IBM Security
Security Intelligence

What is Security Intelligence?

Security Intelligence, noun:
1. The real-time collection, normalization and analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise.

Security Intelligence provides actionable and comprehensive insight for managing risks and threats, from protection and detection through remediation.
Market Changes: Security Intelligence & Business Intelligence offer insightful parallels

(Chart: two product timelines, IBM Security Intelligence on one track and IBM Business Intelligence on the other, plotted against Time.)
IBM Security Intelligence track: DASCOM; Mainframe and Server Security (RACF); Identity and Access Management; Application Security; SOA Security; Database Monitoring; Compliance Management; Network Intrusion Prevention; Managed Security Services; Security as a Service; Security Intelligence.
IBM Business Intelligence track: Enterprise Reporting; Business Intelligence Suite; Performance Management Platform; Predictive Analytics; Text & Social Media Analytics; Decision Management; Simplified Delivery (i.e., Cloud); BI Convergence with Collaboration; BI Convergence with Security; IOD Business Optimization.
Security Intelligence & the Why: More Context

"Organizations are failing at early breach detection, with more than 85% of breaches undetected by the breached organization.* (...) It is the combination of real-time security monitoring, context (threat, vulnerability, user, asset, data and application) and 'smart eyeballs' on daily activity reports that will improve your chances of early breach detection beyond the current 15% success rate."
Source: Gartner, Using SIEM for Targeted Attack Detection (March 2012)
* 2011 Data Breach Investigations Report, Verizon Business Systems.
IBM Security Intelligence: Solutions for the full Security Intelligence timeline

Prediction & Prevention (What are the external and internal threats? Are we configured to protect against these threats?)
- Risk Management
- Vulnerability Management
- Configuration and Patch Management
- X-Force Research and Threat Intelligence
- Compliance Management
- Reporting and Scorecards

Reaction & Remediation (What is happening right now? What was the impact?)
- Network and Host Intrusion Prevention
- Network Anomaly Detection
- Packet Forensics
- Database Activity Monitoring
- Data Leak Prevention
- Security Information and Event Management
- Log Management
- Incident Response
IBM QRadar Platform: Built upon a common foundation, QRadar SIOS

Security Intelligence Solutions: QRadar Log; QRadar SIEM; QRadar Risk; QRadar QFlow and VFlow; QRadar Vulnerability
Security Intelligence Operating System (SIOS): Reporting Engine; Workflow; Rules Engine; Real-Time Viewer; Warehouse; Analytics Engine; Normalization; Archival
IBM QRadar Platform: And continually adding context for increased accuracy

Security Intelligence Feeds: Geo Location; Internet Threats; Vulnerabilities
IBM QRadar Platform: Deployed upon a scalable appliance architecture

Scale: Event Processors; Network Activity Processors; High Availability & Disaster Recovery; Stackable Expansion

Log Management
- Turn-key log management and reporting
- SME to Enterprise
- Upgradeable to enterprise SIEM

SIEM
- Log, flow, vulnerability & identity correlation
- Sophisticated asset profiling
- Offense management and workflow

Configuration & Vulnerability Management
- Network security configuration monitoring
- Vulnerability scanning & prioritization
- Predictive threat modeling & simulation

Network Activity & Anomaly Detection
- Network analytics
- Behavioral anomaly detection
- Fully integrated in SIEM

Network and Application Visibility
- Layer 7 application monitoring
- Content capture for deep insight & forensics
- Physical and virtual environments
IBM QRadar Platform: Using a fully integrated architecture and interface

One Console Security, Built on a Single Data Architecture. The same five capability areas as on the previous slide (Log Management; SIEM; Configuration & Vulnerability Management; Network Activity & Anomaly Detection; Network and Application Visibility) are delivered through one console and one data architecture.
IBM QRadar Platform: Differentiated by network flow analytics

Network traffic doesn't lie. Attackers can stop logging and erase their tracks, but can't cut off the network (flow data).
- Deep packet inspection for Layer 7 flow data
- Pivoting, drill-down and data mining on flow sources for advanced detection and forensics
- Helps detect anomalies that might otherwise get missed
- Enables visibility into attacker communications
IBM QRadar Security Intelligence: Continued journey towards Total Security Intelligence
IBM QRadar SIEM
QRadar SIEM: Command console for Security Intelligence
- Provides full visibility and actionable insight to protect against advanced threats
- Adds network flow capture and analysis for deep application insight
- Employs sophisticated correlation of events, flows, assets, topologies, vulnerabilities and external data to identify and prioritize threats
- Contains workflow management to fully track threats and ensure resolution
- Uses scalable hardware, software and virtual appliance architecture to support the largest deployments
QRadar SIEM: Flows provide context for true network intelligence
- Helps detect zero-day attacks that have no signature
- Enables policy monitoring and rogue server identification
- Provides visibility into all attacker communications
- Uses passive monitoring to build asset profiles and classify hosts
- Improves network visibility and helps resolve traffic problems
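The two flow-related claims above (a host can stop logging but cannot stop producing flows, and passive flow monitoring builds asset profiles that expose unusual behaviour) can be turned into two concrete checks. The script below is an added illustration written for this page, not QRadar code or an IBM rule; the hosts, timestamps and flow records are constructed, and the 15-minute silence threshold and the profile cutoff are assumptions a real deployment would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from any real deployment).
# Log events: (timestamp, host that produced the log line).
LOG_EVENTS = [
    ("2013-05-01T10:00:00", "10.1.1.5"),
    ("2013-05-01T10:05:00", "10.1.1.5"),
    ("2013-05-01T10:10:00", "10.1.1.5"),   # last log ever seen from 10.1.1.5
    ("2013-05-01T10:00:00", "10.1.1.7"),
    ("2013-05-01T10:40:00", "10.1.1.7"),
]
# Flow records: (timestamp, source, destination, destination port, bytes sent).
FLOWS = [
    ("2013-05-01T10:00:30", "10.1.1.5", "10.1.2.9",     443,  12000),
    ("2013-05-01T10:30:00", "10.1.1.5", "203.0.113.10", 443, 520000),
    ("2013-05-01T10:45:00", "10.1.1.5", "203.0.113.10", 6667,  3000),
    ("2013-05-01T10:41:00", "10.1.1.7", "10.1.2.9",     443,   8000),
]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def silent_but_talking(log_events, flows, silence=timedelta(minutes=15)):
    """Flows sent by a host after its log source has been quiet longer than
    `silence`. Hosts that never logged at all are ignored: the signal is a
    source that *stopped* while the network still shows it active."""
    last_seen = {}
    for when, host in log_events:
        t = ts(when)
        if host not in last_seen or t > last_seen[host]:
            last_seen[host] = t
    suspicious = []
    for when, src, dst, port, nbytes in flows:
        last = last_seen.get(src)
        if last is not None and ts(when) > last + silence:
            suspicious.append((src, dst, port, nbytes))
    return suspicious


def passive_profile(flows, until):
    """Asset profile learned passively: destination ports each host used
    before the cutoff. No agent or scan is needed, only flow data."""
    profile = defaultdict(set)
    for when, src, dst, port, nbytes in flows:
        if ts(when) < ts(until):
            profile[src].add(port)
    return profile


def unexpected_services(flows, profile, after):
    """Flows after the cutoff that use a port absent from the host's profile.
    A host with no profile at all is treated as having an empty one."""
    found = []
    for when, src, dst, port, nbytes in flows:
        if ts(when) >= ts(after) and port not in profile.get(src, set()):
            found.append((src, dst, port))
    return found


def offenses(log_events, flows, cutoff):
    """Combine both checks into one per-host list of reasons, the way a SIEM
    folds many matching records into a single offense per source."""
    reasons = defaultdict(list)
    for src, dst, port, nbytes in silent_but_talking(log_events, flows):
        reasons[src].append(
            f"still sending to {dst}:{port} ({nbytes} bytes) after its log source went silent")
    prof = passive_profile(flows, cutoff)
    for src, dst, port in unexpected_services(flows, prof, cutoff):
        reasons[src].append(f"never-before-seen destination port {port} to {dst}")
    return dict(reasons)


if __name__ == "__main__":
    for host, why in offenses(LOG_EVENTS, FLOWS, "2013-05-01T10:15:00").items():
        print(host)
        for line in why:
            print("  -", line)
```

In the constructed data, 10.1.1.5 stops logging at 10:10 yet keeps sending large flows to an external address and opens a port it never used before, so it accumulates three reasons; 10.1.1.7 is still logging and is flagged only because it had no profile at the cutoff, which is the kind of low-severity entry an analyst would tune out by lengthening the learning period.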
IBM QRadar Risk
QRadar Risk: Visualize network, configurations and risks
- Depicts network topology views and helps visualize current and alternative network traffic patterns
- Identifies active attack paths and assets at risk of exploit
- Collects network device configuration data to assess vulnerabilities and facilitate analysis and reporting
- Discovers firewall configuration errors and improves performance by eliminating ineffective rules
- Analyzes policy compliance for network traffic, topology and vulnerability exposures
QRadar Risk: Investigating an offense's attack path
- Clicking the attack path button for an offense performs a search showing the precise path (and all permutations) between the involved source and destination IPs
- Firewall rules enabling the attack path can then be quickly analyzed to understand the exposure
- Allows a virtual patch to be applied by quickly showing which firewall rules may be changed to immediately shut down the attack path, before patching or other configuration changes can typically be implemented
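The attack-path search described above is a reachability query over the network topology and the firewalls' first-match rule lists: which networks can the offense's source reach on the way to the destination, and which rule on each firewall is the one that lets the traffic through. The script below is an added, self-contained illustration written for this page, not QRadar Risk's own algorithm; the networks, firewalls and rules are constructed, and the routing simplification noted in the comments is an assumption.

```python
import ipaddress

# Constructed topology (not a real network): named networks, and firewalls
# that join networks and evaluate an ordered, first-match rule list.
NETWORKS = {
    "internet": "0.0.0.0/0",
    "dmz":      "192.0.2.0/24",
    "corp":     "10.1.0.0/16",
    "db":       "10.2.0.0/24",
}
# rule = (id, action, source network or "any", destination network or "any", port or "any")
FIREWALLS = {
    "edge": {
        "interfaces": {"internet", "dmz"},
        "rules": [
            ("r1", "permit", "any", "dmz", 443),
            ("r2", "permit", "any", "dmz", 8080),   # legacy admin port left reachable
            ("r3", "deny",   "any", "any", "any"),
        ],
    },
    "core": {
        "interfaces": {"dmz", "corp", "db"},
        "rules": [
            ("c1", "permit", "dmz",  "db",  1433),
            ("c2", "permit", "corp", "db",  1433),
            ("c3", "permit", "corp", "dmz", 443),
        ],   # no final rule: implicit deny
    },
}


def in_net(name, ip):
    return name == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(NETWORKS[name])


def locate(ip):
    """Most specific named network containing ip (192.0.2.10 is 'dmz', not 'internet')."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, cidr in NETWORKS.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None


def first_match(fw, src_ip, dst_ip, port):
    """First rule matching the 5-tuple, or None for the implicit deny."""
    for rule in fw["rules"]:
        _, _, rsrc, rdst, rport = rule
        if in_net(rsrc, src_ip) and in_net(rdst, dst_ip) and rport in ("any", port):
            return rule
    return None


def attack_paths(src_ip, dst_ip, port):
    """All loop-free paths from src to dst on port. Each hop records the
    network left, the firewall crossed, the permitting rule, and the network entered."""
    start, goal = locate(src_ip), locate(dst_ip)
    found = []

    def walk(net, visited, hops):
        if net == goal:
            found.append(hops)
            return
        for fname, fw in FIREWALLS.items():
            if net not in fw["interfaces"]:
                continue
            rule = first_match(fw, src_ip, dst_ip, port)
            if rule is None or rule[1] != "permit":
                continue
            # Assumed simplification: a firewall forwards straight to the goal
            # network when it has an interface there, otherwise to any other interface.
            nxt_nets = [goal] if goal in fw["interfaces"] else [n for n in fw["interfaces"] if n != net]
            for nxt in nxt_nets:
                if nxt not in visited:
                    walk(nxt, visited | {nxt}, hops + [(net, fname, rule[0], nxt)])

    walk(start, {start}, [])
    return found


def enabling_rules(src_ip, dst_ip, port):
    """(firewall, rule id) pairs to review for a 'virtual patch': tightening
    every one of them closes every path found."""
    return sorted({(h[1], h[2]) for p in attack_paths(src_ip, dst_ip, port) for h in p})


if __name__ == "__main__":
    print(attack_paths("203.0.113.5", "192.0.2.10", 8080))   # reaches the DMZ host via edge r2
    print(attack_paths("203.0.113.5", "10.2.0.5", 1433))     # no path: edge drops it
    print(attack_paths("192.0.2.10", "10.2.0.5", 1433))      # DMZ host reaches db via core c1
    print(enabling_rules("203.0.113.5", "192.0.2.10", 8080))
```

The third query is the one that matters once an offense names the DMZ host: it shows that the same host is allowed through to the database tier, and `enabling_rules` names the exact rule (core c1) to tighten as an interim control while the host is patched.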
IBM QRadar Vulnerability
QRadar Vulnerability: Strengthened by integrated vulnerability insights

With existing vulnerability management tools, questions remain: Has that been patched? Has it been exploited? Is it likely to be exploited? Does my firewall block it? Does my IPS block it? Does it matter?

Security Intelligence integration with QRadar Vulnerability:
- Improves visibility: intelligent, event-driven scanning, asset discovery, asset profiling and more
- Reduces data load: bringing rich context to Vulnerability Management
- Breaks down silos: leveraging all QRadar integrations and data; unified vulnerability view across all products

Answers delivered: real-time scanning; early warning capabilities; advanced pivoting and filtering
QRadar Vulnerability: QVM enables customers to interpret a sea of vulnerabilities

(Diagram: a field of CVEs sorted into buckets labelled Inactive, Blocked, Patched, Critical, At Risk! and Exploited!)
- Inactive: QFlow Collector data helps QRadar Vulnerability sense application activity
- Patched: IBM Endpoint helps QVM understand which vulnerabilities will be patched
- Critical: Vulnerability knowledge base, remediation flow and QRM policies inform QVM about business-critical vulnerabilities
- At Risk: X-Force Threat and SIEM security incident data, coupled with QFlow network traffic visibility, help QVM see assets communicating with potential threats
- Blocked: QRadar Risk helps QVM understand which vulnerabilities are blocked by firewalls and IPSs
- Exploited: SIEM correlation and IPS data help QVM reveal which vulnerabilities have been exploited
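The bucketing on this slide is, at its core, a precedence rule applied to each finding using several context sources (flow activity, patch schedule, firewall/IPS policy, business criticality, threat communication, exploitation evidence). The script below is an added illustration written for this page, not QVM's scoring logic; the inventory, the context sets and the CVE identifiers (deliberately of the form CVE-0000-000N) are constructed placeholders, and the bucket precedence is an assumption chosen to put what is already being exploited first and what cannot currently be reached last.

```python
from collections import Counter

# Constructed inventory: one row per (asset, finding). Placeholder CVE ids.
VULNS = [
    {"asset": "web01", "cve": "CVE-0000-0001", "port": 8080},
    {"asset": "web01", "cve": "CVE-0000-0002", "port": 443},
    {"asset": "db01",  "cve": "CVE-0000-0003", "port": 1433},
    {"asset": "hr02",  "cve": "CVE-0000-0004", "port": 445},
    {"asset": "hr02",  "cve": "CVE-0000-0005", "port": 3389},
    {"asset": "lab07", "cve": "CVE-0000-0006", "port": 21},
]

# Constructed context, one source per bucket on the slide.
CONTEXT = {
    # ports per asset actually seen carrying traffic in flow data (flow collector's role)
    "active_ports": {"web01": {443, 8080}, "db01": {1433}, "hr02": {445}, "lab07": set()},
    # (asset, cve) pairs with a patch already scheduled (endpoint manager's role)
    "patch_scheduled": {("web01", "CVE-0000-0002")},
    # (asset, cve) pairs whose port is unreachable from untrusted zones (firewall/IPS policy)
    "blocked": {("db01", "CVE-0000-0003")},
    # assets tagged business critical by policy
    "critical_assets": {"db01", "hr02"},
    # assets observed talking to bad-reputation addresses (threat feed + flows)
    "talking_to_threats": {"hr02"},
    # (asset, cve) pairs with a matching IPS hit or SIEM offense
    "exploited": {("web01", "CVE-0000-0001")},
}

# Buckets, worst first. classify() returns the first one whose test holds.
ORDER = ["Exploited", "At Risk", "Critical", "Patched", "Blocked", "Inactive", "Open"]


def classify(v, ctx):
    key = (v["asset"], v["cve"])
    if key in ctx["exploited"]:
        return "Exploited"                       # evidence beats every other signal
    if v["port"] not in ctx["active_ports"].get(v["asset"], set()):
        return "Inactive"                        # nothing listens there; noise until it does
    if key in ctx["blocked"]:
        return "Blocked"                         # reachable only from trusted zones
    if v["asset"] in ctx["talking_to_threats"]:
        return "At Risk"                         # live contact with a threat source
    if v["asset"] in ctx["critical_assets"]:
        return "Critical"                        # business impact if it goes wrong
    if key in ctx["patch_scheduled"]:
        return "Patched"                         # already in the remediation flow
    return "Open"


def triage(vulns, ctx):
    """Worklist sorted worst-first, plus a count per bucket for the dashboard."""
    rows = [(classify(v, ctx), v["asset"], v["cve"]) for v in vulns]
    rows.sort(key=lambda r: (ORDER.index(r[0]), r[1], r[2]))
    return rows, Counter(r[0] for r in rows)


if __name__ == "__main__":
    rows, counts = triage(VULNS, CONTEXT)
    for bucket, asset, cve in rows:
        print(f"{bucket:10} {asset:6} {cve}")
    print(dict(counts))
```

Of six findings, only one needs immediate action (the exploited one on web01) and one more is urgent because the host is already in contact with a known threat source; the two on ports that carry no traffic drop to the bottom without being deleted, so they resurface automatically if flow data later shows the service in use.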
IBM QRadar Security Intelligence
QRadar Security Intelligence easily grows with your needs

Implement QRadar Vulnerability
- Extends pre-exploit analysis; adds integrated vulnerability insights
- Reduces the magnitude of pre-exploit conditions as QRadar SIEM does for post-exploit conditions
- Helps identify and measure exposures to external threats

Add QRadar Risk
- Enables pre-exploit configuration investigations
- Simplifies security policy reviews for compliance tests
- Provides network topology depictions and permits attack simulations

Upgrade QRadar Log to QRadar SIEM
- Additional security telemetry data
- Rules-based correlation analysis engine
- Data overload reduction "magic": compressing millions or even billions of daily raw events into a manageable list of issues

Inject IBM X-Force Threat Research Intelligence
- Provides an intelligence feed to QRadar
- Includes vulnerabilities, IP reputations, malware reports
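The "data overload reduction" on the Log-to-SIEM step is what a rules-based correlation engine does: it counts raw events against a rule over a time window, opens one offense per source when the threshold trips, attaches further matching events to that same offense rather than creating new ones, and lets a second rule escalate an existing offense. The script below is an added illustration of that pattern written for this page, not QRadar's rules engine; the login events, the two rules and their thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw authentication events (not real logs):
# (timestamp, source ip, user, outcome)
RAW_EVENTS = [
    ("2013-05-01T09:00:01", "198.51.100.7", "alice", "fail"),
    ("2013-05-01T09:00:02", "198.51.100.7", "bob",   "fail"),
    ("2013-05-01T09:00:03", "198.51.100.7", "carol", "fail"),
    ("2013-05-01T09:00:04", "198.51.100.7", "dave",  "fail"),
    ("2013-05-01T09:00:05", "198.51.100.7", "erin",  "fail"),
    ("2013-05-01T09:00:09", "198.51.100.7", "erin",  "success"),
    ("2013-05-01T09:03:00", "10.1.1.20",    "frank", "fail"),
    ("2013-05-01T09:03:05", "10.1.1.20",    "frank", "success"),
    ("2013-05-01T09:10:00", "203.0.113.9",  "gina",  "fail"),
    ("2013-05-01T09:10:01", "203.0.113.9",  "gina",  "fail"),
    ("2013-05-01T09:10:02", "203.0.113.9",  "gina",  "fail"),
    ("2013-05-01T09:10:03", "203.0.113.9",  "gina",  "fail"),
    ("2013-05-01T09:10:04", "203.0.113.9",  "gina",  "fail"),
    ("2013-05-01T09:10:05", "203.0.113.9",  "gina",  "fail"),
]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def correlate(events, threshold=5, window=timedelta(minutes=2), follow=timedelta(minutes=5)):
    """Two assumed rules, evaluated in event order:
    1. `threshold` failures from one source inside `window` open a
       'Brute force' offense for that source (magnitude 5).
    2. a success from that source within `follow` of the offense's last
       event escalates it to 'Brute force followed by success' (magnitude 9).
    Later failures from a source that already has an offense are attached to
    it instead of opening another one; that is the compression."""
    recent = defaultdict(list)      # source -> [(time, user)] inside the window
    offenses = {}                   # source -> offense record
    for when, src, user, outcome in events:
        t = ts(when)
        if outcome == "fail":
            q = [(x, u) for x, u in recent[src] if t - x <= window] + [(t, user)]
            recent[src] = q
            off = offenses.get(src)
            if off is not None:
                off["events"] += 1
                off["last"] = t
                off["users"].add(user)
            elif len(q) >= threshold:
                offenses[src] = {
                    "rule": "Brute force", "magnitude": 5, "events": len(q),
                    "first": q[0][0], "last": t, "users": {u for _, u in q},
                }
        else:   # success
            off = offenses.get(src)
            if off is not None and off["rule"] == "Brute force" and t - off["last"] <= follow:
                off["rule"] = "Brute force followed by success"
                off["magnitude"] = 9
                off["events"] += 1
                off["last"] = t
    return offenses


def compression(events, **kw):
    """(raw event count, offense count): the ratio the slide is talking about."""
    return len(events), len(correlate(events, **kw))


if __name__ == "__main__":
    for src, off in correlate(RAW_EVENTS).items():
        print(f"{src:14} mag {off['magnitude']} {off['rule']} "
              f"({off['events']} events, users={sorted(off['users'])})")
    print("raw events -> offenses:", compression(RAW_EVENTS))
```

Fourteen raw events become two offenses: the external source that sprayed five accounts and then logged in successfully is escalated to magnitude 9, the single-account hammering from 203.0.113.9 stays a magnitude-5 offense that keeps absorbing further failures, and frank's one typo followed by a normal login never surfaces at all.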
Some of QRadar's unique advantages
- Scalability for the largest deployments, using an embedded database and unified data architecture. Impact: QRadar supports your business needs at any scale.
- Real-time correlation and anomaly detection based on the broadest set of contextual data. Impact: more accurate threat detection, in real time.
- Intelligent automation of data collection, asset discovery, asset profiling, vulnerability scanning and more. Impact: reduced manual effort, fast time to value, lower-cost operation.
- Integrated flow analytics with Layer 7 content (application) visibility. Impact: superior situational awareness and threat identification.
- Flexibility and ease of use, enabling mere mortals to create and edit correlation rules, reports and dashboards. Impact: maximum insight, business agility and lower cost of ownership.
Time for a QRadar Demo? Time for Q&A?
THANK YOU
ibm.com/security

Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.