© 2012 IBM Corporation
IBM Security Systems

QRadar SIEM and Zscaler Nanolog Streaming Service
February 2014

QRadar SIEM: Security Intelligence Platform

QRadar SIEM provides full visibility and actionable insight to protect networks and IT assets from a wide range of advanced threats, while meeting critical compliance mandates.

Key Capabilities:

• Sophisticated correlation of events, flows, assets, topologies, vulnerabilities and external data to identify & prioritize threats
• Network flow capture and analysis for deep application insight
• Workflow management to fully track threats and ensure resolution

IBM Security Intelligence

The Security Intelligence Life Cycle

Security Intelligence: Context and Correlation Drive Deep Insight

[Diagram: Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight]

Extensive data sources: Security Devices, Servers & Mainframes, Network & Virtual Activity, Database Activity, Application Activity, Configuration Info, Vulnerability & Threat, Users & Identities

Deep intelligence, taking suspected incidents to a true offense:
• Event Correlation: Logs, Flows, IP Reputation, Geo Location
• Activity Baselining & Anomaly Detection: User Activity, Database Activity, Application Activity, Network Activity
• Offense Identification: Credibility, Severity, Relevance

QRadar SIEM: Benefits

• Reduce the risk and severity of security breaches
• Remediate security incidents quickly and thoroughly
• Ensure regulatory and internal policy compliance
• Reduce manual effort of security intelligence operations

QRadar SIEM: Key Advantages

• Real-time activity correlation based on a wide set of contextual data
• Flow capture that delivers Layer 7 content visibility and supports deep forensic examination
• Intelligent incident analysis that reduces false positives and manual effort
• Unique combination of fast free-text search and analysis of data that has a common taxonomy

Gartner Magic Quadrant for SIEM:

IBM/Q1 Labs SIEM is rated #1 on “Ability to Execute” (the Y-axis) and beat McAfee/Nitro, RSA, LogRhythm, and Splunk on “Completeness of Vision” (the X-axis)

– Ability to Execute is an assessment of overall viability, product service, customer experience, market responsiveness, product track record, sales execution, operations, and marketing execution.
– Completeness of Vision is a rating of product strategy, innovation, market understanding, geographic strategy, and other factors.

IBM/Q1 Labs in SIEM Leadership Quadrant for Fifth Straight Year
Source: “Magic Quadrant for Security Information and Event Management,” Gartner, 7 May 2013

What Gartner is Saying about IBM/Q1 Labs:

“QRadar is a good fit for midsize and large enterprises that need general SIEM capabilities and also for use cases that require behavior analysis and NetFlow analysis.” Behavioral analysis is recognized by Gartner as essential in the detection of advanced threats.

“Customer feedback indicates that the technology is relatively straightforward to deploy and maintain across a wide range of deployment scales.”

“A distinguishing characteristic of the technology is the collection and processing of NetFlow data, deep packet inspection (DPI) and behavior analysis for all supported event sources.”

QRadar SIEM: Product Tour of Integrated Console

• Single browser-based UI
• Role-based access to information & functions
• Customizable dashboards (work spaces) per user
• Real-time & historical visibility and reporting
• Advanced data mining and drill down
• Easy to use rules engine with out-of-the-box security intelligence

QRadar & Zscaler Nanolog Streaming Service – Events coming in

QRadar & Zscaler Nanolog Streaming Service – Live Streaming

QRadar SIEM: Product Tour - the Intelligence of Offense Management

QRadar SIEM reduces millions of events and flow records to the top few threats and incidents – called Offenses

• Through correlation with contextual data (events, flows, vulnerabilities, threat intelligence feeds)
• Rules engine creates an offense as a response to a sequence of events or behaviors

Incident Response Teams and Security Administrators rely on Offenses to determine what they need to remediate or investigate.

QRadar SIEM: Product Tour - the Intelligence of Offense Management

There is a dashboard widget for the Top Offenses

Offense tab shows offenses currently open, with drill down to details

QRadar SIEM: Product Tour of Intelligent Offense Scoring

QRadar judges “magnitude” of offenses:

• Credibility: A false positive or true positive?
• Severity: Alarm level contrasted with target vulnerability
• Relevance: Priority according to asset or network value

Priorities can change over time based on situational awareness

QRadar SIEM: Product Tour of Offense Tab

QRadar SIEM: Offense triggers as a result of Zscaler events

[Screenshot of an offense triggered by Zscaler events, annotated with the questions the offense summary answers: What was the breach? Who was responsible? Was it successful? Where do I find them? How many targets involved? Are any of them vulnerable? How valuable are the targets to the business?]

[Screenshot of the offense detail view, annotated: Where is all the evidence?]

QRadar SIEM: Use Cases

QRadar SIEM excels at the most challenging use cases:

• Complex threat detection
• Malicious activity identification
• User activity monitoring
• Compliance monitoring
• Fraud detection and data loss prevention

QRadar SIEM & Zscaler Use Cases

1. Potential botnet activity detected

QRadar running at an international financial services organization receives 3 Zscaler NSS events indicating possible botnet command and control traffic, which generates an offense. The magnitude of the offense is increased to 10 when QRadar flow traffic confirms that multiple clients have regularly connected to the same set of external IP addresses over a period of 2 days.

2. Phishing threat detected

Zscaler NSS sends 3 events to QRadar warning that a website containing potential phishing content has been contacted by 3 executives. QRadar generates a high magnitude offense when these events are correlated with X-Force data that identifies that site as a phishing site. The SOC analyst changes the corporate Zscaler policy to block that phishing site in the future.

QRadar SIEM & Zscaler Use Cases

3. Social network site allowed for privileged mobile users

The severity of an event cautioning the use of a social network site is lowered when QRadar compares the user who generated the event with a reference set of mobile users who are permitted to use the site. A false positive is avoided.
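The three use cases above, and the magnitude scoring they rely on, as one added example: a simplified correlation model in Python that is not QRadar's rules engine or Zscaler's NSS format. The event fields, category names, base magnitudes, the three-event threshold and all sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data. Field layout, category names and thresholds are
# assumptions for this illustration, not Zscaler's NSS schema or QRadar rules.
NSS_EVENTS = [  # (time, user, destination, Zscaler category)
    ("2014-02-03T09:00", "alice", "203.0.113.7", "Botnet C&C"),
    ("2014-02-03T09:05", "bob", "203.0.113.7", "Botnet C&C"),
    ("2014-02-03T09:10", "carol", "203.0.113.7", "Botnet C&C"),
    ("2014-02-03T10:00", "cfo", "198.51.100.9", "Phishing"),
    ("2014-02-03T10:02", "ceo", "198.51.100.9", "Phishing"),
    ("2014-02-03T10:05", "cio", "198.51.100.9", "Phishing"),
    ("2014-02-03T11:00", "erin", "192.0.2.20", "Social Networking"),
    ("2014-02-03T11:30", "erin", "192.0.2.20", "Social Networking"),
    ("2014-02-03T12:00", "erin", "192.0.2.20", "Social Networking"),
]
FLOWS = [  # (time, internal client, destination): three clients over two days
    ("2014-02-01T08:00:00", "10.0.0.5", "203.0.113.7"),
    ("2014-02-02T08:00:00", "10.0.0.6", "203.0.113.7"),
    ("2014-02-03T08:00:00", "10.0.0.7", "203.0.113.7"),
]
XFORCE_PHISHING = {"198.51.100.9"}  # stands in for the X-Force feed
MOBILE_USERS_ALLOWED = {"erin"}     # the reference set of use case 3
MIN_EVENTS = 3                      # assumed rule threshold


def build_offenses(events, flows, phishing_feed, mobile_ref_set):
    """Return {(category, destination): magnitude} for groups that become offenses."""
    groups = defaultdict(list)
    for when, user, dst, category in events:
        groups[(category, dst)].append(user)
    offenses = {}
    for (category, dst), users in groups.items():
        # Use case 3: users in the reference set are permitted, so no offense.
        if category == "Social Networking" and set(users) <= mobile_ref_set:
            continue
        if len(users) < MIN_EVENTS:
            continue
        magnitude = 5  # assumed base magnitude for an uncorroborated offense
        if category == "Botnet C&C":
            # Use case 1: several clients reaching the same destination over
            # at least two days of flow data raises the magnitude to 10.
            hits = [(datetime.fromisoformat(t), c) for t, c, d in flows if d == dst]
            if hits:
                span = max(t for t, _ in hits) - min(t for t, _ in hits)
                if len({c for _, c in hits}) > 1 and span.days >= 2:
                    magnitude = 10
        elif category == "Phishing" and dst in phishing_feed:
            magnitude = 8  # use case 2: threat intelligence corroborates the events
        offenses[(category, dst)] = magnitude
    return offenses
```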

QRadar SIEM: Intelligent, Integrated and Automated

QRadar SIEM delivers full visibility and actionable insight for Total Security Intelligence.

1. Intelligence delivered through Offense Management and identification of critical anomalies
2. Integrated with hundreds of data sources, such as Zscaler Nanolog Streaming Service
3. Automated via thousands of rules and reports out of the box, delivering rapid time to value and operational efficiency