QRadar SIEM and Zscaler Nanolog Streaming Service
February 2014
QRadar SIEM: Security Intelligence Platform

QRadar SIEM provides full visibility and actionable insight to protect networks and IT assets from a wide range of advanced threats, while meeting critical compliance mandates.

Key Capabilities:
- Sophisticated correlation of events, flows, assets, topologies, vulnerabilities and external data to identify and prioritize threats
- Network flow capture and analysis for deep application insight
- Workflow management to fully track threats and ensure resolution
The Security Intelligence Life Cycle
[Diagram: IBM Security Intelligence life cycle]
Security Intelligence: Context and Correlation Drive Deep Insight

[Diagram: Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight]
- Data sources: Security Devices; Servers & Mainframes; Network & Virtual Activity; Database Activity; Application Activity; Configuration Info; Vulnerability & Threat; Users & Identities
- Event Correlation inputs: Logs, IP Reputation, Flows, Geo Location
- Activity Baselining & Anomaly Detection inputs: User Activity, Database Activity, Application Activity, Network Activity
- Offense Identification: Credibility, Severity, Relevance; Suspected Incidents are narrowed down to a True Offense
QRadar SIEM: Benefits
- Reduce the risk and severity of security breaches
- Remediate security incidents quickly and thoroughly
- Ensure regulatory and internal policy compliance
- Reduce manual effort of security intelligence operations
QRadar SIEM: Key Advantages
- Real-time activity correlation based on a wide set of contextual data
- Flow capture that delivers Layer 7 content visibility and supports deep forensic examination
- Intelligent incident analysis that reduces false positives and manual effort
- Unique combination of fast free-text search and analysis of data that has a common taxonomy
IBM/Q1 Labs in SIEM Leadership Quadrant for Fifth Straight Year
Source: Magic Quadrant for Security Information and Event Management, Gartner, 7 May 2013

Gartner Magic Quadrant for SIEM: IBM/Q1 Labs SIEM is rated #1 on Ability to Execute (the Y-axis) and beat McAfee/Nitro, RSA, LogRhythm, and Splunk on Completeness of Vision (the X-axis).
- Ability to Execute is an assessment of overall viability, product service, customer experience, market responsiveness, product track record, sales execution, operations, and marketing execution.
- Completeness of Vision is a rating of product strategy, innovation, market understanding, geographic strategy, and other factors.

What Gartner is Saying about IBM/Q1 Labs:
- QRadar is a good fit for midsize and large enterprises that need general SIEM capabilities and also for use cases that require behavior analysis and NetFlow analysis.
- Behavioral analysis is recognized by Gartner as essential in the detection of advanced threats.
- Customer feedback indicates that the technology is relatively straightforward to deploy and maintain across a wide range of deployment scales.
- A distinguishing characteristic of the technology is the collection and processing of NetFlow data, deep packet inspection (DPI) and behavior analysis for all supported event sources.
QRadar SIEM: Product Tour of Integrated Console
- Single browser-based UI
- Role-based access to information & functions
- Customizable dashboards (work spaces) per user
- Real-time & historical visibility and reporting
- Advanced data mining and drill down
- Easy to use rules engine with out-of-the-box security intelligence
QRadar & Zscaler Nanolog Streaming Service
[Screenshot: Zscaler NSS events coming in to QRadar]

QRadar & Zscaler Nanolog Streaming Service
[Screenshot: live streaming of Zscaler NSS events]
QRadar SIEM: Product Tour - the Intelligence of Offense Management

QRadar SIEM reduces millions of events and flow records to the top few threats and incidents, called Offenses:
- Through correlation with contextual data (events, flows, vulnerabilities, threat intelligence feeds)
- The rules engine creates an offense as a response to a sequence of events, behavior,
Incident Response Teams and Security Administrators rely on Offenses to determine what they need to remediate or investigate.
QRadar SIEM: Product Tour - the Intelligence of Offense Management
- There is a dashboard widget for the Top Offenses
- The Offense tab shows offenses currently open, with drill down to details
QRadar SIEM: Product Tour of Intelligent Offense Scoring

QRadar judges the magnitude of offenses by:
- Credibility: a false positive or a true positive?
- Severity: alarm level contrasted with target vulnerability
- Relevance: priority according to asset or network value
Priorities can change over time based on situational awareness.
QRadar SIEM: Product Tour of Offense Tab
[Screenshot: Offense tab]
QRadar SIEM: Offense triggers as a result of Zscaler events

Questions the offense view answers (screenshot callouts in parentheses):
- What was the breach?
- Who was responsible?
- Was it successful? (Yes)
- Where do I find them?
- How many targets were involved? (8)
- How valuable are the targets to the business?
- Are any of them vulnerable?
- Where is all the evidence?
QRadar SIEM: Use Cases

QRadar SIEM excels at the most challenging use cases:
- Complex threat detection
- Malicious activity identification
- User activity monitoring
- Compliance monitoring
- Fraud detection and data loss prevention
QRadar SIEM & Zscaler Use Cases

1. Potential botnet activity detected
QRadar running at an international financial services organization receives 3 Zscaler NSS events indicating possible botnet command and control traffic, which generates an offense. The magnitude of the offense is increased to 10 when QRadar flow traffic confirms that multiple clients have regularly connected to the same set of external IP addresses over a period of 2 days.

2. Phishing threat detected
Zscaler NSS sends 3 events to QRadar warning that a website containing potential phishing content has been contacted by 3 executives. QRadar generates a high magnitude offense when these events are correlated with X-Force data that identifies that site as a phishing site. The SOC analyst changes the corporate Zscaler policy to block that phishing site in the future.
QRadar SIEM & Zscaler Use Cases

3. Social network site allowed for privileged mobile users
The severity of an event cautioning the use of a social network site is lowered when QRadar compares the user who generated the event with a reference set of mobile users who are permitted to use the site. A false positive is avoided.
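The three use cases above all follow the same pattern: web events from Zscaler NSS are a signal, and context (flow records, a reputation feed, a reference set of users) either corroborates them into a higher-magnitude offense or lowers their severity. The following script is an added example, not QRadar or Zscaler code, that plays the three use cases through against constructed data. The key=value line layout standing in for an NSS feed, the rule thresholds, the magnitude values, the reputation list standing in for X-Force data and every sample record are assumptions made for illustration.

```python
"""Correlating Zscaler NSS-style web events with flows, a reputation list and a
reference set, following the three use cases above.  Added example, not QRadar or
Zscaler code: the line layout, thresholds, magnitudes and all records are constructed."""
from collections import defaultdict

# Constructed NSS-style event lines (one web transaction each).
NSS_LINES = [
    "day=2014-02-03 user=jdoe    src=10.1.1.10 dst=198.51.100.7 cat=botnet_cnc sev=7",
    "day=2014-02-03 user=asmith  src=10.1.1.11 dst=198.51.100.7 cat=botnet_cnc sev=7",
    "day=2014-02-04 user=bwong   src=10.1.1.12 dst=198.51.100.7 cat=botnet_cnc sev=7",
    "day=2014-02-04 user=ceo     src=10.1.2.1  dst=login-secure.example.net cat=phishing sev=6",
    "day=2014-02-04 user=cfo     src=10.1.2.2  dst=login-secure.example.net cat=phishing sev=6",
    "day=2014-02-04 user=coo     src=10.1.2.3  dst=login-secure.example.net cat=phishing sev=6",
    "day=2014-02-04 user=mobile1 src=10.1.3.1  dst=social.example.com cat=social_network sev=4",
    "day=2014-02-04 user=desk1   src=10.1.3.2  dst=social.example.com cat=social_network sev=4",
]
# Constructed flow records (day, source, destination) from the same network.
FLOWS = [
    ("2014-02-02", "10.1.1.10", "198.51.100.7"),
    ("2014-02-03", "10.1.1.11", "198.51.100.7"),
    ("2014-02-04", "10.1.1.12", "198.51.100.7"),
    ("2014-02-04", "10.1.1.10", "198.51.100.7"),
]
# Constructed context: a stand-in for a threat-intelligence feed and two reference sets.
KNOWN_PHISHING = {"login-secure.example.net"}
EXECUTIVES = {"ceo", "cfo", "coo"}
MOBILE_USERS = {"mobile1"}


def parse_nss(line):
    """Turn one constructed key=value line into a dict with an integer severity."""
    rec = dict(tok.split("=", 1) for tok in line.split())
    rec["sev"] = int(rec["sev"])
    return rec


def rule_botnet(events, flows, min_events=3, min_clients=2, min_days=2):
    """Use case 1: three or more C&C events open an offense; flows showing several
    clients reaching the same external address across several days corroborate it."""
    cnc = [e for e in events if e["cat"] == "botnet_cnc"]
    if len(cnc) < min_events:
        return None
    offense = {"rule": "botnet_cnc", "magnitude": max(e["sev"] for e in cnc),
               "users": sorted(e["user"] for e in cnc), "corroborated_by": set()}
    seen = defaultdict(lambda: (set(), set()))   # destination -> (client IPs, days)
    for day, src, dst in flows:
        seen[dst][0].add(src)
        seen[dst][1].add(day)
    for dst, (clients, days) in seen.items():
        if len(clients) >= min_clients and len(days) >= min_days:
            offense["corroborated_by"].add(dst)
    if offense["corroborated_by"]:
        offense["magnitude"] = 10   # flow evidence confirms the events, as in the use case
    return offense


def rule_phishing(events, min_events=3):
    """Use case 2: executives contacting a host the reputation list marks as phishing
    produce a high-magnitude offense and a recommended policy change."""
    hits = [e for e in events if e["cat"] == "phishing"
            and e["user"] in EXECUTIVES and e["dst"] in KNOWN_PHISHING]
    if len(hits) < min_events:
        return None
    hosts = sorted({e["dst"] for e in hits})
    return {"rule": "phishing", "magnitude": 9, "users": sorted(e["user"] for e in hits),
            "action": "block " + ", ".join(hosts)}


def rule_social(events, lowered_sev=1):
    """Use case 3: a social-network event from a user in the mobile reference set has
    its severity lowered; events from other users keep the original severity."""
    out = {}
    for e in events:
        if e["cat"] == "social_network":
            out[e["user"]] = lowered_sev if e["user"] in MOBILE_USERS else e["sev"]
    return out


def correlate(lines=NSS_LINES, flows=FLOWS):
    """Run all three rules over the parsed events and return what they produced."""
    events = [parse_nss(line) for line in lines]
    offenses = [o for o in (rule_botnet(events, flows), rule_phishing(events)) if o]
    return {"offenses": offenses, "social_severity": rule_social(events)}


if __name__ == "__main__":
    for key, val in correlate().items():
        print(key, val)
```

Each rule is written so that a missing piece of context changes the outcome rather than the rule firing on the events alone: without flows to the same destination from several clients over several days the botnet offense stays at the event severity, without the reputation hit the phishing rule does not fire, and the reference-set check is the only thing that separates the permitted mobile user from the desktop user.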
QRadar SIEM: Intelligent, Integrated and Automated
1. Intelligence delivered through Offense Management and identification of critical anomalies
2. Integrated with 100s of data sources, such as Zscaler Nanolog Streaming Service
3. Automated via 1000s of rules and reports out of the box, delivering rapid time to value and operational efficiency

QRadar SIEM delivers full visibility and actionable insight for Total Security Intelligence.