IBM Security
QRadar SIEM Foundations
Keep learning: IBM Security Learning Academy for Tech Sellers
Visit https://www.securitylearningacademy.com and select “Technical Sales Education”
• Over 24 self-paced learning activities and online courses, with new offerings added regularly
• Roadmaps by SOAR & IRP and product segment
• Go from beginner to advanced at your own pace
Course Outline
• Introduction to IBM QRadar
• QRadar Data Flow Architecture Overview
• Deployment, Licensing and Appliance Types
• Navigate the user interface
• Dashboard, Data Sources, Building a Search, Offenses
• Reports, Rules and Managing Assets & Reference Data Collections
• DSM Editor
• Tuning Overview
• Sizing/Scope Overview
Introduction to QRadar
Why do we need Security Intelligence and a security immune system?
• Compliance
• Human error
• Skills gap
• Advanced attacks
• Innovation
Attackers break through conventional safeguards every day
• $7M: average cost of a U.S. data breach
• 201 days: average time to identify a data breach
• 2014: 1+ billion records
• 2015: unprecedented impact
• 2016: 4+ billion records
How do I get started when all I see is chaos?
An integrated and intelligent security immune system
Capabilities shown in the immune-system diagram: criminal detection; fraud protection; workload protection; cloud access security broker; access management; entitlements and roles; privileged identity management; identity management; data access control; application security management; application scanning; data monitoring; device management; transaction protection; content security; malware protection; endpoint detection and response; endpoint patching and management; virtual patching; firewalls; network forensics and threat management; sandboxing; network visibility and segmentation; indicators of compromise; IP reputation; threat sharing; vulnerability management; incident response; user behavior analysis; threat hunting and investigation; cognitive security; threat and anomaly detection.
IBM security immune system portfolio
Security Transformation Services: management consulting | systems integration | managed security
Information Risk and Protection: MaaS360, Trusteer Mobile, Trusteer Rapport, Trusteer Pinpoint, AppScan, Guardium, Cloud Security, Privileged Identity Manager, Identity Governance and Access, Cloud Identity Service, Key Manager, zSecure
Security Operations and Response: QRadar SIEM, QRadar Vulnerability / Risk Manager, QRadar User Behavior Analytics, QRadar Incident Forensics, QRadar Advisor with Watson, QRadar Network Security (XGS), Resilient Incident Response, i2 Enterprise Insight Analysis, BigFix, X-Force Exchange, App Exchange
The QRadar Ecosystem – Intelligent Detection
• Predict and prioritize security weaknesses
  – Gather threat intelligence information
  – Manage vulnerabilities and risks
  – Augment vulnerability scan data with context for optimized prioritization
  – Manage device configurations (firewalls, switches, routers, IPS/IDS)
• Detect deviations to identify malicious activity
  – Establish baseline behaviors
  – Monitor and investigate anomalies
  – Monitor network flows
• React in real time to exploits
  – Correlate logs, events, network flows, identities, assets, vulnerabilities, and configurations, and add context
  – Use automated and cognitive solutions to make data actionable by existing staff
What is Security Intelligence?
Security Intelligence (noun): the real-time collection, normalization, and analytics of the data generated by users, applications, and infrastructure that impacts the IT security and risk posture of an enterprise.
Ask the right questions – The exploit timeline
• What are the major risks and vulnerabilities?
• Are we configured to protect against advanced threats?
• What security incidents are happening right now?
• What was the impact to the organization?
What Security Intelligence delivers along that timeline:
• Gain visibility over the organization’s security posture and identify security gaps
• Detect deviations from the norm that indicate early warnings of APTs
• Prioritize vulnerabilities to optimize remediation processes and close critical exposures before exploit
• Automatically detect threats with prioritized workflow to quickly analyze impact
• Gather full situational awareness through advanced security analytics
• Perform forensic investigation, reducing time to find the root cause; use results to drive faster remediation
Timeline (figure): Prediction / Prevention phase, pre-exploit (vulnerability: Vulnerability Manager, Risk Manager) → Exploit → Reaction / Remediation phase, post-exploit (remediation: SIEM, Incident Forensics)
IBM QRadar Vulnerability Manager: Scan, assess, and remediate vulnerabilities
• Contains an embedded, well-proven, scalable, analyst-recognized vulnerability detection engine that detects more than 70,000 vulnerabilities
• Integrates into the QRadar ecosystem
• Is present on all QRadar event and flow collector and processor appliances (QRadar 7.2 and up) as well as QRadar data nodes (QRadar 7.2.8 and up)
• Integrates with endpoint management (IBM BigFix), web application security (IBM AppScan), database security (IBM Guardium), and network management (IBM Security SiteProtector)
• Leverages QRadar Risk Manager to report which vulnerabilities are blocked by your IPS and firewall
• Uses QFlow to report whether a vulnerable application is active
• Presents a prioritized list of vulnerabilities you should deal with as soon as possible
IBM QRadar Risk Manager: Scan, assess, and remediate risks
• Network topology model based on security device configurations enables visualization of actual and potential network traffic patterns
• Policy engine correlates network topology, asset vulnerabilities and configuration, and actual network traffic to quantify and prioritize risk, enabling risk-prioritized remediation and compliance checking, alerting, and reporting
• Centralizes network security device configuration data and discovers configuration errors; monitors firewall rule activity
• Models threat propagation and simulates network topology changes
Capability areas (figure): asset risk quantification, remediation prioritization, network topology, policy and compliance monitoring, threat simulations
IBM QRadar SIEM
Web-based command console for Security Intelligence
• Delivers actionable insight, focusing security teams on high-probability incidents
  – Employs rules-based correlation of events, flows, assets, topologies, and vulnerabilities
• Detects and tracks malicious activity over extended time periods, helping uncover advanced threats often missed by other solutions
  – Consolidates “big data” security incidents within a purpose-built, federated database repository
• Provides anomaly detection to complement existing perimeter defenses
  – Calculates identity and application baseline profiles to assess abnormal conditions
• Provides deep visibility into network, user, and application activity
• Provides reliable, tamper-proof log storage for forensic investigations and evidentiary use
Optimized threat analysis (figure): for a global enterprise with a dedicated SOC team, a daily volume of 2,000,000,000 events and flows is automatically analyzed to find ~25 potential offenses to investigate.
© COPYRIGHT IBM CORPORATION 2017
QRadar embedded intelligence offers automated offense identification
Data sources feeding suspected incidents: servers and mainframes; data activity; network and virtual activity; application activity; configuration information; security devices; users and identities; vulnerabilities and threats; global threat intelligence
Embedded intelligence:
• Correlation: logs/events, flows, IP reputation, geographic location
• Activity baselining and anomaly detection: user activity, database activity, application activity, network activity
• Offense identification: credibility, severity, relevance
Output: prioritized incidents; secure archive
QRadar embedded intelligence directs focus for investigations
Suspected incidents → embedded intelligence → prioritized incidents → directed forensics investigations
• Reduce time to resolution through intuitive forensic workflow
• Use intuition more than technical training
• Determine root cause and prevent recurrences
Benefits of IBM Security Intelligence approach using QRadar
• Threat and anomaly protection
• Incident forensics and response
• Compliance reporting
• User behavior analytics
• Vulnerability and risk management
• Cognitive security
An integrated, unified architecture in a single console, with configurable dashboards
Identifying suspected attacks and policy violations
• What was the attack?
• Is the attack credible?
• How valuable are the targets to the business?
• Who was responsible for the attack?
• Where are they located?
• What was stolen and where is the evidence?
• Are any assets vulnerable?
• How many targeted assets are involved?
Providing functional context
To enable security analysts to perform investigations, QRadar SIEM correlates information such as:
• Point in time
• Offending users
• Origins
• Targets
• Asset information
• Vulnerabilities
• Known threats
• Behavioral analytics
• Cognitive analytics
Network flow analytics
• Provides insight into raw network traffic
  – Attackers can interfere with logging to erase their tracks, but they cannot cut off the network (flow data)
• Allows deep packet inspection for Layer 7 flow data
  – Pivoting, drill-down, and data-mining activities on flow sources allow for advanced detection and forensics
• Helps to detect anomalies that might otherwise be missed
• Helps to detect zero-day attacks that have no signature
• Provides visibility into all attacker communications
• Uses passive monitoring to build asset profiles and classify hosts
• Improves network visibility and helps resolve traffic problems
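The three stages on the embedded-intelligence slide (correlation of events and flows, activity baselining, and offense identification by credibility, severity and relevance) and this slide's point that flow data survives log tampering are shown together in the following added example. It is illustrative code written for this page, not QRadar's own implementation or scoring algorithm: the event and flow record formats, the asset-relevance, IP-reputation and outbound-baseline tables, the severity map, and the equal-weight averaging of credibility, severity and relevance into one magnitude are all constructed assumptions, and the addresses are taken from private and documentation ranges.

```python
"""Illustrative SIEM-style correlation over constructed sample data.
Added teaching example, not QRadar's own code or algorithm: the record formats,
the asset/reputation/baseline tables and the equal-weight magnitude are assumptions."""
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space
Event = namedtuple("Event", "ts src dst category credibility")
Flow = namedtuple("Flow", "ts src dst dst_port nbytes")

# Constructed syslog-like events: timestamp followed by key=value pairs.
SAMPLE_EVENTS = [
    "2017-03-01T10:00:01 src=203.0.113.7 dst=10.0.0.5 cat=auth_failure cred=6",
    "2017-03-01T10:00:03 src=203.0.113.7 dst=10.0.0.5 cat=auth_failure cred=6",
    "2017-03-01T10:00:09 src=203.0.113.7 dst=10.0.0.5 cat=auth_success cred=8",
    "2017-03-01T10:02:00 src=10.0.0.22 dst=10.0.0.9 cat=auth_success cred=8",
]
# Constructed NetFlow-like records: ts,src,dst,dst_port,bytes
SAMPLE_FLOWS = [
    "2017-03-01T10:00:10,203.0.113.7,10.0.0.5,22,1200",
    "2017-03-01T10:00:20,10.0.0.5,198.51.100.9,443,52000000",
    "2017-03-01T10:05:00,10.0.0.31,198.51.100.9,443,4800000",
]
ASSET_RELEVANCE = {"10.0.0.5": 9, "10.0.0.9": 4}      # constructed asset weights (1..10)
BAD_REPUTATION = {"203.0.113.7"}                       # constructed IP reputation feed
OUTBOUND_BASELINE = {"10.0.0.5": 2_000_000, "10.0.0.31": 5_000_000}  # bytes/day, constructed
SEVERITY_BY_CATEGORY = {"auth_failure": 3, "auth_success": 1}        # constructed

def parse_event(line):
    """Normalize one raw event line into the common Event shape."""
    ts, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return Event(ts, kv["src"], kv["dst"], kv["cat"], int(kv["cred"]))

def parse_flow(line):
    ts, src, dst, port, nbytes = line.split(",")
    return Flow(ts, src, dst, int(port), int(nbytes))

def clamp(x): return max(1, min(10, x))

def magnitude(credibility, severity, relevance):
    """Simplified stand-in for an offense magnitude: equal-weight mean on 1..10."""
    return clamp(round((credibility + severity + relevance) / 3))

def build_offenses(events, flows):
    """Group events by source, corroborate with flows, rank by magnitude."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    offenses = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        cats = [e.category for e in evs]
        severity = max(SEVERITY_BY_CATEGORY.get(c, 1) for c in cats)
        # Sequence rule: repeated failures then a success outranks either category alone.
        if cats.count("auth_failure") >= 2 and "auth_success" in cats \
                and cats.index("auth_success") > cats.index("auth_failure"):
            severity = max(severity, 7)
        credibility = max(e.credibility for e in evs)
        # A flow between the same endpoints corroborates what the log claims happened.
        if any(f.src == src and f.dst == e.dst for f in flows for e in evs):
            credibility += 1
        if src in BAD_REPUTATION:
            credibility += 1
        credibility = clamp(credibility)
        relevance = max(ASSET_RELEVANCE.get(e.dst, 3) for e in evs)
        offenses.append({"src": src, "events": len(evs), "credibility": credibility,
                         "severity": severity, "relevance": relevance,
                         "magnitude": magnitude(credibility, severity, relevance)})
    return sorted(offenses, key=lambda o: o["magnitude"], reverse=True)

def flow_anomalies(flows, factor=5):
    """Internal hosts whose outbound volume exceeds `factor` times their baseline."""
    outbound = defaultdict(int)
    for f in flows:
        if ip_address(f.src) in INTERNAL and ip_address(f.dst) not in INTERNAL:
            outbound[f.src] += f.nbytes
    return {h: b for h, b in outbound.items()
            if b > factor * OUTBOUND_BASELINE.get(h, 1_000_000)}

def logging_gaps(events, flows):
    """Internal hosts that originate flows but never appear as an event source:
    flow records keep arriving even when a host's own logging has been stopped."""
    logged = {e.src for e in events}
    return sorted({f.src for f in flows
                   if ip_address(f.src) in INTERNAL and f.src not in logged})

def analyze(event_lines, flow_lines):
    events = [parse_event(l) for l in event_lines]
    flows = [parse_flow(l) for l in flow_lines]
    return {"offenses": build_offenses(events, flows),
            "anomalies": flow_anomalies(flows), "logging_gaps": logging_gaps(events, flows)}

if __name__ == "__main__":
    for name, value in analyze(SAMPLE_EVENTS, SAMPLE_FLOWS).items():
        print(name, value)
```

Running the script ranks the brute-force-then-login from 203.0.113.7 against the high-value asset at the top, flags 10.0.0.5 for outbound volume far above its baseline, and lists the internal hosts that show up in flows without having sent a single event. That last list is the practical reading of the slide's claim that attackers can erase logs but not the network: a host that is visibly talking on the wire yet produces no events is a blind spot worth investigating before an incident, not after.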
Extensible functional architecture
Open Ecosystem
• IBM Security App Exchange provides access to apps from leading security partners
• Out-of-the-box integrations for 500+ third-party security products
• Open APIs allow for custom integrations and apps
Cognitive Analytics
• QRadar Sense Analytics allows you to inspect events, flows, users, and more
• Speed analysis with visuals, query, and auto-discovery across the platform
• Augment your analysts’ knowledge and insights with QRadar Advisor with Watson
Deep Threat Intelligence and Analysis
• IBM X-Force Exchange helps you stay ahead of the latest threats and attacks
• Extend investigations to cyber threat analysis with i2 Enterprise Insight Analysis
• Powered by the X-Force Research team and 700TB+ of threat data
• Share data with a collaborative portal and STIX / TAXII standards
Cognitive Analytics: Revolutionizing how security analysts work
• Natural language processing with security that understands, reasons, learns, and interacts
Watson determines the specific campaign (Locky), discovers more infected endpoints, and sends results to the incident response team
Open Ecosystem and Collaboration
• Application extensions to enhance visibility and productivity
https://exchange.xforce.ibmcloud.com
Deep Threat Intelligence
• Crowd-sourced information sharing based on 700+TB of threat intelligence
https://exchange.xforce.ibmcloud.com
FOLLOW US ON: ibm.com/security | securityintelligence.com | xforce.ibmcloud.com | @ibmsecurity | youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
THANK YOU
