IBM Security Intelligence
5 likes4,790 views
1) Security intelligence refers to the collection, normalization, and analysis of data from users, applications, and infrastructure across an enterprise to gain comprehensive insight into security risks and threats. 2) IBM Security Intelligence solutions provide security capabilities across the full timeline from protection to detection to remediation. 3) The IBM QRadar security intelligence platform collects both structured and unstructured data from multiple sources and performs automated analytics to identify and prioritize security and operational incidents.
IBM Security Intelligence
- 1. IBM Security IBM Security Intelligence © 2013 IBM Corporation© 2014 IBM Corporation Speaker: Alfonso Ponticelli Security QRadar Technical Sales, Italy
- 2. IBM Security Systems What is Security Intelligence? Security Intelligence --noun 1. the real-time collection, normalization and analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise Security Intelligence © 2014 IBM Corporation2 IT security and risk posture of an enterprise Security Intelligence provides actionable and comprehensive insight for managing risks and threats from protection and detection through remediation
- 3. IBM Security Systems Solutions for the full Security Intelligence timeline IBM Security Intelligence © 2014 IBM Corporation3
- 4. IBM Security Systems Built upon common foundation of QRadar SIOS Reporting Engine Workflow Rules Engine Real-Time Viewer Security Intelligence Solutions IBM QRadar SIEM Platform QRadar SIEM QRadar Risk Manager QRadar QFlow and VFlow QRadar Vulnerability Manager © 2014 IBM Corporation4 Analytics Engine Warehouse Archival Security Intelligence Operating System (SIOS) Normalization
- 5. IBM Security Systems Servers and mainframes Network and virtual activity Data activity Security devices Structured & Unstructured Data …Suspected Incidents • Automated data collection, asset discovery and profiling • Automated, real-time, and integrated analytics Embedded Intelligence Highly Prioritized Security and Operational Incidents Highly Prioritized Security and Operational Incidents Automated Dynamic Threat Environment Requires Security Intelligence IBM QRadar SIEM Platform © 2014 IBM Corporation5 Application activity Configuration information Vulnerabilities and threats Users and identities Global threat intelligence • Massive data reduction • Activity baselining and anomaly detection • Out-of-the box rules and templates Automated Offense Identification Visibility across organizational security systems to improve response times and incorporate adaptability/flexibility required for early detection of threats or risky behaviors
- 6. IBM Security Systems And continually adding context for increased accuracy Security Intelligence Feeds Internet ThreatsGeo Location Vulnerabilities IBM QRadar SIEM Platform © 2014 IBM Corporation6
- 7. IBM Security Systems Using fully integrated architecture and interface IBM QRadar Platform © 2014 IBM Corporation7
- 8. IBM Security Systems Continued journey towards Total Security Intelligence IBM QRadar Security Intelligence © 2014 IBM Corporation8
- 9. IBM Security Systems Network traffic doesn’t lie. Attackers can stop logging and erase their tracks, but can’t cut off the network (flow data) • Deep packet inspection for Layer 7 flow data • Pivoting, drill-down and data mining on flow sources for advanced detection and forensics Helps detect anomalies that might otherwise get missed Enables visibility into attacker communications Differentiated by network flow analytics IBM QRadar Platform © 2014 IBM Corporation9 Enables visibility into attacker communications
- 10. IBM Security Systems QRadar Risk Manager: Visualize network, configurations and risks Depicts network topology views and helps visualize current and alternative network traffic patterns Identifies active attack paths and assets at risk of exploit IBM QRadar Risk Manager © 2014 IBM Corporation10 Collects network device configuration data to assess vulnerabilities and facilitate analysis and reportingDiscovers firewall configuration errors and improves performance by eliminating ineffective rules Analyzes policy compliance for network traffic, topology and vulnerability exposures
- 11. IBM Security Systems Investigating offense attack path Clicking ‘attack path’ button for an offense performs search showing precise path (and all permutations) between involved source and destination IPs Firewall rules enabling the attack path can then be quickly analyzed to understand the exposure IBM QRadar Risk Manager © 2014 IBM Corporation11 understand the exposure Allows “virtual patch” to be applied by quickly showing which firewall rules may be changed to immediately shut down attack path—before patching or other configuration changes can typically be implemented
- 12. IBM Security Systems Strengthened by integrated vulnerability insights IBM QRadar Vulnerability Manager © 2014 IBM Corporation12
- 13. IBM Security Systems QVM enables customers to interpret ‘sea’ of vulnerabilities IBM QRadar Vulnerability Manager © 2014 IBM Corporation13
- 14. IBM Security Systems QRadar Security Intelligence easily grows with your needs Add QRadar Risk Manager • Enables pre-exploit configuration investigations • Simplifies security policy reviews for compliance tests Implement QRadar Vulnerability Manager • Extends pre-exploit analysis - adds integrated, vulnerability insights • Reduces magnitude of pre-exploit conditions as QRadar SIEM does for post-exploit conditions • Helps identify and measure exposures to external threats IBM QRadar Security Intelligence © 2014 IBM Corporation14 Inject IBM X-Force Threat Research Intelligence - Provides intelligence feed to QRadar - Includes vulnerabilities, IP reputations, malware reports • Simplifies security policy reviews for compliance tests • Provides network topology depictions and permits attack simulations QRadar SIEM • Additional security telemetry data • Rules-based correlation analysis engine • Data overload reduction ‘magic’ compressing millions or even billions of daily raw events to manageable list of issues
- 15. IBM Security Systems QRadar Incident Forensics Module Overview Seamlessly integrated with Security Intelligence incident detection and workflow processes Full packet capture for complete insight and incident forensics IBM QRadar Incident Forensics © 2014 IBM Corporation15 Deep packet inspection, analytics and searching enabling powerful and intuitive forensics Providing unified view of all flow, user, event, and forensic information
- 16. IBM Security Systems Offering Overview Family Product Appliance Virtual Appliance Software SIEM All-in-One 2100 Light3 / 2100 / 3105 / 3124 3190 21XX Light3 / 21XX / 31XX Console 3105 / 3124 3190 31XX Event Processor 1605 / 1624 1690 16XX Flow Processor 1705 / 1724 1790 17XX Como Event/Flow Processor 1805 18XX Event Collector5 1501 1590 15XX2 QFlow Collector 1201 / 1202 / 1301 / 1310 VFlow / 1290 12XX © 2014 IBM Corporation16 QFlow Collector 1201 / 1202 / 1301 / 1310 VFlow / 1290 12XX Log Manager All-in-1 2100 / 3105 / 3124 3190 21XX / 31XX1 Console 3105 / 3124 3190 31XX1 Event Processor 1605 / 1624 1690 16XX1 QNAD QNAD QNAD Risk Manager QRM QRM / QRM Light4 QRM VM3 / QRM Light VM4 QRM SW3 / QRM Light SW4 Vulnerability Manager QVM QVM3 QVM VM3 QVM SW3