IBM Security QRadar SIEM

Transcription

1 IBM Security QRadar SIEM Boost threat protection and compiance with an integrated investigative reporting system Highights Integrate og management and network threat protection technoogies within a common database and shared dashboard user interface Reduce thousands of security events into a manageabe ist of suspected offenses Detect and track maicious activity over extended time periods, heping to uncover advanced threats often missed by other security soutions Detect insider fraud with advanced capabiities Hep exceed reguation mandates and support compiance Today s networks are arger and more compex than ever before, and protecting them against maicious activity is a never-ending task. Organizations seeking to safeguard their inteectua property, protect their customer identities and avoid business disruptions need to do more than monitor ogs and network fow data; they need to everage advanced toos to detect these activities in a consumabe manner. IBM Security QRadar SIEM can serve as the anchor soution within a sma or arge organization s security operations center to coect, normaize and correate avaiabe network data using years worth of contextua insights. The resut is something caed security inteigence. At the heart of this product sits a highy scaabe database designed to capture rea-time og event and network fow data, reveaing the footprints of woud-be attackers. QRadar SIEM is an enterprise soution that consoidates og source event data from thousands of devices distributed across a network, storing every activity in its raw form, and then performing immediate correation activities to distinguish the rea threats from fase positives. It aso captures rea-time Layer 4 network fow data and, more uniquey, Layer 7 appication payoads, using deep packet inspection technoogy. An intuitive user interface shared across a QRadar famiy components heps IT personne quicky identify and remediate network attacks by rank, ordering hundreds of aerts and patterns of anomaous activity into a drasticay reduced number of offenses warranting further investigation.

2 Providing rea-time visibiity for threat detection and prioritization QRadar SIEM provides contextua and actionabe surveiance across the entire IT infrastructure, heping organizations detect and remediate threats often missed by other security soutions. These threats can incude inappropriate use of appications; insider fraud; and advanced, ow and sow threats easiy ost in the noise of miions of events. QRadar SIEM coects information that incudes: Security events: Events from firewas, virtua private networks, intrusion detection systems, intrusion prevention systems and more Network events: Events from switches, routers, servers, hosts and more Network activity context: Layer 7 appication context from network and appication traffic User or asset context: Contextua data from identity and access-management products and vunerabiity scanners Operating system information: Vendor name and version number specifics for network assets Appication ogs: Enterprise resource panning (ERP), workfow, appication databases, management patforms and more Reducing and prioritizing aerts to focus investigations into actionabe offenses Many organizations create miions or even biions of events per day, and distiing that data down to a short ist of priority offenses can be daunting. QRadar SIEM automaticay discovers most network og source devices and inspects network fow data to find and cassify vaid hosts and servers (assets) on the network tracking the appications, protocos, services and ports they use. It coects, stores and anayzes this data and performs rea-time event correation for use in threat detection and compiance reporting and auditing. Biions of events and fows can therefore be reduced and prioritized into a handfu of actionabe offenses, according to their business impact. As a resut, security professionas normay begin to see vaue from a QRadar SIEM instaation in days rather than weeks, and depoyments occur without a sma army of expensive consutants. Automatic discovery features and out-of-the-box tempates and fiters mean you don t spend months teaching the system about your environment as with more generaized IT operationa toos. The architecture empoys mutipe modes of event processor appiances, event coector appiances, fow processor appiances and a centra consoe, a avaiabe as hardware-based, software-ony or as virtua software appiances. Smaer instaations can start with a singe a-in-one soution and easiy be upgraded to consoe depoyments, adding event and fow processor appiances as needed. 2

3 Se c u rity d evic e s Servers a n d m a in fra m es Netw ork a n d virtu a a c tivity Da ta a c tivity Ap p ic a tion a c tivity Con fig u ra tion in form a tion Vu n era b iities a n d th re a ts Users a n d id entities Correation # Logs/events # Fows # reputation # Activity baseining and anomay detection # y # Data y # A y # Networ y Offense identi cation # Credibiity # Severity # Reevance Tru e offen se Su sp e c te d in c id ents Ex ten sive d a ta s ou rc es De ep in teig en c e Exc ep tion a y a c c u ra te a n d a c tion a b e in sight QRadar SIEM captures data across a broad range of feeds, reducing it to a manageabe ist of offenses using pre-existing and customer-defined rues. Answering key questions for more effective threat management Security teams need to answer key questions to fuy understand the nature of their potentia threats: Who is attacking? What is being attacked? What is the business impact? Where do I investigate? QRadar SIEM tracks significant incidents and threats, buiding a history of supporting data and reevant information. Detais such as attack targets, point in time, asset vaue, vunerabiity state, offending users identities, attacker profies, active threats and records of previous offenses a hep provide security teams with the inteigence they need to act. Rea-time, ocation-based and historica searching of event and fow data for anaysis and forensics can greaty improve an organization s abiity to assess activities and resove incidents. With easy-to-use dashboards, time-series views, dri-down searching, packet-eve content visibiity and hundreds of predefined searches, users can quicky aggregate data to summarize and identify anomaies and top activity contributors. They can aso perform federated searches across arge, geographicay distributed environments. Gaining appication visibiity and anomay detection QRadar SIEM supports a variety of anomay detection capabiities to identify changes in behavior affecting appications, hosts, servers and areas of the network. For exampe, QRadar SIEM can detect off-hours or excessive usage of an appication or coud-based service, or network activity patterns that are inconsistent with historica, moving-average profies and seasona usage patterns. QRadar SIEM earns to recognize these daiy and weeky usage profies, heping IT personne to quicky identify meaningfu deviations. 3

4 The QRadar SIEM centraized database stores og source events and network fow traffic together, heping to correate discrete events with bidirectiona network fow activity emanating from the same IP source. It aso can group network fow traffic and record operations occurring within a narrow time period as a singe database entry to hep reduce storage consumption and conserve icense requirements. reated to a suspected offense. Furthermore, hundreds of tempates reevant to specific roes, devices, compiance reguations and vertica industries are avaiabe to speed report generation. Its abiity to detect appication traffic at Layer 7 enabes QRadar SIEM to provide accurate anaysis and insight into an organization s network for poicy, threat and genera network activity monitoring. With the addition of an IBM Security QRadar QFow or VFow Coector appiance, QRadar SIEM can monitor the use of appications such as ERP, databases, Skype, voice over IP (VoIP) and socia media from within the network. This incudes insight into who is using what, anaysis and aerts for content transmission, and correation with other network and og activity to revea inappropriate data transfers and excessive usage patterns. Whie QRadar SIEM ships with numerous anomay and behaviora detection rues, security teams can aso create their own through a fitering capabiity that enabes them to appy anomay detection against time-series data. Commanding a highy intuitive, one-consoe security soution QRadar SIEM provides a soid foundation for an organization s security operations center by providing a centraized user interface that offers roe-based access by function and a goba view to access rea-time anaysis, incident management and reporting. Five defaut dashboards are avaiabe incuding security, network activity, appication activity, system monitoring and compiance pus users can create and customize their own workspaces. How many targets invoved? What was the attack? Who was responsibe? When did a of this occur? Where do I nd them? Was it successfu? How vauabe are the targets? QRadar SIEM offers a weath of forensic detai behind every suspected offense and an abiity to tune existing rues or add new ones to reduce fase positives. Extending threat protection to virtua environments Since virtua servers are just as susceptibe to security vunera- as physica servers, comprehensive security inteigence biities soutions must aso incude appropriate measures to protect the appications and data residing within the virtua data center. Using QRadar VFow Coector appiances, IT professionas gain increased visibiity into the vast amount of business These dashboards make it easy to spot spikes in aert activity that may signa the beginnings of an attack. Cicking on a graph aunches a dri-down capabiity that enabes security teams to quicky investigate the highighted events or network fows 4

5 appication activity within their virtua networks and can better identify these appications for security monitoring, appication ayer behavior anaysis and anomay detection. Operators can aso capture appication content for deeper security and poicy forensics. Producing detaied data access and user activity reports to manage compiance QRadar SIEM provides the transparency, accountabiity and measurabiity critica to an organization s success in meeting reguatory mandates and reporting on compiance. The soution s abiity to correate and integrate surveiance feeds yieds more compete metrics reporting on IT risks for auditors, as we as hundreds of reports and rues tempates to address industry compiance requirements. Organizations can efficienty respond to compiance-driven IT security requirements with the extensibiity of QRadar SIEM to incude new definitions, reguations and best practices through automatic updates. In addition, profies of a network assets can be grouped by business function for exampe, servers that are subject to Heath Insurance Portabiity and Accountabiity Act (HIPAA) compiance audits. The soution s pre-buit dashboards, reports and rues tempates are designed for the foowing reguations and contro frameworks: CobiT, SOX, GLBA, NERC/FERC, FISMA, PCI DSS, HIPAA, UK GSi/GCSx, GPG and more. Adding high-avaiabiity and disaster-recovery capabiities To achieve high-avaiabiity and disaster-recovery capabiities, identica secondary systems can be paired with a members of the QRadar appiance famiy. From event processor appiances, to fow processor appiances, to a-in-one and consoe SIEM appiances, users can add robustness and protection where and when it is needed heping to ensure continuous operations. For organizations seeking business resiiency, QRadar highavaiabiity soutions deiver integrated automatic faiover and fu-disk synchronization between systems. These soutions are easiy depoyed through architecturay eegant pug-and-pay appiances, and there is no need for additiona third-party faut management products. For organizations seeking data protection and recovery, QRadar disaster-recovery soutions forward ive data (e.g., fows and events) from a primary QRadar system to a secondary parae system ocated at a separate faciity. Profiing for vunerabiities IBM Security QRadar Risk Manager compements QRadar SIEM by identifying a network s most vunerabe assets. It can immediatey generate aerts when these systems engage in activity that potentiay exposes them. For exampe, organizations can scan their networks for unpatched appications, devices and systems, determine which ones connect to the Internet and prioritize remediation based on the risk profie of each appication. For more information pease see the QRadar Risk Manager data sheet. Receiving comprehensive device support to capture network events and fows With support for more than 450 products from virtuay every eading vendor depoyed in enterprise networks, QRadar SIEM provides coection, anaysis and correation across a broad spectrum of systems, incuding networked soutions, security soutions, servers, hosts, operating systems and appications. In addition, QRadar SIEM is easiy extended to support proprietary appications and new systems from IBM and many other vendors. Why IBM? IBM operates the word s broadest security research, deveopment and deivery organization. IBM soutions empower organizations to reduce their security vunerabiities and focus more on the success of their strategic initiatives. 5

6 For more information To earn more about how IBM Security QRadar SIEM can sove your organization s threat management and compiance chaenges, contact your IBM representative or IBM Business Partner, or visit: ibm.com/security. About IBM Security soutions IBM Security offers one of the most advanced and integrated portfoios of enterprise security products and services. The portfoio, supported by word-renowned IBM X-Force research and deveopment, provides security inteigence to hep organizations hoisticay protect their peope, infrastructures, data and appications, offering soutions for identity and access management, database security, appication deveopment, risk management, endpoint management, network security and more. These soutions enabe organizations to effectivey manage risk and impement integrated security for mobie, coud, socia media and other enterprise business architectures. IBM operates one of the word s broadest security research, deveopment and deivery organizations, monitors 13 biion security events per day in more than 130 countries, and hods more than 3,000 security patents. Additionay, IBM Goba Financing can hep you acquire the software capabiities that your business needs in the most cost-effective and strategic way possibe. We partner with credit-quaified cients to customize a financing soution to suit your business and deveopment goas, enabe effective cash management, and improve your tota cost of ownership. Fund your critica IT investment and prope your business forward with IBM Goba Financing. For more information, visit: ibm.com/financing Copyright IBM Corporation 2013 IBM Corporation Software Group Route 100 Somers, NY Produced in the United States of America January 2013 IBM, the IBM ogo, ibm.com, QRadar, and X-Force are trademarks of Internationa Business Machines Corp., registered in many jurisdictions wordwide. Other product and service names might be trademarks of IBM or other companies. A current ist of IBM trademarks is avaiabe on the web at Copyright and trademark information at ibm.com/ega/copytrade.shtm This document is current as of the initia date of pubication and may be changed by IBM at any time. Not a offerings are avaiabe in every country in which IBM operates. THE INFORMATION IN THIS DOCUMENT IS PROVIDED AS IS WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided. The cient is responsibe for ensuring compiance with aws and reguations appicabe to it. IBM does not provide ega advice or represent or warrant that its services or products wi ensure that the cient is in compiance with any aw or reguation. IT system security invoves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can resut in information being atered, destroyed or misappropriated or can resut in damage to or misuse of your systems, incuding to attack others. No IT system or product shoud be considered competey secure and no singe product or security measure can be competey effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which wi necessariy invove additiona operationa procedures, and may require other systems, products or services to be most effective. IBM does not warrant that systems and products are immune from the maicious or iega conduct of any party. Pease Recyce WGD03021-USEN-00