IBM QRadar Portfolio

© 2013 IBM Corporation
IBM Security Systems

What is Security Intelligence?

Security Intelligence
--noun
1. the real-time collection, normalization and analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise

Security Intelligence provides actionable and comprehensive insight for managing risks and threats from protection and detection through remediation

Security Intelligence & Business Intelligence offer insightful parallels

[Figure: two product timelines plotted against Market Changes (vertical axis) and Time (horizontal axis)]

IBM Security Intelligence timeline:
• Managed Security Services
• Mainframe and Server Security - RACF
• SOA Security
• Network Intrusion Prevention
• Database Monitoring
• Identity and Access Management
• Application Security
• Security as a Service
• Compliance Management
• Security Intelligence
• DASCOM

IBM Business Intelligence timeline:
• Enterprise Reporting
• Performance Management Platform
• Business Intelligence Suite
• IOD Business Optimization
• BI Convergence with Collaboration
• Text & Social Media Analytics
• Simplified Delivery (i.e., Cloud)
• Predictive Analytics
• Decision Management
• BI Convergence with Security

Security Intelligence & the “Why More Context”

Organizations are failing at early breach detection, with more than 85% of breaches undetected by the breached organization.*

(...)

It is the combination of real-time security monitoring, context (threat, vulnerability, user, asset, data and application) and "smart eyeballs" on daily activity reports that will improve your chances of early breach detection beyond the current 15% success rate.

Gartner “Using SIEM for Targeted Attack Detection” (March 2012)

* 2011 Data Breach Investigations Report — Verizon Business Systems.

Solutions for the full Security Intelligence timeline

[Figure: timeline running from Prediction & Prevention to Reaction & Remediation]

Prediction & Prevention
• Risk Management. Vulnerability Management.
• Configuration and Patch Management.
• X-Force Research and Threat Intelligence.
• Compliance Management.
• Reporting and Scorecards.
Questions answered: What are the external and internal threats? Are we configured to protect against these threats?

Reaction & Remediation
• Network and Host Intrusion Prevention.
• Network Anomaly Detection. Packet Forensics.
• Database Activity Monitoring. Data Leak Prevention.
• Security Information and Event Management.
• Log Management. Incident Response.
Questions answered: What is happening right now? What was the impact?

Built upon common foundation of QRadar SIOS

[Figure: layered architecture of the IBM QRadar Platform]

Security Intelligence Solutions: QRadar Log Manager, QRadar SIEM, QRadar Risk Manager, QRadar QFlow and VFlow, QRadar Vulnerability Manager

Security Intelligence Operating System (SIOS): Normalization, Warehouse, Archival, Analytics Engine, Rules Engine, Workflow, Real-Time Viewer, Reporting Engine

And continually adding context for increased accuracy

Security Intelligence Feeds: Internet Threats, Geo Location, Vulnerabilities

Deployed upon scalable appliance architecture

SIEM
• Log, flow, vulnerability & identity correlation
• Sophisticated asset profiling
• Offense management and workflow

Log Management
• Turn-key log management and reporting
• SME to Enterprise
• Upgradeable to enterprise SIEM

Network Activity & Anomaly Detection
• Network analytics
• Behavioral anomaly detection
• Fully integrated in SIEM

Network and Application Visibility
• Layer 7 application monitoring
• Content capture for deep insight & forensics
• Physical and virtual environments

Configuration & Vulnerability Management
• Network security configuration monitoring
• Vulnerability scanning & prioritization
• Predictive threat modeling & simulation

Scale
• Event Processors
• Network Activity Processors
• High Availability & Disaster Recovery
• Stackable Expansion

Using fully integrated architecture and interface

The same five capability areas as the previous slide (SIEM; Log Management; Configuration & Vulnerability Management; Network Activity & Anomaly Detection; Network and Application Visibility), with the same bullets except that the vulnerability bullet reads "Vulnerability prioritization", presented as:

One Console Security
Built on a Single Data Architecture

Differentiated by network flow analytics

Network traffic doesn’t lie. Attackers can stop logging and erase their tracks, but can’t cut off the network (flow data)

• Deep packet inspection for Layer 7 flow data
• Pivoting, drill-down and data mining on flow sources for advanced detection and forensics

Helps detect anomalies that might otherwise get missed
Enables visibility into attacker communications

Continued journey towards Total Security Intelligence

[Figure: roadmap slide, title only]

IBM QRadar SIEM

[Section divider: the SIOS architecture diagram above, repeated]

QRadar SIEM: Command console for Security Intelligence

• Provides full visibility and actionable insight to protect against advanced threats
• Adds network flow capture and analysis for deep application insight
• Employs sophisticated correlation of events, flows, assets, topologies, vulnerabilities and external data to identify and prioritize threats
• Contains workflow management to fully track threats and ensure resolution
• Uses scalable hardware, software and virtual appliance architecture to support the largest deployments

Flows provide context for true network intelligence

• Helps detect zero-day attacks that have no signature
• Enables policy monitoring and rogue server identification
• Provides visibility into all attacker communications
• Uses passive monitoring to build asset profiles and classify hosts
• Improves network visibility and helps resolve traffic problems

IBM QRadar Risk Manager

[Section divider: the SIOS architecture diagram above, repeated]

QRadar Risk Manager: Visualize network, configurations and risks

• Depicts network topology views and helps visualize current and alternative network traffic patterns
• Identifies active attack paths and assets at risk of exploit
• Collects network device configuration data to assess vulnerabilities and facilitate analysis and reporting
• Discovers firewall configuration errors and improves performance by eliminating ineffective rules
• Analyzes policy compliance for network traffic, topology and vulnerability exposures

Investigating offense attack path

• Clicking the ‘attack path’ button for an offense performs a search showing the precise path (and all permutations) between the involved source and destination IPs
• Firewall rules enabling the attack path can then be quickly analyzed to understand the exposure
• Allows a “virtual patch” to be applied by quickly showing which firewall rules may be changed to immediately shut down the attack path—before patching or other configuration changes can typically be implemented
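A small model of the firewall-rule analysis the slide describes, added here as an illustration and not QRadar Risk Manager's code: an offense's source and destination are walked through ordered first-match rule sets along the route, the permit rules that enable the path are reported, and the rules a "virtual patch" would tighten are picked out. The firewall names, rule names, addresses and the source-"any" heuristic are all constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str            # "permit" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None = any port
    def matches(self, src_ip, dst_ip, dport):
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))

IMPLICIT_DENY = Rule("implicit-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", None)
def first_match(rules, src_ip, dst_ip, dport):
    """First-match ACL semantics: the first matching rule decides."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule
    return IMPLICIT_DENY

def attack_path(firewalls, src_ip, dst_ip, dport):
    """Walk firewalls in route order. Returns (open, [(firewall, deciding rule), ...]);
    the path is open only if every hop permits, and the list shows which rules enable it."""
    decisions = []
    for fw_name, rules in firewalls:
        rule = first_match(rules, src_ip, dst_ip, dport)
        decisions.append((fw_name, rule.name))
        if rule.action == "deny":
            return False, decisions
    return True, decisions

def virtual_patch_candidates(firewalls, src_ip, dst_ip, dport):
    """Assumed heuristic: enabling permit rules with source 'any' are the first to tighten."""
    is_open, decisions = attack_path(firewalls, src_ip, dst_ip, dport)
    by_name = {r.name: r for _, rules in firewalls for r in rules}
    return [(fw, name) for fw, name in decisions
            if is_open and by_name[name].src == "0.0.0.0/0"]

# Constructed sample: offense from an internet host towards an internal database server
EDGE_FW = [Rule("edge-10", "deny", "203.0.113.0/24", "10.0.0.0/8", 22),
           Rule("edge-20", "permit", "0.0.0.0/0", "10.0.0.0/8", None)]
CORE_FW = [Rule("core-10", "permit", "10.1.0.0/16", "10.2.5.0/24", 1433),
           Rule("core-20", "permit", "0.0.0.0/0", "10.2.5.0/24", 1433),
           Rule("core-99", "deny", "0.0.0.0/0", "0.0.0.0/0", None)]
ROUTE = [("edge", EDGE_FW), ("core", CORE_FW)]
```

Running `attack_path(ROUTE, "203.0.113.7", "10.2.5.20", 1433)` shows the path open through edge-20 and core-20, both source-"any" permits, so either is a candidate for the virtual patch before the database host itself is patched.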

IBM QRadar Vulnerability Manager

[Section divider: the SIOS architecture diagram above, repeated]

Strengthened by integrated vulnerability insights

Questions remain with existing vulnerability management tools:
• Has that been patched?
• Has it been exploited?
• Is it likely to be exploited?
• Does my firewall block it?
• Does my IPS block it?
• Does it matter?

QRadar Vulnerability Manager with Security Intelligence integration:

Improves visibility
– Intelligent, event-driven scanning, asset discovery, asset profiling and more

Reduces data load
– Bringing rich context to Vulnerability Management

Breaks down silos
– Leveraging all QRadar integrations and data
– Unified vulnerability view across all products

Answers delivered:
• Real-time scanning
• Early warning capabilities
• Advanced pivoting and filtering

QVM enables customers to interpret ‘sea’ of vulnerabilities

[Figure: a wall of CVE entries, with individual vulnerabilities tagged by the context QVM gains from other QRadar components]

Inactive: QFlow Collector data helps QRadar Vulnerability Manager sense application activity

Blocked: QRadar Risk Manager helps QVM understand which vulnerabilities are blocked by firewalls and IPSs

Patched: IBM Endpoint Manager helps QVM understand which vulnerabilities will be patched

Critical: Vulnerability knowledge base, remediation flow and QRM policies inform QVM about business critical vulnerabilities

At Risk: X-Force Threat and SIEM security incident data, coupled with QFlow network traffic visibility, help QVM see assets communicating with potential threats

Exploited: SIEM correlation and IPS data help QVM reveal which vulnerabilities have been exploited
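An added illustration (not QVM's own logic) of the context-driven bucketing the slide describes: each finding carries the signals the other QRadar components contribute, and the classifier ranks Exploited and At Risk above Critical while Patched, Blocked and Inactive findings sink to the bottom of the triage list. The precedence order, the extra "Open" bucket, the asset names and the CVE placeholders are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Context:  # context signals the slide says QVM draws from other QRadar components
    service_active: bool = True       # QFlow: traffic seen on the vulnerable service
    blocked: bool = False             # QRadar Risk Manager: firewall/IPS blocks the path
    patch_scheduled: bool = False     # IBM Endpoint Manager: patch will be applied
    business_critical: bool = False   # knowledge base / QRM policy: business-critical
    talks_to_threat: bool = False     # X-Force + SIEM + QFlow: asset talks to known threats
    exploited: bool = False           # SIEM correlation / IPS: exploitation observed

@dataclass
class Finding:
    asset: str
    cve: str                          # placeholder ids in the sample below, not real CVEs
    ctx: Context = field(default_factory=Context)

# Higher rank = review first; "Open" is an assumed label for findings with no extra context
RANK = {"Exploited": 6, "At Risk": 5, "Critical": 4, "Open": 3,
        "Patched": 2, "Blocked": 1, "Inactive": 0}

def classify(f: Finding) -> str:
    """Evidence of compromise outranks mitigations; mitigations outrank plain exposure."""
    c = f.ctx
    checks = [(c.exploited, "Exploited"), (c.talks_to_threat, "At Risk"),
              (not c.service_active, "Inactive"), (c.blocked, "Blocked"),
              (c.patch_scheduled, "Patched"), (c.business_critical, "Critical")]
    return next((label for hit, label in checks if hit), "Open")

def triage(findings: List[Finding]) -> List[Tuple[str, str, str]]:
    """Return (bucket, asset, cve) rows sorted so the analyst sees the worst first."""
    rows = [(classify(f), f.asset, f.cve) for f in findings]
    return sorted(rows, key=lambda r: (-RANK[r[0]], r[1], r[2]))

# Constructed sample: the same placeholder vulnerability on six assets with different context
SAMPLE = [
    Finding("db-01", "CVE-XXXX-0001", Context(exploited=True)),
    Finding("web-02", "CVE-XXXX-0001", Context(talks_to_threat=True)),
    Finding("app-03", "CVE-XXXX-0001", Context(business_critical=True)),
    Finding("hr-04", "CVE-XXXX-0001", Context(blocked=True, business_critical=True)),
    Finding("lab-05", "CVE-XXXX-0001", Context(service_active=False)),
    Finding("fs-06", "CVE-XXXX-0001", Context(patch_scheduled=True)),
]
```

Note that hr-04 is business-critical but lands in Blocked: a firewall or IPS already covering the path is what lets the same CVE fall down the list on one host and stay near the top on another.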

IBM QRadar Security Intelligence

[Section divider: the SIOS architecture diagram above, repeated]

QRadar Security Intelligence easily grows with your needs

Inject IBM X-Force Threat Research Intelligence
– Provides intelligence feed to QRadar
– Includes vulnerabilities, IP reputations, malware reports

Add QRadar Risk Manager
– Enables pre-exploit configuration investigations
– Simplifies security policy reviews for compliance tests
– Provides network topology depictions and permits attack simulations

Implement QRadar Vulnerability Manager
– Extends pre-exploit analysis - adds integrated vulnerability insights
– Reduces magnitude of pre-exploit conditions as QRadar SIEM does for post-exploit conditions
– Helps identify and measure exposures to external threats

Upgrade Log Manager to QRadar SIEM
– Additional security telemetry data
– Rules-based correlation analysis engine
– Data overload reduction ‘magic’ compressing millions or even billions of daily raw events to manageable list of issues

Some of QRadar’s unique advantages

• Scalability for largest deployments, using an embedded database and unified data architecture
  Impact: QRadar supports your business needs at any scale

• Real-time correlation and anomaly detection based on broadest set of contextual data
  Impact: More accurate threat detection, in real-time

• Intelligent automation of data collection, asset discovery, asset profiling, vulnerability scanning and more
  Impact: Reduced manual effort, fast time to value, lower-cost operation

• Integrated flow analytics with Layer 7 content (application) visibility
  Impact: Superior situational awareness and threat identification

• Flexibility and ease of use enabling “mere mortals” to create and edit correlation rules, reports and dashboards
  Impact: Maximum insight, business agility and lower cost of ownership

Time for a QRadar Demo?
Time for Q&A?

ibm.com/security

© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

THANK YOU