© 2014 IBM Corporation, IBM Security Systems. Attain Clarity of your Security Posture with New QRadar Incident Forensics, webcast of May 14, 2014

Attain Clarity of your Security Posture with New QRadar Incident Forensics

Sep 14, 2014


Time is of the essence, especially when attempting to prevent, detect and respond to security breaches. IT security teams require the ability to attain context around an attack to establish direction, prioritize and improve the efficacy of a security investigation. Security analysts need simple yet powerful capabilities that empower them to employ intuition to rapidly resolve the root cause of security compromise and understand the full scope of the risk.

With the introduction of the new IBM Security QRadar Incident Forensics, the IBM Security Intelligence platform adds to its repertoire to not only detect security incidents and offenses, but also:

- Fully retrace the incident or offense
- Maximize the productivity of available security resources
- Improve the detection of emerging threats or risky behaviors

View the full on-demand webcast: https://www2.gotomeeting.com/register/515803314
Transcript
Page 1: Attain Clarity of your Security Posture with New Qradar Incident Forensics

© 2014 IBM Corporation

IBM Security Systems

1 © 2014 IBM Corporation

Attain Clarity of your Security Posture with New QRadar Incident Forensics

May 14, 2014

Page 2: Attain Clarity of your Security Posture with New Qradar Incident Forensics


Speakers & Agenda

Vijay Dheap, Product Manager, IBM Security Systems

• Exciting addition to Security Intelligence platform

• Better visibility with solution consolidation

• Why’s and how’s for network forensic investigations

• QRadar Incident Forensics and QRadar Packet Capture

Page 3: Attain Clarity of your Security Posture with New Qradar Incident Forensics


Why are we here?

Page 4: Attain Clarity of your Security Posture with New Qradar Incident Forensics


IBM QRadar Security Intelligence Platform: providing actionable intelligence

• AUTOMATED: driving simplicity and accelerating time-to-value

• INTEGRATED: unified architecture delivered in a single console

• INTELLIGENT: correlation, analysis and massive data reduction

Page 5: Attain Clarity of your Security Posture with New Qradar Incident Forensics


Consolidation and integration help reduce costs and increase visibility

Traditional SIEM: 6 products from 6 vendors are needed.

IBM Security Intelligence and Analytics: the IBM QRadar Security Intelligence Platform provides big data consolidation of all available security information, covering Logs, Events, Flows, Configurations, Vulnerabilities and Packets.

Page 6: Attain Clarity of your Security Posture with New Qradar Incident Forensics


Technology additions strengthen QRadar Security Intelligence

Platform evolution based on client needs (vertical axis: Client Needs)

Timeline: 2002 – 2005 | 2006 – 2007 | 2008 – 2009 | 2010 – 2011 | 2012 – 2013 | 2014 | Future

• Log Management: identity management, complete log management, and compliance reporting

• SIEM: SIM and VA integration

• Flow Visualization and NBAD: anomaly detection and threat resolution

• Risk Management: configuration analysis, policy monitoring, and risk assessment

• Vulnerability Management: real-time vulnerability scanning and vulnerability prioritizations

• Network Forensics: incident forensics and packet captures

• .NEXT

Security Intelligence

Page 7: Attain Clarity of your Security Posture with New Qradar Incident Forensics


Single web-based console provides superior visibility

• Log Management

• Security Intelligence

• Network Activity Monitoring

• Risk Management

• Vulnerability Management

• Network Forensics

Page 8: Attain Clarity of your Security Posture with New Qradar Incident Forensics


Incident Forensics

*NEW* IBM Security QRadar Incident Forensics: intuitive investigation of security incidents

Wins the race against time

• Reduces incident investigation periods from days or hours to minutes
  – Employs Internet search engine technology, closing security team skill gaps

• Compiles evidence against malicious entities breaching secure systems and deleting or stealing sensitive data
  – Creates rich ‘digital impression’ visualizations of related content

• Helps determine root cause of successful breaches, helping prevent recurrences
  – Adds full packet captures to complement SIEM security data collection and analytics

“Research findings indicate enterprise organizations want increased awareness of advanced threats without the need for additional resources and forensics expertise.”

Source: Jon Oltsik, Enterprise Systems Group (ESG)

Page 9: Attain Clarity of your Security Posture with New Qradar Incident Forensics


IBM Security Incident Forensics Deep Dive

Page 10: Attain Clarity of your Security Posture with New Qradar Incident Forensics


Harsh realities for many enterprise network CISOs

• 63% of victims made aware of their breaches by an external organization

• In 2013, it took organizations 32 days on average to resolve a cyber-attack

• In 2012, 38% of targets were attacked again once the original incident was remediated

• Attackers spend an estimated 243 days on a victim’s network before being discovered

• Annual cost of cyber-crime in the U.S. now stands at $11.56 million per organization

• Has our organization been compromised?

• When was our security breached?

• How to avoid becoming a repeat victim?

• What resources and assets are at risk?

• What type of attack is it?

• How do we identify the attack?

Page 11: Attain Clarity of your Security Posture with New Qradar Incident Forensics


Struggling to manage resources against today’s new challenges

Escalating Attacks

• Increasingly sophisticated attack methods

• Disappearing perimeters

• Accelerating security breaches

Increasing Complexity

• Constantly changing infrastructure

• Too many products from multiple vendors; costly to configure and manage

• Inadequate and ineffective tools

Resource Constraints

• Under-staffed security teams

• Data overload with limited manpower and skills to find true threats

• Managing and monitoring increasing compliance demands

[Slide graphics: Spear Phishing, Persistence, Backdoors, Designer Malware; a mock job-board search on ITSecurityJobs.com reading “Sorry, no applicants found”]

Page 12: Attain Clarity of your Security Posture with New Qradar Incident Forensics


Defending the network requires appropriate solutions

What security incidents are happening right now? What was the impact to the organization? Are we configured to protect against advanced threats? What are the major risks and vulnerabilities?

Security Intelligence: the actionable information derived from the analysis of security-relevant data available to an organization

• Gain visibility over the organization’s security posture and identify security gaps

• Detect deviations from the norm that indicate early warnings of APTs

• Prioritize vulnerabilities to optimize remediation processes and close critical exposures before exploit

• Automatically detect threats with prioritized workflow to quickly analyze impact

• Gather full situational awareness through advanced security analytics

• Perform forensic investigation reducing time to find root cause; use results to drive faster remediation

Lifecycle axis: PREDICTION / PREVENTION PHASE (Vulnerability, Pre-Exploit), Exploit, REACTION / REMEDIATION PHASE (Post-Exploit, Remediation)

Page 13: Attain Clarity of your Security Posture with New Qradar Incident Forensics


Massive data gathering allows embedded intelligence to automatically detect anomalous conditions

Suspected Incidents → Prioritized Incidents

Extensive Data Sources: servers and mainframes; data activity; network and virtual activity; application activity; configuration information; security devices; users and identities; vulnerabilities and threats; global threat intelligence

Embedded Intelligence (Automated Offense Identification)

• Massive data reduction

• Automated data collection, asset discovery and profiling

• Automated, real-time, and integrated analytics

• Activity baselining and anomaly detection

• Out-of-the-box rules and templates

Page 14: Attain Clarity of your Security Posture with New Qradar Incident Forensics


Yet today’s threats require greater clarity to resolve

• Network Security: detect unauthorized activities targeting critical assets, uncover the motivations and develop an understanding of the full scope of the risk

• Insider Threat Analysis: find the perpetrator, identify collaborators, pinpoint the systems compromised and document any data losses

• Fraud and Abuse: uncover sophisticated money laundering schemes involving multiple seemingly disparate interactions

• Evidence Gathering: compile evidence against malicious entities breaching secure systems and deleting or stealing sensitive data

Page 15: Attain Clarity of your Security Posture with New Qradar Incident Forensics


Traditional customer challenges employing network forensics

• Critical gaps exist in available forensics and threat mitigation offerings to recover from an incident

• Dependency on specialized skills to conduct detailed investigations

• Difficulty identifying true incidents hidden in mounds of data

• Disparate tools with limited intelligence inhibit productivity and efficacy in analysing incidents

Security teams must reduce the time to detect and respond to threats. Confusion and wasted time aid the attacker.

Page 16: Attain Clarity of your Security Posture with New Qradar Incident Forensics


How network forensics is done

Full Packet Capture

• Capture packets off the network

• Include other, related structured and unstructured content stored within the network

Retrieval & Session Reconstruction

• For a selected security incident, retrieve all the packets (time bounded)

• Re-assemble into searchable documents including full payload displayed in original form

Forensics Activity

• Navigate to uncover knowledge of threats

• Switch search criteria to see hidden relationships

Page 17: Attain Clarity of your Security Posture with New Qradar Incident Forensics


Extend clarity around incidents with in-depth forensics data

Suspected Incidents → Prioritized Incidents (Embedded Intelligence)

Directed Forensics Investigations

• Rapidly reduce time to resolution through intuitive forensic workflow

• Use intuition more than technical training

• Determine root cause and prevent recurrences

Page 18: Attain Clarity of your Security Posture with New Qradar Incident Forensics


How network forensics is done - with QRadar Incident Forensics

Leverage strengths of QRadar to optimize investigations and gather evidence for detected incidents

1. Extension of QRadar Security Intelligence Platform
   • Built off high accuracy QRadar offense discovery
   • Improve efficiency of investigations

2. Expands Data Available for Incident Forensics
   • Data-in-motion and data-at-rest
   • Structured and unstructured data

3. Has Scalable Search Infrastructure
   • Index all the data
   • Correlate all the data
   • Prioritize search performance

4. Builds Intelligence
   • Automated identification and assembly of identities
   • Automated distilling of suspicious content/activity
   • Content categorization informs data exclusion
   • Reveals linkages between entities

5. Enables Intuitive Investigative Analysis
   • Simple search engine interface
   • Visual analytics
   • Retrace activity in chronological order with reconstructed content

Page 19: Attain Clarity of your Security Posture with New Qradar Incident Forensics


Changing the dynamics of network forensics activities

QRadar Incident Forensics helps simplify the task, accelerate results, and ensure better results

Before

• Performed by technically trained forensics researchers

• Hunt for anomalous activities within specified time frame

• Identify threat actor and remediate malicious conditions

After

• Initiated using intuition with Internet search engine simplicity

• Follow security analytics or threat intelligence feed directives

• Retrace step-by-step movements for complete clarity

Benefit

• Address skills gap for forensics analysis

• Win race against time finding true threats and halting data loss

• Determine root cause and prevent breach recurrences

Page 20: Attain Clarity of your Security Posture with New Qradar Incident Forensics


IBM Security QRadar Incident Forensics deployment model (Security Intelligence Platform)

QRadar Security Intelligence Console

• Seamlessly integrated, single UI

• Includes new ‘Forensics’ dashboard tab

• Supports incident investigation workflow

QRadar Incident Forensics Module

• Hardware, software, virtual appliance

• Supports standard PCAP format

• Retrieves PCAPs for an incident and reconstructs sessions for forensics

QRadar Packet Capture Appliances

• Performs Full Packet Capture

• Optimized appliance solution

• Scalable storage

Page 21: Attain Clarity of your Security Posture with New Qradar Incident Forensics


Obtain clarity throughout the lifecycle of a security incident

• Proactive formulation of best practices: use investigative clarity to develop new threat detection methods

• Enhance capacity to identify breaches: detect new attack techniques or previously compromised systems

• Mitigate risk of becoming repeat victim: assess full scope of impact or breach to close gaps in the security posture

• Shorten time to remediate an incident: find the source, block communications, patch vulnerabilities

• Detect deviations from compliance protocols: perform post-mortem analysis on underlying conditions

Page 22: Attain Clarity of your Security Posture with New Qradar Incident Forensics


Feedback Received from Our Product Preview & Beta Program

“As we assess various solutions, QRadar Incident Forensics appears to make Forensics ‘Idiot-proof’”

~ Mid-size Bank

“I don’t have data scientists on staff nor can I find them…I need a forensics solution that my security analysts can use”

~ An Institute of Higher Education

“My IT security team spends a majority of their time in QRadar console, now I don’t have to have them use a disparate tool for forensics, love the integration”

~ An Energy & Utilities Company

“QRadar Incident forensics coupled with the forthcoming dedicated packet capture capability has proven it can deliver important benefits for our communications security monitoring”

~ Beta Participant

“The simple user interface masks the power that is available to the security analyst, it was as basic as typing in a search string”

~ Beta Participant

Page 23: Attain Clarity of your Security Posture with New Qradar Incident Forensics


Learn more about IBM Security Intelligence and Analytics

• Visit the IBM Security Intelligence Website

• Watch the videos on the IBM Security Intelligence YouTube Channel

• Read new blog posts at SecurityIntelligence.com

• Follow us on Twitter: @ibmsecurity

Page 24: Attain Clarity of your Security Posture with New Qradar Incident Forensics


www.ibm.com/security

© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Page 25: Attain Clarity of your Security Posture with New Qradar Incident Forensics


IBM Security QRadar V7.2 MR2 Highlighted Features

Columns: Capability, New Feature, Customer Value

QRadar SIEM & QRadar Log Manager

• QRadar Data Node: new software/appliance helps scale Event and Flow Processor performance by adding commoditized hardware. Customer value: improves scaling performance without purchasing additional processors.

• Performance improvements: up to 2X improvement in search performance when utilizing indexes, such as where sourceip = 10.10.10.10. Customer value: faster searches.

• Multilingual Support: includes English, Simplified & Traditional Chinese, Japanese, Korean, French, German, Italian, Spanish, Russian, Portuguese (Brazil). Customer value: ease of use for non-English speaking users.

QRadar Vulnerability Manager

• User configurable scan policies: create reusable scan policies defined in terms of port scans, vulnerability checks, vulnerability tools, and vulnerability tool groups. Customer value: quicker and less invasive scans.

• Dynamic scanning: support one or more CIDR ranges per scanner, enabling dynamic scanner selection based upon asset IP. Customer value: simplified configuration, fewer scan profiles, distributed on-demand scanning.

• Remediation times and reporting: assign default remediation times for vulnerabilities and generate automated email remediation reports to assigned owners. Customer value: more automated vulnerability management and remediation processes.

QRadar Risk Manager

• Layer 7/Next Generation firewall support: import configuration data from next generation firewalls (e.g. Palo Alto). Customer value: collect, audit and analyse rich firewall configuration data.

• Net net summary: helps users easily see the end-to-end connectivity between two selected subnets. Customer value: quicker analysis of network connectivity issues.

• Improved topology query performance: faster performance of topology queries. Customer value: better visibility and faster compliance reporting.

Page 26: Attain Clarity of your Security Posture with New Qradar Incident Forensics


From NetFlow to QFlow to… …QRadar Incident Forensics

• NetFlow: packet oriented, identifies unidirectional sequences sharing source and destination IPs, ports, and type of service

• QFlow: packet oriented, identifies bi-directional sequences aggregated into sessions, also identifies applications by capturing the beginning of a flow.

• Competitive solutions: session oriented, some only capture a subset of each flow and index only the metadata—not the payload.

• QRadar Incident Forensics: session oriented, captures all packets in a flow, indexing the metadata and payload to enable fast search driven data exploration
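Slide 16 (capture, time-bounded retrieval, reassembly into searchable documents) and this slide (unidirectional NetFlow records, bidirectional QFlow sessions, full-payload indexing) describe the same pipeline from two angles. The Python below is an added illustration of those concepts, not IBM code and not how QRadar is implemented: the packets are constructed, and the session key, the application guess and the tokenizer are simplifying assumptions chosen for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # capture timestamp in seconds (constructed)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes


# Constructed sample capture (not real traffic): one HTTP exchange, one DNS
# lookup, and a later unrelated TLS packet outside the incident window.
CAPTURE = [
    Packet(100.0, "10.0.0.5", 51000, "203.0.113.9", 80, "tcp",
           b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet(100.2, "203.0.113.9", 80, "10.0.0.5", 51000, "tcp",
           b"HTTP/1.1 200 OK\r\n\r\n<html>welcome</html>"),
    Packet(100.5, "10.0.0.5", 51000, "203.0.113.9", 80, "tcp",
           b"POST /upload HTTP/1.1\r\n\r\nsecret-report.pdf"),
    Packet(101.0, "10.0.0.5", 40000, "10.0.0.53", 53, "udp", b"query example.test A"),
    Packet(101.1, "10.0.0.53", 53, "10.0.0.5", 40000, "udp", b"answer 203.0.113.9"),
    Packet(500.0, "10.0.0.7", 52000, "198.51.100.4", 443, "tcp", b"tls-client-hello"),
]


def netflow_flows(packets):
    """NetFlow-style records: unidirectional, keyed by source/destination
    IP, ports and protocol, so each direction of a conversation is its own flow."""
    flows = defaultdict(int)
    for p in packets:
        flows[(p.src, p.sport, p.dst, p.dport, p.proto)] += 1
    return dict(flows)


def session_key(p):
    """Bidirectional key: sort the two endpoints so both directions collide."""
    lo, hi = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (lo, hi, p.proto)


def guess_app(first_bytes):
    """Crude application hint from the first payload bytes of a session
    (a stand-in for QFlow's application identification; an assumption here)."""
    if first_bytes.startswith((b"GET ", b"POST ", b"HTTP/")):
        return "http"
    if first_bytes.startswith(b"query "):
        return "dns"
    return "unknown"


def qflow_sessions(packets):
    """QFlow-style records: packets aggregated into bidirectional sessions,
    with the application identified from the beginning of the flow."""
    sessions = {}
    for p in sorted(packets, key=lambda x: x.ts):
        s = sessions.setdefault(session_key(p), {"packets": 0, "app": None})
        s["packets"] += 1
        if s["app"] is None:
            s["app"] = guess_app(p.payload)
    return sessions


def retrieve_window(packets, start, end):
    """Time-bounded retrieval: all captured packets inside the incident window."""
    return [p for p in packets if start <= p.ts <= end]


def reconstruct_documents(packets):
    """Reassemble each session into one searchable document: metadata fields
    plus the full payload, in original form and chronological order."""
    docs = {}
    for p in sorted(packets, key=lambda x: x.ts):
        d = docs.setdefault(session_key(p), {"meta": set(), "payload": b""})
        d["meta"].update({p.src, p.dst, str(p.sport), str(p.dport), p.proto})
        d["payload"] += p.payload
    return docs


def build_index(docs):
    """Inverted index over metadata and payload tokens, so a search for an IP,
    a port, a hostname or a string seen in a payload returns the sessions."""
    index = defaultdict(set)
    for key, d in docs.items():
        tokens = set(d["meta"])
        tokens.update(t for t in re.split(r"[\s/:<>]+", d["payload"].decode("latin-1")) if t)
        for tok in tokens:
            index[tok.lower()].add(key)
    return index


def search(index, term):
    """Search-engine style lookup returning the matching session keys."""
    return index.get(term.lower(), set())


if __name__ == "__main__":
    window = retrieve_window(CAPTURE, 99.0, 102.0)
    idx = build_index(reconstruct_documents(window))
    print("unidirectional flows:", len(netflow_flows(CAPTURE)))
    print("bidirectional sessions:", len(qflow_sessions(CAPTURE)))
    print("sessions mentioning secret-report.pdf:", search(idx, "secret-report.pdf"))
```

The contrast the slide draws falls out of the data structures: the same six packets become five NetFlow records (each direction separately), three QFlow sessions, and, after restricting to the incident window, two reconstructed documents whose payload tokens are searchable. A metadata-only index would answer a query for the server IP but not for the file name carried in the POST body; indexing the payload is what makes that last search possible.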

Page 27: Attain Clarity of your Security Posture with New Qradar Incident Forensics


IBM Security QRadar SIEM: web-based command console for Security Intelligence

• Delivers actionable insight focusing security teams on high probability incidents
  – Employs rules-based correlation of events, flows, assets, topologies, and vulnerabilities

• Detects and tracks malicious activity over extended time periods, helping uncover advanced threats often missed by other solutions
  – Consolidates ‘big data’ security incidents within purpose-built, federated database repository

• Provides anomaly detection to complement existing perimeter defenses
  – Calculates identity and application baseline profiles to assess abnormal conditions

“The average time to implement QRadar was 5.5 months versus 15.2 months (nearly 3X) for other market-leading competitor solutions.”

Source: Ponemon Institute LLC primary research, “IBM QRadar Evidence of Value”

Optimized threat analysis: a daily volume of 2,000,000,000 events, flows and incidents is automatically analyzed to find 20 – 25 potential offenses to investigate