© 2015 IBM Corporation
IBM Security
IBM SECURITY QRADAR FOR SERVICE PROVIDERS
Extending Market Reach Through Multi-Tenancy & SaaS
Vijay Dheap
Global Product Manager
QRadar
Agenda
Motivations
QRadar Multi-Tenancy
QRadar Master Console
Security Intelligence on Cloud
Partnering with IBM
It’s A Not So Friendly Cyber World…and Many are Ill-Equipped
Risks abound and cost continues to grow
Limitations in even grasping an organization’s security posture constrain the ability to adapt it…
Organizations of All Sizes Plan on Raising their Basic Security IQ
Growing demand needs to be served by the best-in-class solution, QRadar. Service Providers provide not just the reach but also the expertise to onboard and support these organizations on their security intelligence journey.
Service Provider Requirements to Serve this Market Demand
Offer range of security intelligence capabilities from basic to advanced to meet diverse spectrum of client needs
• Log Management
• SIEM
• Risk and vulnerability management
• Network, app, and service usage visibility
Adaptive deployment options depending on client size and scale
• Dedicated environments for large institutions
• Shared infrastructure for small/mid-size organizations
Deliver rapid time-to-value
• Quick deployment
• Built-in intelligence
• Out-of-the-box integrations
Minimize operational infrastructure costs and improve staff productivity
• Multi-tenancy
• Cloud delivery options
• Centralized dashboard
Helping Service Providers Broaden Reach of Security Intelligence
Service Providers can extend Tier 1 security intelligence capabilities to small & mid-size organizations leveraging multi-tenancy
Master Console
Service Providers can gain centralized visibility to multiple, diverse QRadar deployments – multi-tenant, or dedicated
Service Providers can either deploy QRadar in the cloud or resell IBM Security Intelligence on Cloud Offering to minimize capital expenditures and offer an operating expense model for security intelligence for their customers
[Diagram labels: Customer A, Customer B, Customer C, Customer D, Customer E]
Multi-Tenant QRadar for Managed Security Service Providers
Scalable appliance architecture
Shared modular infrastructure
Significant new capabilities to help Service Providers bring security to customers
• New centralized views and incident management
• Mixed single- and multi-tenanted deployment options
• True horizontal, snap-on scalability capabilities
• Extensive APIs for enterprise integration
• System configuration template support
• Cloud ready with support for 400+ out-of-the-box devices
IBM Security QRadar is:
MULTI-TENANT: enables secure, rapid and cost effective delivery of security intelligence services
AUTOMATED: drives simplicity and accelerates time-to-value for service providers
SCALABLE: scales from smallest to largest customers with centralized management of single- and multi-tenanted systems
INTELLIGENT AUTOMATED INTEGRATED
Introducing the Domain Concept
Domains are building blocks for multi-tenant QRadar
• Allows for segregating overlapping IPs
• Enables categorizing sources of security data (ex. events, flows) into different sets
• Facilitates monitoring and analysis of one or more subsets to attain granular visibility
Domains can be defined at three levels:
• Collector-level: Collectors (events or flows) are used to distinguish among domains
• Source-level: Sources (log or flow) possibly aggregated by the same collector can be specified as belonging to different domains
• Properties-level: Specific events within a log source can be associated to various domains
[Diagram: Collector-level (Domain A, Domain B); Source-level (Domain A: Source 1, Source 2; Domain B: Source 3); Properties-level (Log Source 4; Domain A: Property i; Domain B: Property ii, Property iii); arrow labelled "Increasing Priority" from collector-level to properties-level]
Automatic Detection & The Default Domain
When no dedicated event collectors are assigned, new log sources are automatically detected and assigned to the default domain, allowing the Service Provider admin or global admin to make the domain assignment (if desired)
Prevents data leakage and enforces data separation across domains
When dedicated event collectors are assigned to a unique domain, new log sources are automatically detected and assigned to that domain
Domain Support in Rules
Custom rules engine is now domain-aware, automatically isolating correlations from different domains
New domain test allows for cross domain correlations if desired or necessary
Domain Support in Offenses
Domain information carried all the way through offense
Domain Support Within Asset Model
Each asset is assigned to a domain
Assets can have overlapping IP addresses
Domain Support for Security Profiles
Security Profile can be restricted to one or more domains
Security Profile will restrict access to flows, events, assets, and offenses based on domain
Controlled Access to Domains
New User Security Profiles can be instantiated to control access to domain data:
• Enables defining user access rights to one or more domains
• Allows for delegation of responsibilities across domains
• Facilitates defining domain specific visibility
[Diagram labels: Domain A, Domain B]
Once domains are defined, the next step is to control user privileges to those domains
Process in the QRadar Admin Console:
1. Define Security Profiles for the Domains
2. Associate users from those domains to the appropriate security profiles
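A small model of the domain behaviour these slides describe, added here as an illustration and not IBM or QRadar code: it resolves an event's domain by property, then source, then collector, falls back to the default domain, keys assets by (domain, IP) so overlapping addresses stay separate, and filters a view by a security profile's domains. All class, function and field names and the sample events are constructed, and the precedence order assumes "Increasing Priority" runs from collector-level to properties-level.

```python
DEFAULT_DOMAIN = "Default"  # unassigned data waits here for an admin decision


class DomainMap:
    """Hypothetical domain definitions (illustrative, not QRadar's data model)."""

    def __init__(self, by_collector, by_source, by_property):
        self.by_collector = by_collector  # collector name -> domain
        self.by_source = by_source        # log/flow source name -> domain
        self.by_property = by_property    # (property, value) -> domain

    def resolve(self, event):
        # Assumed precedence, highest first: property, source, collector.
        for item in event.get("properties", {}).items():
            if item in self.by_property:
                return self.by_property[item]
        if event.get("source") in self.by_source:
            return self.by_source[event["source"]]
        if event.get("collector") in self.by_collector:
            return self.by_collector[event["collector"]]
        return DEFAULT_DOMAIN


def build_asset_index(domains, events):
    """Key assets by (domain, ip) so overlapping tenant IPs never merge."""
    assets = {}
    for ev in events:
        assets.setdefault((domains.resolve(ev), ev["src_ip"]), []).append(ev["id"])
    return assets


def visible_assets(assets, profile_domains):
    """Restrict a view to the domains listed in a user's security profile."""
    return {k: v for k, v in assets.items() if k[0] in profile_domains}


# Constructed sample data: two tenants reuse 10.0.0.5 behind one shared collector.
DOMAINS = DomainMap(
    by_collector={"ec-shared": "Domain A", "ec-b": "Domain B"},
    by_source={"Source 3": "Domain B"},
    by_property={("tenant_id", "ii"): "Domain B"},
)
EVENTS = [
    {"id": 1, "collector": "ec-shared", "source": "Source 1", "src_ip": "10.0.0.5"},
    {"id": 2, "collector": "ec-shared", "source": "Source 3", "src_ip": "10.0.0.5"},
    {"id": 3, "collector": "ec-shared", "source": "Log Source 4",
     "src_ip": "10.0.0.9", "properties": {"tenant_id": "ii"}},
    {"id": 4, "collector": "ec-new", "source": "unknown-fw", "src_ip": "10.0.0.5"},
]
ASSETS = build_asset_index(DOMAINS, EVENTS)

if __name__ == "__main__":
    print(visible_assets(ASSETS, {"Domain A"}))
```

Event 4 arrives from an unmapped collector and source, so it lands in the default domain instead of being attributed to a tenant that happens to use the same IP.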
Vulnerability Management on a Domain Level
QRadar Vulnerability Manager allows asset profiles to be denoted with domain categorizations for exported scan results
• Domain is defined per scanner for dynamic scanning
• Domain is a selectable criteria when filtering results
• Credentials controlled through the user’s security profile relating to the domain specified
• Saved searches for scan results will return assets that also match domain visibility of the user
Note a key value proposition of QRadar Vulnerability Manager is that scanners can be enabled on the deployed QRadar infrastructure without incurring additional infrastructure overhead.
Summarizing QRadar Multi-Tenancy Capabilities for Service Providers
Supports multiple customers within single QRadar instance
Guarantees separate correlation processing for each client’s security data
Restricts client visibility to only their security data – logs, flows, offenses etc.
Permits vulnerability scan data sharing across all clients associated within common domain
Facilitates simplified system administration of all client domains
Master Console: A Single View Across Multiple QRadar Deployments
Centralized health view and system monitoring
Additional planned capabilities:
• Centralized offense view and management
• Content Management
  o Log Source Management
  o Rules
  o Reports
  o Saved Searches
  o Dashboards
• User Accounts
• Federated Search
• Seat Management
[Diagram labels: Network A, Network B, Network C, Network D, Network E; Multi-tenant QRadar deployment; IBM Security Intelligence on Cloud]
Facilitating Access to Underlying QRadar Deployments
Pass-through APIs
Service Provider analyst can employ Master Console Pass-through APIs to programmatically invoke QRadar APIs and build custom applications
Click-through Log-in
Service Provider analyst can log in to specific QRadar deployment (managed from the Master Console) to get additional details needed for an investigative process
[Diagram labels: Analyst, Customer A, Customer B]
Deploying Master Console
Master Console software package included in QRadar ISO at no additional cost – updates provided via Fix Central
Installs on Service Provider’s own hardware, VM or cloud instance using 8500 activation key – recommended specifications equivalent to QRadar 3105 hardware appliance
IBM Security Intelligence on Cloud
Service Highlights
• Security Intelligence as a Service
• X-Force Exchange integration
• Physically segregated client data
• Real time & historical correlation of assets, events, and vulnerabilities
• Advanced threat detection
• Configurable SOC and management dashboards
• Supports integrations of 450+ security & IT solutions
• Seamless integration with IBM Global SOC for additional Security Services
[Diagram labels: Software Gateways, Secure robust channel, Security Intelligence]
Professionally deployed and managed solution enabling organizations and Service Providers to focus on monitoring security intelligence operations
Go-To-Market Options
Application Specific Licensing (ASL)
• Appliances or software (including virtual appliances)
• Support either perpetual license or monthly payments
  o Zero upfront costs – pay only for EPS or Flows consumed by customers every month or quarterly
  o Earn discounts – as business pipeline scales earn discounted pricing or specify commitments to get discounted price up front
• Removes restriction on how EPS and Flows are allocated across two or more customers
• Current, standard processes remain in place to establish an ASL agreement
Resell
• Appliances, software (including virtual appliances), or SaaS (IBM Security Intelligence on Cloud)
• Collaborate with IBM to design and develop your marketing material
• Realize built-in margin and complement with value added services
• Current, standard processes remain in place to establish a Reseller agreement
IBM Value Proposition for Service Providers
Best-in-Class Security Intelligence solution with flexibility to meet your needs
• Full spectrum of Security Intelligence capabilities
• On-premise or Cloud delivery
• Dedicated environment or multi-tenant
• Horizontally scalable
Choice of Go-to-Market options to suit various business models
• Minimize up-front costs
• Maximize margins
• Maintain customer relationships
Rapid Time-to-Value
• Simplified deployment options
• Out-of-the-box security content and integrations
Platform for adding high-value services in cost-effective and streamlined fashion
• Tailored security building blocks
• Single Pane of Glass for security monitoring and management
Contact your Local IBM Representative
Middle East & Africa
Jean-Luc Labbe
jean-luc.labbe@it.ibm.com
North America
Chad Kinter
ckinter@us.ibm.com
Europe
Serge Richard
serge.richard@fr.ibm.com
Asia Pacific
John SK Chai
chaiskj@sg.ibm.com
Worldwide Sales
Bill Wallace
bwallac@us.ibm.com
www.ibm.com/security
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY