IBM QRADAR
Alessandra Pecorari, Technical Sales - Mobility & Endpoint Management Solutions
October 16, 2017
IBM's cognitive and security intelligence solutions for detecting cyber attacks (Le soluzioni cognitive e di security intelligence di IBM per rilevare attacchi informatici)
Giulia Caliari, Security Architect
2 IBM Security
Objectives: Information Security & Data Protection
• Protect public and private organizations in running their business
• Protect individuals (privacy and security)
• Protect the physical and economic security of the nation(s)
Security of services & critical information | Protection of personal data
3 IBM Security
The Italian landscape (major initiatives)
Cybersecurity
• December 2013 - National Strategic Framework for Cyberspace Security (Quadro strategico nazionale per la sicurezza dello spazio cibernetico)
• December 2013 - National Plan for Cyber Protection and IT Security (Piano nazionale per la protezione cibernetica e la sicurezza informatica)
• February 2016 - Italy's National Framework for Cybersecurity
• March 2017 - Essential Cybersecurity Controls (Controlli Essenziali di Cybersecurity)
• April 2016 – AGID: Minimum ICT Security Measures for Public Administrations (Misure Minime di Sicurezza ICT per le Pubbliche Amministrazioni)
• July 2016 - EU Network and Information Security Directive
• .......
Privacy
• DL196 of 2003 - Personal Data Protection Code (Codice in materia di protezione dei dati personali)
• Directive 95/46/EC - on the protection of individuals with regard to the processing of personal data and on the free movement of such data
• Framework Decision 2008/977/JHA - on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters
• Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR)
• Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data
4 IBM Security
SANS Security Controls & AGID Minimum Measures (Misure Minime AGID)
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configuration of End-User Devices
4. Continuous Vulnerability Assessment & Remediation
5. Controlled Use of Administrative Privileges
6. Maintenance, Monitoring, and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defense
9. Limitation & Control of Network Ports, Protocols, and Services
10. Data Recovery Capability
11. Secure Configuration of Network Devices
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Security Skills Assessment and Appropriate Training
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises
https://www.sans.org/critical-security-controls
https://www.cisecurity.org/controls/
5 IBM Security
IBM Security Immune System to address Critical Security Controls
[Diagram: the Critical Security Controls mapped onto the domains of the IBM Security Immune System. Control numbers follow the list above; the controls shown are 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 16, 17, 18, 19 and 20, several of them appearing under more than one domain.]
6 IBM Security
SANS Security Controls & AGID Minimum Measures (Misure Minime AGID): selected sub-controls
• Automated discovery based on «passive» tools
• DHCP logging to improve asset
• Automated vulnerability scanning tools
• Correlate event logs with information from vulnerability scans
• Subscribe to vulnerability intelligence services
• Establish a process to risk-rate vulnerabilities based on the exploitability and potential impact
• Deploy a SIEM … tools for log aggregation and consolidation … and for log correlation and analysis.
• Use network-based anti-malware tools to identi
• Ensure that only ports, protocols, and services with validated business needs are running on each system.
• Compare firewall, router, and switch configuration against standard secure configurations
• Use automated tools to verify standard device configurations and detect changes.
• Automated tool on network perimeters that monitors for sensitive information (..), keywords, … to discover unauthorized attempts to exfiltrate
• Monitor all traffic leaving the organization and detect any unauthorized use of encryption
• Monitor account usage to determine dormant accounts
• Monitor attempts to access deactivated accounts through audit logging.
• Profile each user's typical account usage
7 IBM Security
GDPR regulation: fundamental duties and obligations (Normativa GDPR: doveri e obblighi fondamentali)
Security of personal data – Art. 5, 24, 32 to 34
• ... appropriate security of the personal data, including protection ... against unauthorised or unlawful processing and against accidental loss, destruction or damage ("integrity and confidentiality").
• .. technical and organisational measures ... to ensure a level of security appropriate to the risk, ...
  • pseudonymisation and encryption;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience ..
  • the ability to restore .... in a timely manner
  • regularly testing and assessing the effectiveness of the measures ..
• .. account shall be taken in particular of the risks .. from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data
• Notification of a breach to the supervisory authority (Art. 33)
• Notification of a breach to the data subjects (Art. 34)
Accountability – Art. 5, 24 and others
• The controller shall be responsible for .... and able to demonstrate it ("accountability").
• Controllers and processors are obliged to demonstrate compliance with the principles of the Regulation, and therefore to record processing activities and their lawfulness, the collection of information and consents, management activities, the security measures adopted, accesses, etc.
• Obligation to keep "Records of Processing Activities" (Art. 30)
• Impact Assessment (Art. 35)
By Design and By Default – Art. 25
• "..appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing" in order to comply with the Regulation and protect the rights of the data subject
• "... by default, only personal data which are necessary ... are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility"
• ".. personal data are not made accessible to an indefinite number of natural persons .."
Lawfulness and Consent (Art. 5-8)
• Personal data shall be: processed lawfully, fairly and in a transparent manner ..; collected for specified, explicit and legitimate purposes ...; adequate, relevant and limited to what is necessary ..; kept in a form which permits identification of data subjects ...;
• Lawfulness (Art. 6)
• Consent (Art. 7 and 8)
Rights of European citizens – Art. 12 to 20 and others
• Transparency
• Right of access, rectification and erasure (right "to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object and automated decision-making
• Right to lodge a complaint and to a judicial remedy (Art. 77-79)
• Right to compensation (Art. 82)
[Diagram: wheel of GDPR obligation areas – Assessment & Clean Up, Archiving, Legal Curation, Records & Retention, By Design and By Default, Lawfulness and Consent, Accountability, Data Breaches, Knowledge of the data, Rights of European residents]
8 IBM Security
Information Security and Data Privacy: differences and interactions
Information Security and Data Privacy are correlated but different and must be managed accurately.
Information Security
Information security is all of the practices and processes that are in place to ensure data is not being accessed or used by unauthorized individuals or parties. It covers a wider array of data than personal data, because it includes the protection of all the information and assets managed for the business.
Organizational, technical and physical controls, mostly as per industry standards (ISO 27001). Some examples:
• Information Security Policy
• Security Risk Analysis, Security Risk Treatment Plan, Information Security appropriate organizational and technological Measures
• Security Incident Response Plan
• IAM (Identity and Access Management)
• SIEM (Security Information and Event Management)
• Data Security
• Firewalls
• Encryption
• Locks, guards, video surveillance
Data Privacy
Data privacy is concerned with establishing rules that govern the collection and handling of personal information. Handling personal data includes processing, use, transfer, sharing and deletion.
• Privacy Strategy Policy
• Privacy Risk Analysis, Privacy Risk Treatment Plan: Privacy appropriate organizational and technological Privacy Measures
• Privacy Treatment registrations
• Collection Minimization, Transparency
• Notice, Choice, Consent
• Purpose Specification, Use Limitation
• Data Security
• Access, Rectification and Erasure … Rights of Data Subjects
• Retention Periods
• 3rd Party Vendor Requirements
• Cross-border Export Restrictions
• Cross-border Access Restrictions
• Data Breach Notification
• Accountability
9 IBM Security
(Personal) Data Processing activities built upon a reliable infrastructure
[Diagram: actors (Users, DBA, App, Data, Infrastructure, Enterprise Rules) and the control domains applied to them, each with its activities:
• IT Hygiene: server & endpoint security; perimeter security
• Data Encryption: encrypt DBs; protect keys
• Real-Time Data Protection: discover & classify data; monitor and log activity; enforce policies; monitor DBAs
• Data Copy: extract data; mask data
• Application Quality: check app code security; correct vulnerabilities
• Identity Governance: audit the authorizations currently existing in the systems; manage re-certification campaigns; ensure separation of duty
• Privileged Identities: control admins
• Access Control: flexible policies; risk-based authentication; multi-factor & biometry
• Security Analytics and Incident Response: correlate events, traffic flows, behaviour analysis; identify incidents; forensic analysis; manage incidents
The analytics are fed by users activity, app activity, data activity and infrastructure activity.]
10 IBM Security
(Personal) Data Processing activities built upon a reliable infrastructure
[Diagram: the same infrastructure diagram as the previous slide, with the IBM products that cover each domain overlaid: Privileged Identity Manager, Identity Governance, Security Access Manager, AppScan, Guardium Data Protection, Guardium Data Encryption, BigFix, MaaS360, XGS, QRadar, Resilient.]
12 IBM Security
Is this really sustainable?
[Diagram: threats and alerts growing against the analysts available, the available time and the knowledge needed; panel "Quick Insights: Current Security Status"]
"93% SOC Managers Not Able to Triage All Potential Threats"
"42 percent of cybersecurity professionals working at enterprise organizations claim that they ignore a 'significant number of security alerts'"
"(31 percent) of organizations forced to ignore security alerts claim they ignore 50 percent or more security alerts because they can't keep up with the overall volume"
13 IBM Security
Evolving to meet current and future security operations needs with cognitive enabled cyber security
Cognitive security solutions harness the power of language comprehension in performing threat research, apply deductive reasoning and self-learning capabilities to direct security practitioners to contextually relevant information and deliver advice on the course of action.
[Diagram: maturity stages plotted against increasing data volumes, variety and complexity (horizontal axis) and increasing attack and threat sophistication (vertical axis): Grep / Search → Pattern Matching → Correlation and rules → Behavioral Analytics → Cognition. The earlier stages provide recognition of threats & risks; cognition adds reasoning about threats & risks.]
Helping security teams not only detect that a security threat exists but also resolve the what, how, why, when and who, to improve the overall incident response timeline.
14 IBM Security
A universe of security knowledge, dark to your defenses
Traditional Security Data:
• Security events and alerts
• Logs and configuration data
• User and network activity
• Threat and vulnerability feeds
Human Generated Knowledge: a tremendous amount of security knowledge is created for human consumption, but most of it is untapped. Examples include:
• Research documents
• Industry publications
• Forensic information
• Threat intelligence commentary
• Conference presentations
• Analyst reports
• Webpages
• Wikis
• Blogs
• News sources
• Newsletters
• Tweets
Typical organizations leverage only 8% of this content*
15 IBM Security
IBM QRadar Intelligence and Analytics Platform
[Diagram of the platform layers:
• Use cases: Advanced Threat Detection, Insider Threat Detection, Risk & Vulnerability Management, Critical Data Protection, Incident Response, Compliance Reporting, Securing Cloud
• Action: prioritized incidents; automation, workflows, dashboards, visualizations; third-party usage
• Engine: QRadar Sense Analytics, combining behavior-based, context-based and time-based analytics
• Collection: business systems, cloud, infrastructure, threat intel, applications
• Deployment models: on prem, as a service, cloud, hybrid
• Capability and threat intelligence collaboration platforms: App Exchange, X-Force Exchange]
16 IBM Security
Solutions for the full Security Intelligence timeline
Prediction / prevention phase (pre-exploit, vulnerability)
• What are the major risks and vulnerabilities? Are we configured to protect against advanced threats?
• Risk Management. Vulnerability Management. Configuration and Patch Management. X-Force Research and Threat Intelligence. Compliance Management. Reporting and Scorecards.
Exploit
Reaction / remediation phase (post-exploit, remediation)
• What security incidents are happening right now? What was the impact to the organization?
• Network and Host Intrusion Prevention. Network Anomaly Detection. Packet Forensics. Database Activity Monitoring. Data Leak Prevention. Security Information and Event Management. Log Management. Incident Response.
Security Intelligence spans both phases.
17 IBM Security
Security Intelligence – Clear Visibility & Increased Accuracy
Dynamic threat environment requires clear visibility & increased accuracy: taking in data from a wide spectrum of feeds and continually adding context.
Extensive data sources + Deep intelligence = Exceptionally accurate and actionable insight
Extensive data sources:
• Security devices
• Servers and mainframes
• Network and virtual activity
• Data activity
• Application activity
• Configuration information
• Vulnerabilities and threats
• Users and identities
• Security Intelligence Feeds (Internet threats, geo location, …)
Deep intelligence:
• Correlation: logs/events, network flows, geographic location
• Activity baselining and anomaly detection: user activity, database activity, application activity, network activity
• Offense identification: credibility, severity, relevance
Result: suspected incidents are reduced to true offenses.
18 IBM Security
Command console for Security Intelligence
• Provides full visibility and actionable insight to protect against advanced threats
• Adds network flow capture and analysis for deep application insight
• Employs sophisticated correlation of events, flows, assets, topologies, vulnerabilities and external data to
identify and prioritize threats
• Contains workflow management to fully track threats and ensure resolution
• Uses scalable hardware, software and virtual appliance architecture to support the largest deployments
SIEM
19 IBM Security
Cyber threats rely on our networks to carry out their objectives
• >99% of cyber attacks traverse the network in some way
  – Email/Web
  – Reconnaissance
  – Command and control
  – Data collection…
• Only insider attacks collecting local system data and posting it to removable media do not
  – Source: Enterprise Management Associates (EMA)
• Threat activity inherently leaves a trail of evidence across our networks
  – So the data needed to detect these threats is there if you look deep enough
[Chart: most-common attack types¹]
20 IBM Security
Taking flow analysis to the next level
"A network flow is, in essence, a record of a given conversation between two hosts on a network… this information is much like a phone bill: you can't tell what was said during the conversation, but you can use it to prove who talked to who" – SANS Institute
QFlow provides all the benefits of network flows but will also recognize layer 7 applications and allows you to capture the beginning of the conversation.
QRadar Network Insights will also let you know if suspect items or topics of interest were discussed at any time during the conversation.
QRadar Incident Forensics and Network Packet Capture will capture, reconstruct and replay the entire conversation.
[Diagram axis: from Incident Detection to Incident Response]
21 IBM Security
Differentiated by network flow analytics - QFlow
• Network traffic doesn't lie. Attackers can stop logging and erase their tracks, but can't cut off the network (flow data)
  – Deep packet inspection for Layer 7 flow data
  – Pivoting, drill-down and data mining on flow sources for advanced detection and forensics
• Helps detect anomalies that might otherwise get missed
• Enables visibility into attacker communications
22 IBM Security
Bringing visibility to today’s cyber security challenges
• Session reconstruction and application analysis
• Extraction of key metadata and content
• Full payload and application content analysis
• Real-time analysis of network traffic
• Intrinsic Suspect Content detection
23 IBM Security
Differentiated by network flow analytics - Network Insights
• Innovative network analytics solution that will quickly and easily detect insider threats, data exfiltration and malware activity
• Logs and traditional network flow data are not providing enough visibility
• Records application activities, captures artifacts, and identifies assets, applications and users participating in network communications
• Configurable analysis from network traffic for real-time threat detection and long-term retrospective analysis
• New appliance with out-of-the-box content on the App Exchange for fast time to value and best practices
• Filling in the important gaps
  – What is out there?
  – Who is talking to whom?
  – What files and data are being exchanged?
  – Do they look malicious?
  – Do they contain any important or sensitive data?
  – Is this malicious application use?
  – Is this new threat on my network?
  – If so, where is it and what did it do?
Seamless integration across the QRadar platform:
✓ Extends QRadar flow capabilities
✓ QNI analysis fuels QRadar capabilities, content and Apps
✓ Derives sense events for User Behavior Analytics for improved insider risk assessments
24 IBM Security
Our Security Intelligence platform delivers powerful capabilities to IT Security Operations Teams
Next generation network forensics: know what happened, fast
Introducing QRadar Incident Forensics: leveraging the strengths of QRadar to optimize the process of investigating and gathering evidence on advanced attacks and data breaches
• Tells you exactly when an incident occurred
• Delivers intelligence to guide forensics investigations
• Merges powerful forensics capability with simplicity
• Visually construct threat actor relationships
• Builds detailed user and application profiles across multiple IDs
• Full packet capture for complete session reconstruction
• Unified view of all flow, user, event, and forensic information
• Retrace activity in chronological order
• Integrated with QRadar to discover true offenses and prioritize forensics investigations
• Enables search-driven data exploration to return detailed, multi-level results in seconds
25 IBM Security
Extended clarity
[Diagram: content sources – Email, Chat, Social, Web]
• From session data analysis yielding basic application insights, to full visualization of extended relationships and embedded content
• From standard asset identity information, to rich visualizations of digital impressions showing extended relationships
26 IBM Security
QRadar Risk Manager adds pro-active capabilities
• Depicts network topology views and helps visualize current and alternative network traffic patterns
• Identifies active attack paths and assets at risk of exploit
• Collects network device configuration data to assess vulnerabilities and facilitate analysis and reporting
• Discovers firewall configuration errors and improves performance by eliminating ineffective rules
• Analyzes policy compliance for network traffic, topology and vulnerability exposures
Risk Manager
27 IBM Security
IBM QRadar Vulnerability Manager
Solution Highlights
• First VA solution integrated with Security Intelligence
• Dramatically improving actionable information through rich context
• Reducing total cost of ownership through product consolidation
• Providing unified view of all vulnerability information
[Diagram: Log Manager, SIEM, Network Activity Monitor, Forensics and Vulnerability Manager as components of one Security Intelligence platform]
Security Intelligence is extending and transforming Vulnerability Management – just as it did to Log Management
28 IBM Security
IBM QRadar Vulnerability Manager: How it works
• Not Active: by leveraging Network Insights, QVM can tell if the vulnerable application is active
• Patched: by leveraging BigFix, QVM understands what vulnerabilities will be patched
• Blocked: by leveraging network topology, QVM can understand what vulnerabilities are blocked by firewalls, IPSs and XGS
• Critical: by leveraging its vulnerability knowledge base, remediation flow and QRM policies, QVM can identify business critical vulnerabilities
• At Risk: by utilizing X-Force threat and SIEM security incident data, coupled with QFlow network traffic visibility, QVM can tell if vulnerable assets are communicating with potential threats
• Exploited: by leveraging SIEM correlation and XGS data, QVM can reveal what vulnerabilities have been exploited
29 IBM Security
Cybercriminals rarely act alone, neither should you!
• What you also need to do to stay ahead of the threat
  – Change the way teams collaborate for improved network security defenses.
  – Raise the costs and reduce the opportunities for cybercriminals
• The solution
  – IBM Security X-Force Exchange https://exchange.xforce.ibmcloud.com: provides aggregated threat intelligence and a platform for peer collaboration to add human context to machine-generated intelligence.
  – IBM Security App Exchange http://apps.xforce.ibmcloud.com: provides a platform to share professionally developed tools and technologies, and also encourages rapid innovation through crowdsourcing of client contributions.
30 IBM Security
IBM Security App Exchange
Example: IBM QRadar User Behavior Analytics (UBA)
• QRadar UBA adds a user-centric view of network activities, including a new tab and customizable dashboard that allow security teams to quickly understand risky behaviors. It's similar to the Offenses tab in that it prioritizes or ranks incidents related to the triggering of behavioral or anomaly rules associated with user actions.
• The IBM QRadar platform extends to support an integrated UBA approach to detect and investigate user risk
• Enabled via IBM Security App Exchange – the QRadar UBA app is available for download
• Leverages the existing data set and analytics platform, reducing tool sprawl
Detect abnormal user behavior in one click
IBM QRadar User Behavior Analytics
31 IBM Security
Cognitive Security Starts Here
NEW! IBM QRadar Watson Advisor
IBM Security Introduces a Revolutionary Shift in Security Operations
• Employs powerful cognitive capabilities to investigate and qualify security incidents and anomalies on behalf of security analysts
• Powered by Watson for Cyber Security to tap into vast amounts of security knowledge and deliver insights relevant to specific security incidents
• Transforms SOC operations by addressing current challenges that include skills shortages, alert overloads, incident response delays, currency of security information and process risks
• Designed to be easily consumable: delivered via IBM Security App Exchange and deployed in minutes
32 IBM Security
Cognitive Tasks of a Security Analyst in Investigating an Incident
Gain local context leading to the incident:
• Review the incident data
• Review the outlying events for anything interesting (e.g., domains, MD5s, etc.)
• Pivot on the data to find outliers (e.g., unusual domains, IPs, file access)
• Expand your search to capture more data around that incident
Gather the threat research, develop expertise:
• Search for these outliers / indicators using X-Force Exchange + Google + Virus Total + your favorite tools
• Discover new malware is at play
• Get the name of the malware
• Gather IOC (indicators of compromise) from additional web searches
Apply the intelligence and investigate the incident:
• Investigate gathered IOC locally
• Find other internal IPs that are potentially infected with the same malware
• Qualify the incident based on insights gathered from threat research
• Start another investigation around each of these IPs
Time-consuming threat analysis: there's got to be an easier way!
33 IBM Security
Unlocking a new partnership between security analysts and their technology
QRadar Advisor complementing the investigative resources of a SOC
Security Analysts:
• Manage alerts
• Research security events and anomalies
• Evaluate user activity and vulnerabilities
• Configuration
• Other
Security Analytics:
• Data correlation
• Pattern identification
• Thresholds
• Policies
• Anomaly detection
• Prioritization
Watson for Cyber Security:
• Security knowledge
• Threat identification
• Reveal additional indicators
• Surface or derive relationships
• Evidence
QRadar Advisor with Watson (QRadar Watson Advisor):
• Local data mining
• Perform threat research using Watson for Cyber Security
• Qualify and relate threat research to security incidents
• Present findings
34 IBM Security
QRadar Advisor in Action
1. Offenses (raised by QRadar from correlated enterprise data)
2. Gains local context and forms threat research strategy (offense context, device activities, equivalency relationships)
3. Observables
4. Performs threat research and develops expertise (knowledge graph)
5. Research results
6. Applies the intelligence gathered to investigate and qualify the incident
35 IBM Security
Gain local context leading to the incident and formulate a threat research strategy
36 IBM Security
Observables: Data used by QRadar Advisor
Observables: the finite set of discrete elements that are collected from an offense and related events and used by QRadar Watson Advisor for local analysis and external research. Only a subset are sent to Watson for Cyber Security (W4CS) as observations of a potential threat.

Observable type     | Description                                                                                                       | Sent to W4CS
Source IP           | External source IPs that appear in an offense – enforced by respecting the Network Hierarchy defined in QRadar      | Yes
Destination IP      | External destination IPs that appear in an offense – enforced by respecting the Network Hierarchy defined in QRadar | Yes
File Hash           | Hash value of a file that is deemed suspicious                                                                    | Yes
URL                 | External URLs that appear in an offense                                                                           | Yes
Domain              | External domains that appear in an offense                                                                        | Yes
Destination Port    | Destination ports belonging to destination IPs                                                                    | No
User Agent          | The user agent identified by a browser or HTTP application                                                        | No
AV Signature        | Malware signatures identified by antivirus solutions                                                              | No
Email Address       | Email addresses associated with suspicious emails                                                                 | No
File Name           | Names of suspicious files                                                                                         | No
Source Port         | Source ports belonging to source IPs                                                                              | No
Destination ASN     | Autonomous System Number of a destination IP address (from a DNS)                                                 | No
Source ASN          | Autonomous System Number of a source IP address (from a DNS)                                                      | No
Destination Country | Name of the destination country of outbound communications                                                        | No
Source Country      | Name of the source country of inbound communications                                                              | No
Low Level Category  | Low level QRadar offense category                                                                                 | No
High Level Category | High level QRadar offense category                                                                                | No
Direction           | Direction of communication                                                                                        | No
User Name           | Aliases that may attempt to access critical internal infrastructure                                               | No
37 IBM Security
Control, Privacy and Security of Transferring Observables

Control
• QRadar Watson Advisor references the Network Hierarchy defined in QRadar
• The QRadar administrator can control which types of observables are sent, in the QRadar Watson Advisor administration page
• The QRadar administrator can select which custom properties are mapped to observable types

Privacy
• Only external URLs, domains, IPs and file hash values are sent to Watson for Cyber Security
• After an investigation, all observables sent to Watson for Cyber Security are destroyed, and the results of the investigation are also not persisted in the cloud
• Watson for Cyber Security does not track the IPs or the specific instance of QRadar Watson Advisor submitting the investigation requests, to preserve anonymity

Security
• Observables are sent via an encrypted channel to Watson for Cyber Security
• Watson for Cyber Security isolates each customer's offense investigation
• Watson for Cyber Security can only be accessed by authorized QRadar Watson Advisor apps
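The two slides above describe a policy rather than code: before anything leaves the SIEM, an observable has to be of a type the administrator has enabled, and IPs, URLs and domains are only shared when the Network Hierarchy says they are external. The following Python is an added example written for this page; it is not IBM's code and not the real logic of the QRadar Watson Advisor app. It assumes the Network Hierarchy can be represented as a list of CIDR blocks, adds an internal-hostname suffix list that QRadar itself does not define, uses its own type names for the allow-list, and runs over a constructed set of observables for one offense.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Set, Tuple, Union
from urllib.parse import urlsplit

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Addresses that can never be "external" whatever the hierarchy says
# (RFC 1918, loopback, link-local, multicast and their IPv6 counterparts).
NEVER_EXTERNAL: List[Network] = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Stand-in for the QRadar Network Hierarchy (constructed for this example):
# the ranges this organisation declares local, including a public range it owns.
NETWORK_HIERARCHY: List[Network] = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.0/24",
)]

# Hostname suffixes treated as internal (assumed; an extra guard so an
# internal FQDN inside a URL or domain observable never leaves the SIEM).
INTERNAL_SUFFIXES = (".corp.example", ".local")

# The observable types the table marks "Sent to W4CS: Yes". In the product
# this is an administrator setting; the type names are this example's own.
SHAREABLE_TYPES: Set[str] = {"source_ip", "destination_ip", "file_hash", "url", "domain"}

# MD5 / SHA-1 / SHA-256 hex digests.
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


@dataclass(frozen=True)
class Observable:
    kind: str
    value: str


def is_external_ip(value: str, hierarchy: Sequence[Network]) -> bool:
    """True only for a valid IP literal that is neither non-routable nor inside the hierarchy."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return False                      # not an IP literal: never forward it as one
    # `addr in net` is False on an IPv4/IPv6 version mismatch, so mixing is safe.
    return not any(addr in net for net in (*NEVER_EXTERNAL, *hierarchy))


def is_external_host(host: str, hierarchy: Sequence[Network]) -> bool:
    """A domain is external unless it is a local IP literal, a single label or an internal suffix."""
    host = host.strip().rstrip(".").lower()
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        return is_external_ip(host, hierarchy)   # an IP literal passed off as a "domain"
    if "." not in host:                          # bare short hostname / NetBIOS name
        return False
    return not host.endswith(INTERNAL_SUFFIXES)


def is_external_url(url: str, hierarchy: Sequence[Network]) -> bool:
    """Decide on the URL's host only; path and query are forwarded as-is, unredacted."""
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:                           # e.g. an unbalanced IPv6 bracket
        return False
    return host is not None and is_external_host(host, hierarchy)


def select_for_submission(
    observables: Iterable[Observable],
    hierarchy: Sequence[Network] = NETWORK_HIERARCHY,
    allowed: Set[str] = SHAREABLE_TYPES,
) -> Tuple[List[Observable], List[Tuple[Observable, str]]]:
    """Split an offense's observables into (send, withhold); each withheld item carries a reason."""
    send: List[Observable] = []
    withhold: List[Tuple[Observable, str]] = []
    for ob in observables:
        if ob.kind not in allowed:
            withhold.append((ob, "type disabled for external research"))
        elif ob.kind in ("source_ip", "destination_ip") and not is_external_ip(ob.value, hierarchy):
            withhold.append((ob, "address is local or not routable"))
        elif ob.kind == "domain" and not is_external_host(ob.value, hierarchy):
            withhold.append((ob, "hostname is internal"))
        elif ob.kind == "url" and not is_external_url(ob.value, hierarchy):
            withhold.append((ob, "URL host is internal or unparsable"))
        elif ob.kind == "file_hash" and not HEX_DIGEST.match(ob.value.strip().lower()):
            withhold.append((ob, "not an MD5/SHA-1/SHA-256 digest"))
        else:
            send.append(ob)
    return send, withhold


# Constructed observables for one offense (documentation addresses, example domains).
SAMPLE_OFFENSE = [
    Observable("source_ip", "203.0.113.45"),
    Observable("source_ip", "192.168.1.5"),
    Observable("destination_ip", "198.51.100.7"),
    Observable("destination_port", "443"),
    Observable("url", "http://203.0.113.45/update.bin"),
    Observable("url", "https://intranet.corp.example/login"),
    Observable("domain", "cdn.example.net"),
    Observable("domain", "FILESRV01"),
    Observable("file_hash", "d41d8cd98f00b204e9800998ecf8427e"),
    Observable("user_name", "jdoe"),
]

if __name__ == "__main__":
    send, withhold = select_for_submission(SAMPLE_OFFENSE)
    for ob in send:
        print(f"SEND     {ob.kind:<16} {ob.value}")
    for ob, why in withhold:
        print(f"WITHHOLD {ob.kind:<16} {ob.value}  ({why})")
```

Two design points worth noting. The hierarchy check is layered: RFC 1918, loopback, link-local and multicast space is rejected even if an administrator forgot to declare it, so a mis-maintained hierarchy fails closed rather than leaking an internal address. And the URL check only looks at the host; the path and query string travel unchanged, which is where session tokens and user identifiers tend to live, so a deployment that cares about that would add its own redaction step before submission.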
38 IBM Security
A security operations platform for today's and tomorrow's needs
• Advanced Threat Detection
• Insider Threat
• Securing the Cloud
• Risk and Vulnerability Management
• Critical Data Protection
• Compliance
• Incident Response
Fast to deploy, easy to manage, and focused on your success

THANK YOU
FOLLOW US ON:
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2017. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
 
Delivering Micro-Credentials in Technical and Vocational Education and Training
Delivering Micro-Credentials in Technical and Vocational Education and TrainingDelivering Micro-Credentials in Technical and Vocational Education and Training
Delivering Micro-Credentials in Technical and Vocational Education and Training
 
Top five deadliest dog breeds in America
Top five deadliest dog breeds in AmericaTop five deadliest dog breeds in America
Top five deadliest dog breeds in America
 
PIMS Job Advertisement 2024.pdf Islamabad
PIMS Job Advertisement 2024.pdf IslamabadPIMS Job Advertisement 2024.pdf Islamabad
PIMS Job Advertisement 2024.pdf Islamabad
 
Pride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School DistrictPride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School District
 
Fresher’s Quiz 2023 at GMC Nizamabad.pptx
Fresher’s Quiz 2023 at GMC Nizamabad.pptxFresher’s Quiz 2023 at GMC Nizamabad.pptx
Fresher’s Quiz 2023 at GMC Nizamabad.pptx
 
DRUGS AND ITS classification slide share
DRUGS AND ITS classification slide shareDRUGS AND ITS classification slide share
DRUGS AND ITS classification slide share
 
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
 
MATATAG CURRICULUM: ASSESSING THE READINESS OF ELEM. PUBLIC SCHOOL TEACHERS I...
MATATAG CURRICULUM: ASSESSING THE READINESS OF ELEM. PUBLIC SCHOOL TEACHERS I...MATATAG CURRICULUM: ASSESSING THE READINESS OF ELEM. PUBLIC SCHOOL TEACHERS I...
MATATAG CURRICULUM: ASSESSING THE READINESS OF ELEM. PUBLIC SCHOOL TEACHERS I...
 
Aficamten in HCM (SEQUOIA HCM TRIAL 2024)
Aficamten in HCM (SEQUOIA HCM TRIAL 2024)Aficamten in HCM (SEQUOIA HCM TRIAL 2024)
Aficamten in HCM (SEQUOIA HCM TRIAL 2024)
 
Reflective and Evaluative Practice...pdf
Reflective and Evaluative Practice...pdfReflective and Evaluative Practice...pdf
Reflective and Evaluative Practice...pdf
 
Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.
 

SIEM/QRadar: IBM's cognitive and Security Intelligence solutions for detecting cyber attacks

  • 1. IBM QRADAR
    IBM's cognitive and Security Intelligence solutions for detecting cyber attacks
    Alessandra Pecorari, Technical Sales - Mobility & Endpoint Management Solutions
    Giulia Caliari, Security Architect
    October 16, 2017
  • 2. Objectives: Information Security & Data Protection
    • Protect public and private organizations in running their business
    • Protect individuals (privacy and security)
    • Protect the physical and economic security of the nation(s)
    Two strands shown on the slide: Security of services & critical information | Protection of personal data
  • 3. The Italian landscape (major initiatives)
    Cybersecurity:
    • December 2013 - National strategic framework for cyberspace security (Quadro strategico nazionale per la sicurezza dello spazio cibernetico)
    • December 2013 - National plan for cyber protection and information security (Piano nazionale per la protezione cibernetica e la sicurezza informatica)
    • February 2016 - Italy's National Framework for Cybersecurity
    • March 2017 - Essential Cybersecurity Controls (Controlli Essenziali di Cybersecurity)
    • April 2016 - AGID: Minimum ICT Security Measures for Public Administrations (Misure Minime di Sicurezza ICT per le Pubbliche Amministrazioni)
    • July 2016 - EU Network and Information Security Directive
    • .......
    Privacy:
    • Legislative Decree 196 of 2003 - Personal Data Protection Code (DL196 del 2003 - Codice in materia di protezione dei dati personali)
    • Directive 95/46/EC - Protection of individuals with regard to the processing of personal data and on the free movement of such data
    • Framework Decision 2008/977/JHA - Protection of personal data processed in the framework of police and judicial cooperation in criminal matters
    • Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR)
    • Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data
  • 4. SANS Security Controls & Misure Minime AGID
    1. Inventory of Authorized and Unauthorized Devices
    2. Inventory of Authorized and Unauthorized Software
    3. Secure Configuration of End-User Devices
    4. Continuous Vulnerability Assessment & Remediation
    5. Controlled Use of Administrative Privileges
    6. Maintenance, Monitoring, and Analysis of Audit Logs
    7. Email and Web Browser Protections
    8. Malware Defense
    9. Limitation & Control of Network Ports, Protocols, and Services
    10. Data Recovery Capability
    11. Secure Configuration of Network Devices
    12. Boundary Defense
    13. Data Protection
    14. Controlled Access Based on Need to Know
    15. Wireless Access Control
    16. Account Monitoring and Control
    17. Security Skills Assessment and Appropriate Training
    18. Application Software Security
    19. Incident Response and Management
    20. Penetration Tests and Red Team Exercises
    https://www.sans.org/critical-security-controls
    https://www.cisecurity.org/controls/
  • 5. IBM Security Immune System to address Critical Security Controls
    Groups of controls as laid out on the slide (one group per product area):
    • 1 Inventory of auth. and unauth. devices; 2 Inventory of auth. and unauth. software; 3 Secure configurations of end-user devices (and servers); 4 Continuous vulnerability assessment and remediation; 8 Malware defence
    • 8 Malware defence; 7 Email and Web Browser Protections; 9 Limitation and Control of Network Ports, Protocols, and Services; 12 Boundary Defense; 17 Security Skills Assessment and Appropriate Training to Fill Gaps
    • 1 Inventory of auth. and unauth. devices; 4 Continuous vulnerability assessment & remediation; 8 Malware defence; 6 Maintenance, Monitoring, and Analysis of Audit Logs; 9 (Limitation and) Control of Network Ports, Protocols, and Services; 11 Secure Configuration of Network Devices; 19 Incident Response and Management
    • 5 Controlled Use of Administrative Privileges; 14 Controlled Access based on the need to know; 16 Account Monitoring and Control
    • 1 Inventory of auth. and unauth. devices; 2 Inventory of auth. and unauth. software; 3 Secure configurations of end-user devices; 4 Continuous vulnerability assessment & remediation; 8 Malware defence
    • 4 Continuous vulnerability assessment & remediation; 13 Data Protection; 18 Application Security; 20 Penetration Tests & Red Team Exercises
  • 6. SANS Security Controls & Misure Minime AGID (the same 20 controls as slide 4, https://www.sans.org/critical-security-controls and https://www.cisecurity.org/controls/) with the recommended practices highlighted:
    • Automated discovery based on «passive» tools
    • DHCP logging to improve asset
    • Automated vulnerability scanning tools
    • Correlate event logs with information from vulnerability scans
    • Subscribe to vulnerability intelligence services
    • Establish a process to risk-rate vulnerabilities based on the exploitability and potential impact
    • Deploy a SIEM … tools for log aggregation and consolidation … and for log correlation and analysis.
    • Use network-based anti-malware tools to identi
    • Ensure that only ports, protocols, and services with validated business needs are running on each system.
    • Compare firewall, router, and switch configuration against standard secure configurations
    • Use automated tools to verify standard device configurations and detect changes.
    • Automated tool on network perimeters that monitors for sensitive information (..), keywords, … to discover unauthorized attempts to exfiltrate
    • Monitor all traffic leaving the organization and detect any unauthorized use of encryption
    • Monitor account usage to determine dormant accounts
    • Monitor attempts to access deactivated accounts through audit logging.
    • Profile each user's typical account usage
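Three of the practices above ("correlate event logs with information from vulnerability scans", "monitor account usage to determine dormant accounts" and "monitor attempts to access deactivated accounts through audit logging") are what a SIEM rule set does in practice. The block below is an added example and is not IBM's or QRadar's code: it runs a minimal correlation pass over a constructed event log, a constructed scan result and a constructed account directory. Every host address, user name, timestamp and the vulnerability id `CVE-0000-0001` are constructed placeholders.

```python
"""Added example (not IBM's or QRadar's code): a minimal SIEM-style
correlation pass over constructed sample data, implementing three of the
practices listed on the slide. All hosts, users, timestamps and the
vulnerability id are constructed placeholders."""
from datetime import datetime, timedelta

# Constructed vulnerability-scan results: host -> set of confirmed findings.
VULN_SCAN = {
    "10.0.0.5": {"CVE-0000-0001"},   # placeholder id, not a real CVE
    "10.0.0.9": set(),               # scanned clean
}

# Constructed account directory: accounts that have been deactivated.
DEACTIVATED = {"jdoe"}

# Constructed event log, one record per line (syslog-like fields).
EVENTS = [
    {"ts": "2017-10-16T08:00:00", "type": "auth_ok",   "user": "alice", "dst": "10.0.0.5"},
    {"ts": "2017-10-16T08:05:00", "type": "ids_alert", "sig": "CVE-0000-0001", "dst": "10.0.0.5"},
    {"ts": "2017-10-16T08:06:00", "type": "ids_alert", "sig": "CVE-0000-0001", "dst": "10.0.0.9"},
    {"ts": "2017-10-16T09:00:00", "type": "auth_fail", "user": "jdoe",  "dst": "10.0.0.9"},
    {"ts": "2017-09-01T10:00:00", "type": "auth_ok",   "user": "bob",   "dst": "10.0.0.9"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def correlate_ids_with_scan(events, scan):
    """Practice: correlate event logs with vulnerability scans.
    An IDS alert naming a finding the scan confirmed on the target host is
    escalated to high priority; the same alert against a host the scan
    found unaffected is kept at low priority instead of paging anyone."""
    findings = []
    for e in events:
        if e["type"] != "ids_alert":
            continue
        exposed = e["sig"] in scan.get(e["dst"], set())
        findings.append({"dst": e["dst"], "sig": e["sig"],
                         "priority": "high" if exposed else "low"})
    return findings


def dormant_accounts(events, now, days=30):
    """Practice: monitor account usage to determine dormant accounts.
    Returns accounts whose last successful login is older than `days`."""
    last_seen = {}
    for e in events:
        if e["type"] == "auth_ok":
            t = parse_ts(e["ts"])
            last_seen[e["user"]] = max(last_seen.get(e["user"], t), t)
    return sorted(u for u, t in last_seen.items() if now - t > timedelta(days=days))


def deactivated_account_attempts(events, deactivated):
    """Practice: monitor attempts to access deactivated accounts.
    Any authentication event (successful or not) for a deactivated account
    is reported, since the account should not be in use at all."""
    return [(e["ts"], e["user"], e["dst"]) for e in events
            if e["type"] in ("auth_ok", "auth_fail") and e["user"] in deactivated]


if __name__ == "__main__":
    now = parse_ts("2017-10-16T12:00:00")   # constructed "current time"
    print(correlate_ids_with_scan(EVENTS, VULN_SCAN))
    print(dormant_accounts(EVENTS, now))
    print(deactivated_account_attempts(EVENTS, DEACTIVATED))
```

The scan correlation is the key design point: the two IDS alerts are identical, but only the one against a host where the scanner confirmed the finding is escalated. Without that join, both would reach an analyst with the same weight, which is exactly the alert volume problem the deck returns to on slide 12.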
  • 7. GDPR regulation: fundamental duties and obligations
    Security of personal data (Art. 5, 24, 32 to 34)
    • ... appropriate security of the personal data, including protection ... against unauthorised or unlawful processing and against accidental loss, destruction or damage ("integrity and confidentiality").
    • .. technical and organisational measures ... to ensure a level of security appropriate to the risk, ...
    • pseudonymisation and encryption;
    • the ability to ensure the ongoing confidentiality, integrity, availability and resilience ..
    • the ability to restore ... in a timely manner ....
    • regularly testing and evaluating the effectiveness of the measures ..
    • .. account shall be taken in particular of the risks .. from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data
    • Notification of a breach to the supervisory authority (Art. 33)
    • Notification of a breach to the data subjects (Art. 34)
    Accountability (Art. 5, 24 and others)
    • The controller shall be responsible for .... and be able to demonstrate compliance ("accountability").
    • Controllers and processors must demonstrate compliance with the principles of the regulation, and therefore must record processing activities and their lawfulness, the collection of information and consents, management activities, the security measures adopted, accesses, etc.
    • Obligation to keep "Records of Processing Activities" (Art. 30)
    • Impact Assessment (Art. 35)
    By Design and By Default (Art. 25)
    • "..appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing" for compliance with the regulation and protection of the rights of the data subject
    • "... that, by default, only personal data which are necessary ... are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility"
    • ".. personal data are not made accessible to an indefinite number of natural persons .."
    Lawfulness and Consent (Art. 5-8)
    • Personal data shall be: processed lawfully, fairly and in a transparent manner ..; collected for specified, explicit and legitimate purposes ...; adequate, relevant and limited to what is necessary ..; kept in a form which permits identification of data subjects ...;
    • Lawfulness (Art. 6)
    • Consent (Art. 7 and 8)
    Rights of EU citizens (Art. 12 to 20 and others)
    • Transparency
    • Right of access, rectification and erasure (right "to be forgotten")
    • Right to restriction of processing
    • Right to data portability
    • Right to object and automated decision-making
    • Right to lodge a complaint and to a judicial remedy (Art. 77-79)
    • Right to compensation (Art. 82)
    Diagram labels: Assessment & Clean Up; Archiving; Legal Curation; Records & Retention; By Design and By Default; Lawfulness and Consent; Accountability; Data Breaches; Knowledge of the data; Rights of residents in Europe
  • 8. Information Security and Data Privacy: differences and interactions
    Information Security and Data Privacy are correlated but different and must be managed accurately.
    Information Security: information security is all of the practices and processes that are in place to ensure data is not being accessed or used by unauthorized individuals or parties. It covers a wider array of data than personal data, because it includes the protection of all the information and assets managed for the business. Organizational, Technical and Physical Controls, mostly as per industry standards (ISO 27001). Some examples:
    • Information Security Policy
    • Security Risk analysis, Security Risk Treatment Plan, appropriate organizational and technological Information Security Measures
    • Security Incident Response Plan
    • IAM (Identity and Access Management)
    • SIEM (Security Information and Event Management)
    • Data Security
    • Firewalls
    • Encryption
    • Locks, guards, video surveillance
    Data Privacy: data privacy is concerned with establishing rules that govern the collection and handling of personal information. Handling personal data includes processing, use, transfer, sharing and deletion.
    • Privacy Strategy Policy
    • Privacy Risk Analysis, Privacy Risk Treatment Plan: appropriate organizational and technological Privacy Measures
    • Privacy Treatment registrations
    • Collection Minimization, Transparency
    • Notice, Choice, Consent
    • Purpose Specification, Use Limitation
    • Data Security
    • Access, Rectification and Erasure … Rights of Data Subjects
    • Retention Periods
    • 3rd Party Vendor Requirements
    • Cross-border Export Restrictions
    • Cross-border Access Restrictions
    • Data Breach Notification
    • Accountability
  • 9. (Personal) Data Processing activities built upon a reliable infrastructure
    Actors: Users; DBA; Infrastructure. Activity streams: Users Activity; App Activity; Data Activity; Infrastructure Activity
    • IT Hygiene: Enterprise Rules; Server & endpoint security; Perimeter Security
    • App and Data layers
    • Data Encryption: Encrypt DBs; Protect Keys
    • Real-Time Data Protection: Discovery & Classify Data; Monitor and Log Activity; Enforce policies; Monitor DBAs
    • Data Copy: Extract Data; Mask Data
    • Application Quality: Check App Code Security; Correct Vulnerabilities
    • Identity Governance: Audit the authorizations currently existing in the systems; Manage re-certification campaigns; Ensure separation of duty
    • Privileged Identities: Control Admins
    • Access Control: Flexible policies; Risk-Based Authentication; Multi-Factor & Biometry
    • Security Analytics: Correlate events, traffic flows, Behaviour Analysis..; Identify Incidents
    • Incident Response: Forensic Analysis; Manage Incidents
  • 10. (Personal) Data Processing activities built upon a reliable infrastructure: the same diagram as slide 9, with the IBM products overlaid on each area:
    Privileged Identity Manager; Identity Governance; Security Access Manager; AppScan; Guardium Data Protection; Guardium Data Encryption; BigFix; MaaS360; XGS; QRadar; Resilient
  • 11. (Personal) Data Processing activities built upon a reliable infrastructure: the same diagram as slide 9, without the product overlay.
  • 12. Is this really sustainable?
    Quick Insights: Current Security Status – Threats; Alerts; Analysts available; Available time; Knowledge needed
    "93% SOC Managers Not Able to Triage All Potential Threats"
    "42 percent of cybersecurity professionals working at enterprise organizations claim that they ignore a 'significant number of security alerts'"
    "(31 percent) of organizations forced to ignore security alerts claim they ignore 50 percent or more security alerts because they can't keep up with the overall volume"
  • 13. Evolving to meet current and future security operations needs with cognitive enabled cyber security
    Cognitive security solutions harness the power of language comprehension in performing threat research, apply deductive reasoning and self-learning capabilities to direct security practitioners to contextually relevant information, and deliver advice on the course of action.
    Maturity ladder (horizontal axis: increasing data volumes, variety and complexity; vertical axis: increasing attack and threat sophistication): Grep → Search → Pattern Matching → Correlation and rules → Behavioral Analytics → Cognition
    From recognition of threats & risks to reasoning about threats & risks.
    Helping security teams not only detect a security threat but also resolve the what, how, why, when and who, to improve the overall incident response timeline.
  • 14. A universe of security knowledge, dark to your defenses
    Traditional Security Data: Security events and alerts; Logs and configuration data; User and network activity; Threat and vulnerability feeds
    Human Generated Knowledge: a tremendous amount of security knowledge is created for human consumption, but most of it is untapped. Examples include:
    • Research documents
    • Industry publications
    • Forensic information
    • Threat intelligence commentary
    • Conference presentations
    • Analyst reports
    • Webpages
    • Wikis
    • Blogs
    • News sources
    • Newsletters
    • Tweets
    Typical organizations leverage only 8% of this content*
  • 15. IBM QRadar Intelligence and Analytics Platform
    USE CASES: Advanced Threat Detection; Insider Threat Detection; Risk & Vulnerability Management; Critical Data Protection; Incident Response; Compliance Reporting; Securing Cloud
    ACTION: Prioritized Incidents; Automation; Workflows; Dashboards; Visualizations; Third-Party Usage
    ENGINE: QRadar Sense Analytics – Behavior-Based Analytics; Context-Based Analytics; Time-Based Analytics
    COLLECTION: Business Systems; Cloud Infrastructure; Threat Intel; Applications; Capability and Threat Intelligence Collaboration Platforms (App Exchange, X-Force Exchange)
    DEPLOYMENT MODELS: On Prem; As a Service; Cloud; Hybrid
  • 16. Solutions for the full Security Intelligence timeline
    Timeline: Vulnerability → Pre-Exploit → Exploit → Post-Exploit → Remediation
    PREDICTION / PREVENTION PHASE: Are we configured to protect against advanced threats? What are the major risks and vulnerabilities?
    • Risk Management.
    • Vulnerability Management.
    • Configuration and Patch Management.
    • X-Force Research and Threat Intelligence.
    • Compliance Management.
    • Reporting and Scorecards.
    REACTION / REMEDIATION PHASE: What security incidents are happening right now? What was the impact to the organization?
    • Network and Host Intrusion Prevention.
    • Network Anomaly Detection.
    • Packet Forensics.
    • Database Activity Monitoring.
    • Data Leak Prevention.
    • Security Information and Event Management.
    • Log Management.
    • Incident Response.
  • 17. Security Intelligence – Clear Visibility & Increased Accuracy
    A dynamic threat environment requires clear visibility & increased accuracy: taking in data from a wide spectrum of feeds + continually adding context.
    Extensive data sources: Security devices; Servers and mainframes; Network and virtual activity; Data activity; Application activity; Configuration information; Vulnerabilities and threats; Users and identities; Security Intelligence Feeds (Internet Threats, Geo Location, …)
    Deep intelligence:
    • Correlation: Logs/events; Network Flows; Geographic Location
    • Activity baselining and anomaly detection: User activity; Database activity; Application activity; Network activity
    • Offense identification: Credibility; Severity; Relevance
    Suspected incidents → True offense
    Extensive data sources + Deep intelligence = Exceptionally accurate and actionable insight
  • 18. SIEM: Command console for Security Intelligence
    • Provides full visibility and actionable insight to protect against advanced threats
    • Adds network flow capture and analysis for deep application insight
    • Employs sophisticated correlation of events, flows, assets, topologies, vulnerabilities and external data to identify and prioritize threats
    • Contains workflow management to fully track threats and ensure resolution
    • Uses scalable hardware, software and virtual appliance architecture to support the largest deployments
  • 19. Cyber threats rely on our networks to carry out their objectives
    • >99% of cyber attacks traverse the network in some way
      – Email/Web
      – Reconnaissance
      – Command and control
      – Data collection…
    • Only insider attacks collecting local system data and posting it to removable media do not
      – Source: Enterprise Management Associates (EMA)
    • Threat activity inherently leaves a trail of evidence across our networks
      – So the data needed to detect these threats is there if you look deep enough
    Most-common attack types1
  • 20. Taking flow analysis to the next level
    "A network flow is, in essence, a record of a given conversation between two hosts on a network… this information is much like a phone bill: you can't tell what was said during the conversation, but you can use it to prove who talked to who" – SANS Institute
    Incident Detection:
    • QFlow provides all the benefits of network flows but will also recognize layer 7 applications and allows you to capture the beginning of the conversation
    • QRadar Network Insights will also let you know if suspect items or topics of interest were discussed at any time during the conversation
    Incident Response:
    • QRadar Incident Forensics and Network Packet Capture will capture, reconstruct and replay the entire conversation
    IBM Confidential SHARED UNDER NDA
  • 21. Differentiated by network flow analytics - QFlow
    • Network traffic doesn't lie. Attackers can stop logging and erase their tracks, but can't cut off the network (flow data)
      – Deep packet inspection for Layer 7 flow data
      – Pivoting, drill-down and data mining on flow sources for advanced detection and forensics
    • Helps detect anomalies that might otherwise get missed
    • Enables visibility into attacker communications
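The "phone bill" analogy on slide 20 and the "network traffic doesn't lie" point above both rest on the same idea: even with no payload, the record of who talked to whom, how often and how much is enough to surface attacker communications. The block below is an added example, not QFlow's or QRadar's code. It aggregates constructed connection records into per-peer flow summaries and runs two detections that need flow metadata only: near-constant check-in intervals from an internal host to an external one, and unusually large outbound volume. All addresses and byte counts are constructed, and the thresholds are assumptions.

```python
"""Added example (not QFlow's or QRadar's code): per-peer flow summaries
built from constructed connection records, plus two detections that use
flow metadata only (no payload). Addresses, sizes and thresholds are
constructed/assumed."""
from statistics import mean, pstdev

# Constructed connection records: (start_time_s, src, dst, dst_port, proto, bytes_out)
CONNECTIONS = [
    (0,   "10.1.1.20", "203.0.113.7",  443, "tcp", 512),
    (60,  "10.1.1.20", "203.0.113.7",  443, "tcp", 498),
    (120, "10.1.1.20", "203.0.113.7",  443, "tcp", 505),
    (180, "10.1.1.20", "203.0.113.7",  443, "tcp", 511),
    (240, "10.1.1.20", "203.0.113.7",  443, "tcp", 507),
    (15,  "10.1.1.30", "10.1.1.2",      53, "udp", 80),
    (90,  "10.1.1.30", "198.51.100.9", 443, "tcp", 1500),
    (91,  "10.1.1.30", "198.51.100.9", 443, "tcp", 1500),
    (100, "10.1.1.30", "198.51.100.9", 443, "tcp", 9_000_000),
]


def summarize_by_peer(connections):
    """Aggregate connections into one summary per (src, dst, dport, proto):
    the 'phone bill' view of who talked to whom, how often and how much."""
    flows = {}
    for ts, src, dst, dport, proto, nbytes in connections:
        f = flows.setdefault((src, dst, dport, proto),
                             {"first": ts, "last": ts, "count": 0, "bytes": 0, "starts": []})
        f["first"] = min(f["first"], ts)
        f["last"] = max(f["last"], ts)
        f["count"] += 1
        f["bytes"] += nbytes
        f["starts"].append(ts)
    return flows


def is_internal(ip):
    # Assumption for this example: the internal range is 10.0.0.0/8.
    return ip.startswith("10.")


def detect_beaconing(flows, min_connections=4, max_jitter_s=5.0):
    """Flag internal->external peers whose connection start times are
    nearly evenly spaced. Regular check-ins are visible in the timing
    alone, so an encrypted payload does not hide them."""
    hits = []
    for (src, dst, dport, proto), f in flows.items():
        if not (is_internal(src) and not is_internal(dst)):
            continue
        starts = sorted(f["starts"])
        if len(starts) < min_connections:
            continue
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        if pstdev(gaps) <= max_jitter_s:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "period_s": mean(gaps), "connections": len(starts)})
    return hits


def detect_large_egress(flows, threshold_bytes=5_000_000):
    """Flag internal->external peers that moved more data out than the
    threshold, the flow-level signal behind 'monitor all traffic leaving
    the organization'."""
    return [{"src": src, "dst": dst, "bytes": f["bytes"]}
            for (src, dst, _dport, _proto), f in flows.items()
            if is_internal(src) and not is_internal(dst)
            and f["bytes"] >= threshold_bytes]


if __name__ == "__main__":
    flows = summarize_by_peer(CONNECTIONS)
    print(detect_beaconing(flows))
    print(detect_large_egress(flows))
```

Both detections deliberately ignore the DNS traffic to the internal resolver: the internal/external split is what keeps the rule from firing on ordinary east-west chatter. In production the jitter and volume thresholds would come from a baseline of each host's normal behaviour rather than fixed constants.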
  • 22. Bringing visibility to today's cyber security challenges
    • Session reconstruction and application analysis
    • Extraction of key metadata and content
    • Full payload and application content analysis
    • Real-time analysis of network traffic
    • Intrinsic Suspect Content detection
  • 23. Differentiated by network flow analytics - Network Insights
    • Innovative network analytics solution that will quickly and easily detect insider threats, data exfiltration and malware activity
    • Logs and traditional network flow data are not providing enough visibility
    • Records application activities, captures artifacts, and identifies assets, applications and users participating in network communications
    • Configurable analysis of network traffic for real-time threat detection and long-term retrospective analysis
    • New appliance with out-of-the-box content on the App Exchange for fast time to value and best practices
    • Filling in the important gaps
      – What is out there?
      – Who is talking to whom?
      – What files and data are being exchanged?
      – Do they look malicious?
      – Do they contain any important or sensitive data?
      – Is this malicious application use?
      – Is this new threat on my network?
      – If so, where is it and what did it do?
    Seamless integration across the QRadar platform:
    ✓ Extends QRadar flow capabilities
    ✓ QNI analysis fuels QRadar capabilities, content and Apps
    ✓ Derives sense events for User Behavior Analytics for improved insider risk assessments
  • 24. Introducing QRadar Incident Forensics: next generation network forensics, know what happened, fast
    Our Security Intelligence platform delivers powerful capabilities for IT Security Operations Teams: tells you exactly when an incident occurred; delivers intelligence to guide forensics investigations; merges powerful forensics capability with simplicity.
    Leveraging the strengths of QRadar to optimize the process of investigating and gathering evidence on advanced attacks and data breaches:
    • Visually construct threat actor relationships
    • Builds detailed user and application profiles across multiple IDs
    • Full packet capture for complete session reconstruction
    • Unified view of all flow, user, event, and forensic information
    • Retrace activity in chronological order
    • Integrated with QRadar to discover true offenses and prioritize forensics investigations
    • Enables search-driven data exploration to return detailed, multi-level results in seconds
  • 25. Extended clarity (Email, Chat, Social, Web)
    • From session data analysis yielding basic application insights, to full visualization of extended relationships and embedded content
    • From standard asset identity information, to rich visualizations of digital impressions showing extended relationships
  • 26. QRadar Risk Manager adds pro-active capabilities
    • Depicts network topology views and helps visualize current and alternative network traffic patterns
    • Identifies active attack paths and assets at risk of exploit
    • Collects network device configuration data to assess vulnerabilities and facilitate analysis and reporting
    • Discovers firewall configuration errors and improves performance by eliminating ineffective rules
    • Analyzes policy compliance for network traffic, topology and vulnerability exposures
  • 27. IBM QRadar Vulnerability Manager
    Solution highlights:
    • First VA solution integrated with Security Intelligence
    • Dramatically improving actionable information through rich context
    • Reducing total cost of ownership through product consolidation
    • Providing a unified view of all vulnerability information
    Platform components: Log Manager; SIEM; Network Activity Monitor; Forensics; Vulnerability Manager
    Security Intelligence is extending and transforming Vulnerability Management – just as it did to Log Management.
  • 28. IBM QRadar Vulnerability Manager: how it works
    • Not Active: by leveraging Network Insights, QVM can tell if the vulnerable application is active
    • Patched: by leveraging BigFix, QVM understands what vulnerabilities will be patched
    • Blocked: by leveraging network topology, QVM can understand what vulnerabilities are blocked by firewalls, IPSs and XGS
    • Critical: by leveraging its vulnerability knowledge base, remediation flow and QRM policies, QVM can identify business critical vulnerabilities
    • At Risk: by utilizing X-Force threat and SIEM security incident data, coupled with QFlow network traffic visibility, QVM can tell if vulnerable assets are communicating with potential threats
    • Exploited: by leveraging SIEM correlation and XGS data, QVM can reveal what vulnerabilities have been exploited
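The six states above are each derived from a different data source (flow visibility, endpoint management, topology, policy, threat intelligence, SIEM correlation), and the value of the approach is in combining them so that a scanner finding is ranked by what the rest of the environment says about it. The block below is an added example, not QVM's or IBM's code: it models those facts as a small record per (asset, vulnerability) pair, classifies each pair into one of the slide's states, and orders the result. The precedence between states, the field names, the host names and the `VULN-PLACEHOLDER-*` ids are all constructed assumptions.

```python
"""Added example (not QVM's or IBM's code): classify (asset, vulnerability)
pairs into the six states the slide describes by combining facts that the
slide attributes to different data sources. Field names, the precedence
order, host names and vulnerability ids are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnContext:
    host: str
    vuln_id: str                 # placeholder id, not a real CVE
    service_active: bool         # from network visibility: is the vulnerable app actually talking?
    patch_scheduled: bool        # from endpoint management: is a fix already queued?
    blocked_by_perimeter: bool   # from topology: is the path to the service blocked?
    business_critical: bool      # from policy / knowledge base
    talks_to_threat: bool        # from threat intel joined with flows
    exploit_observed: bool       # from SIEM correlation / IPS events


def classify(v):
    """Return the state for one pair. Assumed precedence: evidence of
    exploitation outranks everything, then live exposure to a threat,
    then business criticality; only after that do the reasons to
    deprioritise (inactive, patch queued, blocked) apply."""
    if v.exploit_observed:
        return "Exploited"
    if v.talks_to_threat:
        return "At Risk"
    if v.business_critical:
        return "Critical"
    if not v.service_active:
        return "Not Active"
    if v.patch_scheduled:
        return "Patched"
    if v.blocked_by_perimeter:
        return "Blocked"
    return "Open"   # no mitigating or aggravating fact known


# Assumed work-queue order: lower number means handle first.
PRIORITY = {"Exploited": 0, "At Risk": 1, "Critical": 2, "Open": 3,
            "Blocked": 4, "Patched": 5, "Not Active": 6}


def prioritise(contexts):
    """Classify every pair and return (state, host, vuln_id) tuples in the
    order an analyst should work them."""
    rows = [(classify(v), v.host, v.vuln_id) for v in contexts]
    return sorted(rows, key=lambda r: (PRIORITY[r[0]], r[1]))


# Constructed sample: five findings from the same scanner severity, which
# end up in five different states once the other sources are consulted.
SAMPLE = [
    VulnContext("db-1",  "VULN-PLACEHOLDER-1", True,  False, False, False, False, True),
    VulnContext("web-1", "VULN-PLACEHOLDER-2", False, False, False, False, False, False),
    VulnContext("app-3", "VULN-PLACEHOLDER-3", True,  True,  False, False, False, False),
    VulnContext("fs-2",  "VULN-PLACEHOLDER-4", True,  False, True,  False, True,  False),
    VulnContext("erp-1", "VULN-PLACEHOLDER-5", True,  False, False, True,  False, False),
]

if __name__ == "__main__":
    for state, host, vuln in prioritise(SAMPLE):
        print(f"{state:10} {host:6} {vuln}")
```

Note the `fs-2` case: the service is behind a blocking perimeter device, yet it is still classified "At Risk" because the flow data shows it communicating with a known threat. That is the point of joining sources rather than trusting any one of them: a topology-only view would have demoted a finding that the network evidence says is live.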
  • 29. Cybercriminals rarely act alone, neither should you!
    • What you also need to do to stay ahead of the threat
      – Change the way teams collaborate for improved network security defenses.
      – Raise the costs and reduce the opportunities for cybercriminals
    • The solution
      – IBM Security X-Force Exchange https://exchange.xforce.ibmcloud.com
        • Provides aggregated threat intelligence and a platform for peer collaboration to add human context to machine-generated intelligence.
      – IBM Security App Exchange http://apps.xforce.ibmcloud.com
        • Provides a platform to share professionally developed tools and technologies, and also encourages rapid innovation through crowdsourcing of client contributions.
  • 30. IBM Security App Exchange example: IBM QRadar User Behavior Analytics (UBA) – detect abnormal user behavior in one click
    • QRadar UBA adds a user-centric view of network activities, including a new tab and customizable dashboard allowing security teams to quickly understand risky behaviors. It is similar to the Offenses tab in that it prioritizes or ranks incidents related to the triggering of behavioral or anomaly rules associated with user actions.
    • The IBM QRadar platform extends to support an integrated UBA approach to detect and investigate user risk
    • Enabled via IBM Security App Exchange – the QRadar UBA app is available for download
    • Leverages the existing data set and analytics platform, reducing tool sprawl
  • 31. Cognitive Security Starts Here: NEW! IBM QRadar Watson Advisor
    IBM Security introduces a revolutionary shift in security operations
    • Employs powerful cognitive capabilities to investigate and qualify security incidents and anomalies on behalf of security analysts
    • Powered by Watson for Cyber Security to tap into vast amounts of security knowledge and deliver insights relevant to specific security incidents
    • Transforms SOC operations by addressing current challenges that include skills shortages, alert overloads, incident response delays, currency of security information and process risks
    • Designed to be easily consumable: delivered via IBM Security App Exchange and deployed in minutes
• 32. Cognitive tasks of a security analyst in investigating an incident. Time-consuming threat analysis: there's got to be an easier way!
Gain local context leading to the incident:
• Review the incident data
• Review the outlying events for anything interesting (e.g., domains, MD5s, etc.)
• Pivot on the data to find outliers (e.g., unusual domains, IPs, file access)
• Expand your search to capture more data around that incident
Gather the threat research, develop expertise:
• Search for these outliers / indicators using X-Force Exchange + Google + VirusTotal + your favorite tools
• Discover new malware is at play
• Get the name of the malware
• Gather IOC (indicators of compromise) from additional web searches
Apply the intelligence and investigate the incident:
• Investigate gathered IOC locally
• Find other internal IPs that are potentially infected with the same malware
• Qualify the incident based on insights gathered from threat research
• Start another investigation around each of these IPs
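The pivot-and-sweep part of that workflow, as an added example that is not IBM or QRadar code: it takes constructed, QRadar-style events for one offense, finds the external observables that few internal hosts have touched (the "outliers"), looks them up in a small dictionary that stands in for an X-Force Exchange or VirusTotal lookup, and then sweeps the wider event set for other internal hosts that contacted the same indicators. The network hierarchy, the events, the placeholder domain and hash, and the threat-intel dictionary are all constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Assumed network hierarchy (constructed): anything inside is "internal".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed stand-in for an external threat-intel lookup (e.g. X-Force
# Exchange); the domain and hash are placeholders, not real indicators.
THREAT_INTEL = {
    ("domain", "bad-example.invalid"): "Example.Downloader",
    ("md5", "ffffffffffffffffffffffffffffffff"): "Example.Downloader",
}

# Constructed events: offense 1001 on host 10.1.1.5, ordinary baseline
# traffic from other hosts, and one quiet host touching the same indicator.
EVENTS = [
    {"offense": 1001, "src": "10.1.1.5", "dst": "203.0.113.10", "domain": "bad-example.invalid", "md5": "ffffffffffffffffffffffffffffffff"},
    {"offense": 1001, "src": "10.1.1.5", "dst": "203.0.113.10", "domain": "bad-example.invalid", "md5": None},
    {"offense": 1001, "src": "10.1.1.5", "dst": "198.51.100.7", "domain": "cdn.example.com", "md5": None},
    {"offense": None, "src": "10.1.1.6", "dst": "198.51.100.7", "domain": "cdn.example.com", "md5": None},
    {"offense": None, "src": "10.1.1.7", "dst": "198.51.100.7", "domain": "cdn.example.com", "md5": None},
    {"offense": None, "src": "10.1.1.8", "dst": "198.51.100.7", "domain": "cdn.example.com", "md5": None},
    {"offense": None, "src": "10.2.3.4", "dst": "203.0.113.10", "domain": "bad-example.invalid", "md5": None},
]


def is_internal(ip):
    """True if the address falls inside the assumed network hierarchy."""
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def observables(event):
    """Yield (type, value) observables from one event; internal IPs are skipped."""
    for key in ("src", "dst"):
        if event[key] and not is_internal(event[key]):
            yield ("ip", event[key])
    if event["domain"]:
        yield ("domain", event["domain"])
    if event["md5"]:
        yield ("md5", event["md5"])


def find_outliers(offense_id, events, max_hosts=2):
    """Observables of the offense that at most `max_hosts` internal hosts have touched.

    'Rarely seen across the estate' is the pivot the slide describes; a CDN
    domain used by many hosts drops out, an odd domain used by one or two stays.
    """
    seen_by = {}
    for ev in events:
        for obs in observables(ev):
            seen_by.setdefault(obs, set()).add(ev["src"])
    offense_obs = {obs for ev in events if ev["offense"] == offense_id for obs in observables(ev)}
    return sorted(obs for obs in offense_obs if len(seen_by[obs]) <= max_hosts)


def enrich(outliers, intel=THREAT_INTEL):
    """Look each outlier up in threat intel; returns {observable: malware name}."""
    return {obs: intel[obs] for obs in outliers if obs in intel}


def investigate(offense_id, events):
    """Run the pivot, enrich, and sweep for other internal hosts hitting the same IOCs."""
    outliers = find_outliers(offense_id, events)
    iocs = enrich(outliers)
    offense_hosts = {ev["src"] for ev in events if ev["offense"] == offense_id}
    hits = {ev["src"] for ev in events
            if is_internal(ev["src"]) and any(obs in iocs for obs in observables(ev))}
    return {
        "outliers": outliers,
        "malware": sorted(set(iocs.values())),
        "offense_hosts": sorted(offense_hosts),
        "other_hosts": sorted(hits - offense_hosts),  # candidates for the next investigation
    }


if __name__ == "__main__":
    for key, value in investigate(1001, EVENTS).items():
        print(f"{key}: {value}")
```

Each host in `other_hosts` is where the slide's last step ("start another investigation around each of these IPs") would begin; in a real deployment the lookup dictionary would be replaced by the analyst's threat-intel sources and the event list by an AQL query against the offense's time window.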
• 33. Unlocking a new partnership between security analysts and their technology: QRadar Advisor complementing the investigative resources of a SOC.
Security Analysts:
• Manage alerts
• Research security events and anomalies
• Evaluate user activity and vulnerabilities
• Configuration
• Other
Security Analytics (QRadar):
• Data correlation
• Pattern identification
• Thresholds
• Policies
• Anomaly detection
• Prioritization
Watson for Cyber Security:
• Security knowledge
• Threat identification
• Reveal additional indicators
• Surface or derive relationships
• Evidence
QRadar Advisor with Watson (QRadar Watson Advisor):
• Local data mining
• Perform threat research using Watson for Cyber Security
• Qualify and relate threat research to security incidents
• Present findings
• 34. QRadar Advisor in Action
1. Offenses
2. Gains local context and forms a threat research strategy
3. Observables
4. Performs threat research and develops expertise
5. Research results
6. Applies the intelligence gathered to investigate and qualify the incident
Diagram labels: QRadar correlated enterprise data; offense context; device activities; knowledge graph; equivalency relationships.
• 35. Gain local context leading to the incident and formulate a threat research strategy
• 36. Observables: data used by QRadar Advisor
Observables are the finite set of discrete elements collected from an offense and its related events that QRadar Watson Advisor uses for local analysis and external research. Only a subset is sent to Watson for Cyber Security (W4CS) as observations of a potential threat.
Observable type: description (sent to W4CS?)
• Source IP: external source IPs that appear in an offense, enforced by respecting the Network Hierarchy defined in QRadar (Yes)
• Destination IP: external destination IPs that appear in an offense, enforced by respecting the Network Hierarchy defined in QRadar (Yes)
• File Hash: hash value of a file that is deemed suspicious (Yes)
• URL: external URLs that appear in an offense (Yes)
• Domain: external domains that appear in an offense (Yes)
• Destination Port: destination ports belonging to destination IPs (No)
• User Agent: the user agent identified by a browser or HTTP application (No)
• AV Signature: malware signatures identified by antivirus solutions (No)
• Email Address: email addresses associated with suspicious emails (No)
• File Name: names of suspicious files (No)
• Source Port: source ports belonging to source IPs (No)
• Destination ASN: Autonomous System Number of a destination IP address (from a DNS) (No)
• Source ASN: Autonomous System Number of a source IP address (from a DNS) (No)
• Destination Country: name of the destination country of outbound communications (No)
• Source Country: name of the source country of inbound communications (No)
• Low Level Category: low-level QRadar offense category (No)
• High Level Category: high-level QRadar offense category (No)
• Direction: direction of communication (No)
• User name: aliases that may attempt to access critical internal infrastructure (No)
• 37. Control, privacy and security of transferring observables
Control
• QRadar Watson Advisor references the Network Hierarchy defined in QRadar
• The QRadar administrator can control which types of observables are sent, in the QRadar Watson Advisor administration page
• The QRadar administrator can select which custom properties are mapped to observable types
Privacy
• Only external URLs, domains, IPs, ports and values are sent to Watson for Cyber Security
• After an investigation, all observables sent to Watson for Cyber Security are destroyed, and the results of the investigation are also not persisted in the cloud
• Watson for Cyber Security does not track the IPs or the specific instance of QRadar Watson Advisor submitting the investigation requests, to preserve anonymity
Security
• Observables are sent via an encrypted channel to Watson for Cyber Security
• Watson for Cyber Security isolates each customer's offense investigation
• Watson for Cyber Security can only be accessed by authorized QRadar Watson Advisor apps
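The two controls that decide what leaves the SIEM, the network hierarchy and the per-type administrator setting, as an added example that is not IBM or QRadar code: it covers the observables table on slide 36 and the control points on slide 37. The shareable types are the ones the table marks "Yes"; the CIDRs of the network hierarchy, the internal domain suffix and the sample offense are constructed, and the administrator allow-list is modelled as a plain set rather than the app's real administration page.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Assumed network hierarchy (constructed): addresses inside are internal.
NETWORK_HIERARCHY = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]
# Constructed: domains under these suffixes are treated as internal.
INTERNAL_DOMAIN_SUFFIXES = (".corp.example",)

# Observable types the slide-36 table marks "Sent to W4CS: Yes".
# Every other type (ports, user agent, AV signature, user name, ...) stays local.
DEFAULT_SHAREABLE = {"source_ip", "destination_ip", "file_hash", "url", "domain"}


def is_external_ip(value):
    """External means: not loopback/link-local and outside the network hierarchy."""
    ip = ip_address(value)
    if ip.is_loopback or ip.is_link_local:
        return False
    return not any(ip in net for net in NETWORK_HIERARCHY)


def is_external_domain(value):
    return not value.lower().endswith(INTERNAL_DOMAIN_SUFFIXES)


def is_external_url(value):
    """A URL is external only if its host is; the host may be an IP or a name."""
    host = urlparse(value).hostname or ""
    try:
        return is_external_ip(host)
    except ValueError:          # not an IP literal, so judge it as a domain
        return is_external_domain(host)


# Per-type "is this external?" check; types without one (file hashes) pass.
EXTERNAL_CHECK = {
    "source_ip": is_external_ip,
    "destination_ip": is_external_ip,
    "domain": is_external_domain,
    "url": is_external_url,
}


def partition_observables(observables, admin_allowed=DEFAULT_SHAREABLE):
    """Split (type, value) observables into those cleared to leave and those kept local.

    An observable is sent only if its type is shareable by design, the
    administrator has not switched that type off, and the value is external
    according to the network hierarchy. Returns (sent, kept).
    """
    sent, kept = [], []
    for otype, value in observables:
        check = EXTERNAL_CHECK.get(otype)
        shareable = (
            otype in DEFAULT_SHAREABLE
            and otype in admin_allowed
            and (check is None or check(value))
        )
        (sent if shareable else kept).append((otype, value))
    return sent, kept


# Constructed sample offense; the hash is a placeholder, not a real indicator.
SAMPLE_OFFENSE = [
    ("source_ip", "10.1.1.5"),             # internal: never leaves
    ("destination_ip", "203.0.113.10"),    # external: sent
    ("domain", "bad-example.invalid"),     # external: sent
    ("domain", "intranet.corp.example"),   # internal suffix: kept
    ("url", "http://10.1.1.9/login"),      # internal host inside a URL: kept
    ("file_hash", "ffffffffffffffffffffffffffffffff"),  # sent
    ("destination_port", "443"),           # type is local-only
    ("user_name", "jdoe"),                 # type is local-only
]

if __name__ == "__main__":
    sent, kept = partition_observables(SAMPLE_OFFENSE)
    print("sent:", sent)
    print("kept:", kept)
    # With only file hashes enabled by the administrator, nothing else leaves.
    print("hash-only:", partition_observables(SAMPLE_OFFENSE, admin_allowed={"file_hash"})[0])
```

The administrator setting can only narrow the default set, never widen it, which mirrors the slide: a type the table marks "No" cannot be switched on, and a "Yes" type can be switched off. Mis-modelling the network hierarchy is the failure mode to test for here; an internal range missing from it would let internal addresses leave as "external".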
• 38. A security operations platform for today's and tomorrow's needs: fast to deploy, easy to manage, and focused on your success.
Use cases: Advanced Threat Detection; Insider Threat; Securing the Cloud; Risk and Vulnerability Management; Critical Data Protection; Compliance; Incident Response.
• 39. THANK YOU. FOLLOW US ON: ibm.com/security, securityintelligence.com, xforce.ibmcloud.com, @ibmsecurity, youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2017. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused, or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure, and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.