IBM SECURITY QRADAR INCIDENT FORENSICS

Similar documents
IBM Security Intelligence Strategy

IBM QRadar Security Intelligence April 2013

QRadar SIEM and FireEye MPS Integration

The webinar will begin shortly

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

IBM Security IBM Corporation IBM Corporation

Win the race against time to stay ahead of cybercriminals

How to Choose the Right Security Information and Event Management (SIEM) Solution

Security strategies to stay off the Børsen front page

Security Intelligence

AMPLIFYING SECURITY INTELLIGENCE

IBM QRadar Security Intelligence Platform appliances

Under the Hood of the IBM Threat Protection System

Strengthen security with intelligent identity and access management

The Current State of Cyber Security

Securing the Cloud infrastructure with IBM Dynamic Cloud Security

Addressing Security for Hybrid Cloud

IBM Security QRadar Risk Manager

IBM Security QRadar SIEM Product Overview

Security Intelligence Solutions

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE

IBM Security QRadar Risk Manager

Introducing IBM s Advanced Threat Protection Platform

IBM Security QRadar Vulnerability Manager

What is Security Intelligence?

Boosting enterprise security with integrated log management

Leverage security intelligence for retail organizations

and Security in the Era of Cloud

Q1 Labs Corporate Overview

Extending security intelligence with big data solutions

QRadar SIEM and Zscaler Nanolog Streaming Service

Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning

QRadar Security Intelligence Platform Appliances

Mobile, Cloud, Advanced Threats: A Unified Approach to Security

IBM QRadar as a Service

Let s talk about assets in QRadar

The SIEM Evaluator s Guide

IBM Security QRadar QFlow Collector appliances for security intelligence

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief

IBM Security Intrusion Prevention Solutions

Protecting against cyber threats and security breaches

IBM Security X-Force Threat Intelligence

Niara Security Intelligence. Overview. Threat Discovery and Incident Investigation Reimagined

Effectively Using Security Intelligence to Detect Threats and Exceed Compliance

Beyond passwords: Protect the mobile enterprise with smarter security solutions

IBM Security. Alle Risiken im Blick und bessere Compliance Kumulierte und intelligente Security Alerts mit QRadar Security Intelligence

Data Security: Fight Insider Threats & Protect Your Sensitive Data

El costo oculto de las aplicaciones Vulnerables. Faustino Sanchez. WW Security Sales Enablement. IBM Canada

Safeguarding the cloud with IBM Dynamic Cloud Security

Five Ways to Use Security Intelligence to Pass Your HIPAA Audit

L evoluzione del Security Operation Center tra Threat Detection e Incident Response & Management

Breaking down silos of protection: An integrated approach to managing application security

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

LOG AND EVENT MANAGEMENT FOR SECURITY AND COMPLIANCE

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

IBM InfoSphere Guardium Data Activity Monitor for Hadoop-based systems

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

Making critical connections: predictive analytics in government

QRadar SIEM 7.2 Flows Overview

Continuous Network Monitoring

QRadar Security Management Appliances

IBM Security re-defines enterprise endpoint protection against advanced malware

Unified Security, ATP and more

How To Create An Insight Analysis For Cyber Security

Extreme Networks Security Analytics G2 Vulnerability Manager

Advanced Threat Protection with Dell SecureWorks Security Services

WHITE PAPER SPLUNK SOFTWARE AS A SIEM

Gaining the upper hand in today s cyber security battle

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management

Log management & SIEM: QRadar Security Intelligence Platform

Detect & Investigate Threats. OVERVIEW

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Making Critical Connections: Predictive Analytics in Government

IBM Advanced Threat Protection Solution

LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Risk-based solutions for managing application security

The Value of QRadar QFlow and QRadar VFlow for Security Intelligence

Obtaining Enterprise Cybersituational

IBM Security Privileged Identity Manager helps prevent insider threats

whitepaper The Benefits of Integrating File Integrity Monitoring with SIEM

Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats

How To Manage Security On A Networked Computer System

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)

Security management solutions White paper. IBM Tivoli and Consul: Facilitating security audit and compliance for heterogeneous environments.

Discover & Investigate Advanced Threats. OVERVIEW

Preemptive security solutions for healthcare

Stay ahead of insiderthreats with predictive,intelligent security

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Benefits. Product Overview. There is nothing more important than our customers. DATASHEET

Next Generation Business Performance Management Solution

What s New in Security Analytics Be the Hunter.. Not the Hunted

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Transcription:

IBM SECURITY QRADAR INCIDENT FORENSICS DELIVERING CLARITY TO CYBER SECURITY INVESTIGATIONS Gyenese Péter Channel Sales Leader, CEE IBM Security Systems 12014 IBM Corporation

Harsh realities for many enterprise network CISOs Attackers spend an estimated 243 days on a victim s network before being discovered In 2012, 38% of targets were attacked again once the original incident was remediated. Has our organization been compromised? When was our security breached? How do we identify the attack? What type of attack is it? What resources and assets are at risk? How to avoid becoming a repeat victim? 2

Defending network requires appropriate solutions What are the major risks and vulnerabilities? Are we configured to protect against advanced threats? What security incidents are happening right now? What was the impact to the organization? Vulnerability Pre-Exploit Exploit Post-Exploit Remediation PREDICTION / PREVENTION PHASE Gain visibility over the organization s security posture and identity security gaps Detect deviations from the norm that indicate early warnings of APTs Prioritize vulnerabilities to optimize remediation processes and close critical exposures before exploit REACTION / REMEDIATION PHASE Automatically detect threats with prioritized workflow to quickly analyze impact Gather full situational awareness through advanced security analytics Perform forensic investigation reducing time to find root-cause; use results to drive faster remediation Security Intelligence The actionable information derived from the analysis of security-relevant data available to an organization 3

Embedded intelligence offers automated offense identification Extensive Data Sources Security devices Servers and mainframes Network and virtual activity Data activity Application activity Configuration information Vulnerabilities and threats Users and identities Global threat intelligence Automated Offense Identification Massive data reduction Automated data collection, asset discovery and profiling Automated, real-time, and integrated analytics Activity baselining and anomaly detection Out-of-the box rules and templates Embedded Intelligence Prioritized Incidents Suspected Incidents 4

Today s threats require greater clarity to detect & resolve Network Security Detect unauthorized activities targeting critical assets, uncover the motivations and develop an understanding of the full scope of the risk Insider Threat Analysis Find the perpetrator, identify collaborators, pinpoint the systems compromised and document any data losses Fraud and Abuse Uncover sophisticated schemes involving multiple seemingly disparate interactions aiming to perform fraudulent or abusive transactions Evidence Gathering Compile evidence against malicious entities breaching secure systems and deleting or stealing sensitive data 5

Customer Challenges in Employing Network Forensics Critical gaps exist in available forensics and threat mitigation offerings to recover from an incident Difficulty identifying true incidents hidden in mounds of data Dependency on specialized skills to conduct detailed investigations Disparate tools with limited intelligence inhibit productivity and efficacy in analysing incidents Security teams must reduce the time to detect and respond to threats. Confusion and wasted time aid the attacker. 6

Next generation network forensics: know what happened, fast Our Security Intelligence platform delivers powerful capabilities IT Security Operations Teams Introducing QRadar Incident Forensics: Leveraging the strengths of QRadar to optimize the process of investigating and gathering evidence on advanced attacks and data breaches Tells you exactly when an incident occurred Merges powerful forensics capability with simplicity Integrated with QRadar to discover true offenses and prioritize forensics investigations Enables search-driven data exploration to return detailed, multi-level results in seconds Full packet capture for complete session reconstruction Unified view of all flow, user, event, and forensic information Retrace activity in chronological order Delivers intelligence to guide forensics investigations Visually construct threat actor relationships Builds detailed user and application profiles across multiple IDs 7

How network forensics is done Full Packet Capture Capture packets off the network Include other, related structured and unstructured content stored within the network Retrieval & Session Reconstruction For a selected security incident, retrieve all the packets (time bounded) Re-assemble into searchable documents including full payload displayed in original form Forensics Activity Navigate to uncover knowledge of threats Switch search criteria to see hidden relationships 8

Extend clarity around incidents with in-depth forensics data Suspected Incidents Prioritized Incidents Directed Forensics Investigations Rapidly reduce time to resolution through intuitive forensic workflow Use intuition more than technical training Determine root cause and prevent recurrences Embedded Intelligence 9

How Network Forensics is Done - with QRadar Incident Forensics Extension of QRadar Built off high accuracy QRadar offense discovery 1 Security Intelligence Platform Improve efficiency of investigations 2 3 4 5 Expands Data Available for Incident Forensics Has Scalable Search Infrastructure Builds Intelligence Enables Intuitive Investigative Analysis Data-in-motion and data-at-rest Structured and unstructured data Index all the data Correlate all the data Prioritize search performance Automated identification and assembly of identities Automated distilling of suspicious content/activity Content categorization informs data exclusion Reveals linkages between entities Simple search engine interface Visual analytics Retrace activity in chronological order with reconstructed content 10

From NetFlow to QFlow to QRadar Incident Forensics Internet/ intranet Netflow: packet oriented, identifies unidirectional sequences sharing source and destination IPs, ports, and type of service packet Internet/ intranet QFlow: packet oriented, identifies bi-directional sequences aggregated into sessions, also identifies applications by capturing the beginning of a flow. Internet/ intranet Competitive solutions: session oriented, some only capture a subset of each flow and index only the metadata not the payload. Internet/ intranet QRadar Incident Forensics: session oriented, captures all packets in a flow indexing the metadata and payload to enable fast search driven data exploration 11

Changing the dynamics of network forensics activities QRadar Incident Forensics helps simplify the task, accelerate results, and ensure better results Before Performed by technically trained forensics researchers Hunt for anomalous activities within specified time frame Identify threat actor and remediate malicious conditions After Initiated using intuition with Internet search engine simplicity Follow security analytics or threat intelligence feed directives Retrace step-by-step movements for complete clarity Benefit Address skills gap for forensics analysis Win race against time finding true threats and halting data loss Determine root cause and prevent breach recurrences 12

IBM Security QRadar Incident Forensics deployment model Security Intelligence Platform QRadar Security Intelligence Console Seamlessly integrated, single UI Includes new Forensics dashboard tab Supports incident investigation workflow QRadar Packet Capture Appliances Performs Full Packet Capture Optimized appliance solution Scalable storage QRadar Incident Forensics Module Hardware, software, virtual appliance Supports standard PCAP format Retrieves PCAPs for an incident and reconstructs sessions for forensics 13

Security Intelligence architecture provides continuity with total context IBM QRadar Security Intelligence Platform Log Management NextGen SIEM Network Activity Monitoring Risk Management Vulnerability Management Network Forensics Future Northbound APIs Security Intelligence Operating System Real Time and Analyst-driven Work Flow Real Time Correlation / Automated Security Analytics Big Data Store / Warehouse / Archival Southbound APIs Real Time Structured Security Data Unstructured Operational / Security Data 14

Clarity throughout the lifecycle of a security incident Proactive formulation of best practices Use investigative clarity to develop new threat detection methods Shorten time to remediate an incident Find the source, block communications, patch vulnerabilities Enhance capacity to identify breaches Detect new attack techniques or previously compromised systems Mitigate risk of becoming repeat victim Assess full scope of impact or breach to close gaps in the security posture Detect deviations from compliance protocols Perform post-mortem analysis on underlying conditions 15

Learn more about IBM Security Intelligence and Analytics Visit the IBM Security Intelligence Website Watch the videos on the IBM Security Intelligence YouTube Channel Read new blog posts SecurityIntelligence.com Follow us on Twitter @ibmsecurity 16

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. www.ibm.com/security Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, 17 or service names may be trademarks or service marks of others.

Better clarity into network activity From session data analysis yielding basic application insights To full visualization of extended relationships and embedded content 18

Better clarity into user identities From standard asset identity information To rich visualizations of digital impressions showing extended relationships Chat Social EMAIL Web VoIP Network 19

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information