence • Automatic asset, service and user discovery and profiling • Activity baselining and anomaly detection • Easily deployed use cases from App Exchange Embedded Intelligence QRadar Sense Analytics Servers and mainframes Data activity Network and virtual activity Application activity Configuration information Security devices Users and identities Vulnerabilities and threats Global threat intelligence EXTENSIVE DATA SOURCES IBM Sense Analytics Advanced analytics for threat prevention, detection, and response
  • 47.
    48 IBM Security Prioritized incidents Embedded Intelligence Extendclarity around incidents and risks with in-depth forensics data IDENTIFICATION • Data collection, storage, and analysis • Real-time correlation and threat intelligence • Automatic asset, service and user discovery and profiling • Activity baselining and anomaly detection REMEDIATION • Incident forensics • Around-the-clock management, monitoring and protection • Incident response EXTENSIVE DATA SOURCES
  • 48.
    49 IBM Security IBMQRadar Intelligence and Analytics Platform Advanced Threat Detection Insider Threat Detection Risk & Vulnerability Management Critical Data Protection Incident Response Compliance Reporting Securing Cloud USE CASES ACTION ENGINE COLLECTION DEPLOYMENT MODELS Behavior-Based Analytics PRIORITIZED INCIDENTS Context-Based Analytics Time-Based Analytics QRadar Sense Analytics Third-Party Usage Automation Workflows Dashboards Visualizations ON PREM AS A SERVICE CLOUD HYBRID Business Systems Cloud Infrastructure Threat Intel Applications Capability and Threat Intelligence Collaboration Platforms App Exchange X-Force Exchange
  • 49.
    50 IBM Security QRadarAPI Components IBM QRadar SDK for app development and sharing New open API for rapid innovation and creation Insider Threats Internet of Things Incident Response Cybersecurity Use Cases • Market, technology, business specific solutions • Service provider differentiation • Seamlessly integrated workflow • Economic and operational benefit • More flexibility and less complexity
  • 50.
    51 IBM Security Examples CareSysBusiness Partner Carbon Black Technology Partner QRadar UBA SAP Security Monitoring
  • 51.
    52 IBM Security IBMSecurity App Exchange VALIDATED CONTENT Tested, validated content minimizing risk, ensuring consistency and quality INNOVATION New agile capabilities from partners, IBM, Security research and other vendors DIFFERENTIATION Enables service provider and business partner value add and differentiation SPEED Jump start security operations with feature rich extensions and integrations A Platform for Security Intelligence Collaboration Single collaboration platform for rapidly delivering new apps and content for IBM Security solutions
  • 52.
    53 IBM Security ExtendingQRadar to the Cloud FLEXIBLE A full suite of upgradeable security analytics offerings. Try buy (Q1 2017) COST EFFECTIVE Acquire and deploy quickly with no CapEx to purchase CHOICE Datacenters in Washington, Toronto, Dallas, Sau Paulo, Frankfurt, with more to come MULTI TENANT FOR MSSP Supports multi-tenanted for MSSP cost effectiveness PEACE OF MIND Trusted IBM security service professionals available to provide guidance and meet your security requirements • Cloud-based offering of the #1 Security Intelligence solution • Protects against threats and reduces compliance risk • Leverages real-time threat intelligence from X-Force • Collects data from both on-premise and cloud resources Threat Indicators Security devices Servers and mainframes Network and virtual activity Data activity Application activity Configuration information Vulnerabilities and threats Users and identities
  • 53.
    54 IBM Security QRadarfor Managed Security Service Providers MULTI-TENANT Enables secure, rapid and cost effective delivery of security intelligence services SAAS OPTION Technology quickly delivered globally from the IBM cloud as a service, with global datacenters SCALABLE Scales from smallest to largest customers with centralized management and eyes on glass AUTOMATED Drives simplicity and accelerates time-to-value for service providers Elastic architecture Shared modular infrastructure • New centralized views and incident management • Mixed single- and multi-tenanted deployment options • True horizontal, snap-on scalability capabilities • Extensive APIs and SDK for enterprise integration, extension and differentiation • System configuration template support • Cloud ready with support for 400+ out-of-the-box devices Sense Analytics Threat Detection One Platform, Unified Visibility The Power to Act – at Scale • Behavioral • Contextual • Temporal • Extensible • Scalable • Easily deployed • Prioritization • Collaboration of threat data • Automated response
  • 54.
    55 IBM Security TraditionalSIEM 7 products from 7 vendors IBM Security Intelligence and Analytics Flows Packets Vulnerabilities Configurations Logs Events Response IBM Security QRadar Security Intelligence Platform UBA Reduce costs, increase visibility with an integrated platform An integrated, unified architecture in a single web-based console
  • 55.
    56 IBM Security Compliance– Comprehensive solutions
  • 56.
    57 IBM Security Cyberthreats rely on our networks to carry our their objectives • >99% of cyber attacks traverse the network in some way – Email/Web – Reconnaissance – Command and control – Data collection… • Only insider attacks collecting local system data and posting it to removable media do not – Source: Enterprise Management Associates (EMA) • Threat activity inherently leaves a trail of evidence across our networks – So the data needed to detect these threats is there if you look deep enough Most-common attack types1
  • 57.
    58 IBM Security Bringingvisibility to today’s cyber security challenges • Session reconstruction and application analysis • Extraction of key metadata and content • Full payload and application content analysis • Real-time analysis of network traffic • Intrinsic Suspect Content detection
  • 58.
    59 IBM Security QRadarQNI – Completing the picture BASIC ENRICHED CONTENT • What is out there? • Who is talking to who? • What files and data are being exchanged? • Do they look malicious? • Do they contain any important or sensitive data? • Is this malicious application use? • Is this new threat on my network? • If so, it where is it and what did it do? Filling in the important gaps
  • 59.
    60 IBM Security Addresseshigh-value threat detection and compliance use cases Malware Detection and Analysis Observe and analyze artifacts – names, properties, movement, suspect content Phishing Email and Campaign Detection Pre-empt and react to malicious emails by analyzing sources, targets, subject, and content Data Exfiltration Detection Identify and track files – DNS anomalies, sensitive content, aberrant connections, aliases Lateral Movement Attack Detection Trace anomalous communications - recon, data transfers, rogue/malicious actors Identify Compliance Gaps Continuous monitoring of enterprise, industry and regulatory policy compliance User Behavior Analytics Recognize high-risk users – targets for phishing, negative sentiment, suspicious behaviors Discover the network and services Discover servers, devices, endpoints, applications, services and create and inventory Improve threat detection accuracy with context Bring additional context to anomalous behaviors
  • 60.
    61 IBM Security In2012, 38% of targets were attacked again once the original incident was remediated. QRadar Incident Forensics – Responding quickly to incidents Attackers spend an estimated 243 days on a victim’s network before being discovered Has our organization been compromised? When was our security breached? How to avoid becoming a repeat victim? What resources and assets are at risk? What type of attack is it? How do we identify the attack?
  • 61.
    62 IBM Security OurSecurity Intelligence platform delivers powerful capabilities IT Security Operations Teams Tells you exactly when an incident occurred Delivers intelligence to guide forensics investigations Merges powerful forensics capability with simplicity Next generation network forensics: know what happened, fast Introducing QRadar Incident Forensics Leveraging the strengths of QRadar to optimize the process of investigating and gathering evidence on advanced attacks and data breaches • Visually construct threat actor relationships • Builds detailed user and application profiles across multiple IDs • Full packet capture for complete session reconstruction • Unified view of all flow, user, event, and forensic information • Retrace activity in chronological order • Integrated with QRadar to discover true offenses and prioritize forensics investigations • Enables search-driven data exploration to return detailed, multi-level results in seconds
  • 62.
    63 IBM Security Providingcomplete coverage and enhanced threat detection Network Tap QRadar QRadar Network Insights QRadar Incident Forensics QRadar Network Packet Capture Incident Detection & Qualification Root Cause Analysis QRadar Processors Endpoint Network Cloud Additional Context
  • 63.
    64 IBM Security IBMQRadar Vulnerability Manager  First VA solution integrated with Security Intelligence  Dramatically improving actionable information through rich context  Reducing total cost of ownership through product consolidation  Providing unified view of all vulnerability information Log Manager SIEM Network Activity Monitor Forensics Vulnerability Manager Security Intelligence is extending and transforming Vulnerability Management – just as it did to Log Management Solution Highlights
  • 64.
    65 IBM Security NotActive: By leveraging Network Insights, QVM can tell if the vulnerable application is active Patched: By leveraging BigFix, QVM understands what vulnerabilities will be patched Blocked: By leveraging network topology, QVM can understand what vulnerabilities are blocked by firewalls and IPSs and XGS Critical: By leveraging its vulnerability knowledge base, remediation flow and QRM policies, QVM can identify business critical vulnerabilities At Risk: By utilizing X-Force threat and SIEM security incident data, coupled with QFlow network traffic visibility, QVM can tell if vulnerable assets are communicating with potential threats Exploited: By leveraging SIEM correlation and XGS data, QVM can reveal what vulnerabilities have been exploited IBM QRadar Vulnerability Manager: How it works