Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

Jan 15, 2015

Andris Soroka

Presentation from "International Data Protection Day" IT Security seminary on 28th of January, 2014, organized by "Data Security Solutions", IBM Security Systems partner in the Baltic States.
Transcript
Page 1: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

SIEM – silver bullet to ITSEC

Data Security Solutions
Certified IBM Business Partner for IBM QRADAR Security Intelligence

Park Hotel Maritim, 28.01.2014

Page 2: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

“Data Security Solutions” specializes

Specialization – IT Security

IT Security consulting (vulnerability assessment tests, security audit, new systems integration, HR training, technical support)

Innovative & selected software / hardware & hybrid solutions from leading technology vendors from over 10 different countries

Page 3: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

Agenda

SIEM – Silver bullet to ITSEC

QRadar Security Intelligence

SIEM Use Cases

QRadar v.7.2 update & integrations

Page 4: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

SIEM – heart of your security system

Monitor events in real time.

Display a real-time view of activity.

Aggregate data.

Provide automated incident response.

Correlate data from multiple sources.

Send alerts and generate reports.

Security information includes log data generated from numerous sources, including antivirus software, intrusion-detection systems (IDS), intrusion-prevention systems (IPS), file systems, firewalls, routers, servers and switches.

Page 5: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

SIEM – SIM & SEM

Security event management (SEM), which provides real-time monitoring for security events;

Security information management (SIM), which provides log management and reporting for security-related events.

Page 6: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

Immediate Problems

The cost and complexity of purchasing and managing storage and monitoring systems

Difficulty accessing huge amounts of data

Limited ability to make queries against historic log data

Keeping pace with changing user behavior outside the control of IT (e.g., mobile computing and communication devices, and the pervasiveness of social media)

Loss of data fidelity

Page 7: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

Opportunities To Add New Capabilities

Deep, historical analysis of security events over long periods (years...not days)

Large-scale investigations to detect advanced persistent threats

More rapid response to compliance and regulatory inquiries

Establishing benchmarks for employee, contractor, supplier and partner behavior in regards to data access, and measuring variations from those benchmarks

Defining and implementing best practices for information security management and compliance reporting

Automated filtering of vast log data to isolate suspicious event patterns meriting manual investigation

Page 8: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

Goal of Next-generation SIEM

Log management

Compliance reporting

Real-time monitoring

Incident response

Forensic investigation

Figure: logs from Network, Servers, Databases and Homegrown Applications land in separate log silos, each with its own log tool for Identity Management, IT & Network Operations, Operational Security and Governance & Compliance; the result is a "Log Jam".

Page 9: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

QRadar Security Intelligence

Page 10: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

QRadar Family

• Turnkey log management

• SME to Enterprise

• Upgradeable to enterprise SIEM

• Integrated log, threat, risk & compliance mgmt.

• Sophisticated event analytics

• Asset profiling and flow analytics

• Offense management and workflow

• Predictive threat modeling & simulation

• Scalable configuration monitoring and audit

• Advanced threat visualization and impact analysis

• Network analytics

• Behavior and anomaly detection

• Fully integrated with SIEM

• Layer 7 application monitoring

• Content capture

• Physical and virtual environments

Figure: QRadar product areas: SIEM, Log Management, Risk Management, Network Activity & Anomaly Detection, Network and Application Visibility.

Page 11: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

QRadar All In One

Page 12: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

QRadar Distributed Deployment

Page 13: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

QRadar Security Intelligence

AppScan and QRadar Integration

Guardium and QRadar Integration

QRadar Risk Manager and SIEM

QRadar vulnerability manager

Other IBM Security Systems

Page 14: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

AppScan and QRadar Integration

AppScan® Enterprise offers advanced application security testing and risk management with a platform that drives governance, collaboration and security intelligence throughout the application lifecycle.

Page 15: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

Guardium and QRadar Integration

Guardium offers insight into both database activity on the network, such as data transfer, and also on local database and privileged user activity.

Page 16: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

QRadar Risk Manager and SIEM

QRadar Risk Manager adds many key proactive security intelligence capabilities designed to help IT security teams minimize network breaches by reducing their attack surfaces. Some specific abilities include:

Depicts network topology views; visualizes and assesses risk based on real-time threat environment, vulnerability posture, and network configurations

Identifies missing, weak, inefficient and unnecessary firewall rules and IPS signatures, reducing risk and improving firewall performance

Supports policy compliance for network traffic, topology and vulnerability exposures

Improves QRadar forensics including determination of offense root cause and visualization of offense attack paths

Collects firewall, switch, router and IPS/IDS configuration data, which when combined with discovery of network routes and neighbor information allows a network topology model to be created.

Page 17: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

QRadar Vulnerability Manager

QRadar Vulnerability Manager combines automated vulnerability scanning with a superior understanding of device configurations, network topology and traffic patterns to help security teams enact proactive protection measures in an optimal fashion.

Key integrations for QRadar Vulnerability Manager include:

QRadar Risk Manager

IBM Security SiteProtector System

X-Force threat intelligence feed

IBM Endpoint Manager

IBM Security AppScan

IBM InfoSphere Guardium Vulnerability Assessment

Page 18: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

SIEM Use Cases WordCloud

Page 19: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

SIEM Use Cases Definition

Requirements

Scope

Event Sources

Response

Page 20: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

Your Use Case

Build YOUR own use case!

React faster

Improve Efficiency

Automate Compliance

Page 21: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

Use Cases

Vulnerability Correlation

Suspicious Access Correlation

Flow and Event Combo Correlation

Botnet Application Identity

VMware Flow Analysis

Unidirectional Flows Detection

Vulnerability Reporting

Data Loss Prevention

Double Correlation

Policy and Insider Threat Intelligence (Social Media Use Case)

Page 22: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

Use Cases

Detecting Threats or Suspicious Changes in Behaviour

Preventative Alerting and Monitoring

Compliance Monitoring

Client-side vulnerability correlation

Excessive Failed Logins to Compliance Servers

Remote Access from Foreign Country Logons

Communication with Known Hostile Networks

Long Durations

Multi-Vector Attack

Device stopped sending Data (Out of Compliance)

Page 23: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

Social Media Intelligence

Problem:

Social media is an increasing threat to an organization's policies and network; company employees are the ones who are most likely to fall victim to social engineering based threats, and serve as entry points for Advanced Persistent Threats.

Solution: Social media Monitoring & Correlation in real-time:

QRadar’s real-time monitoring and correlation of hundreds of social media sites, such as Twitter, Facebook, Gmail, LinkedIn, etc., offers automated application aware insight and identifies social media-based threats by user and application.

Page 24: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

Social Media Intelligence

With QRadar, you can:

Identify all the source, destination and the actual corporate credit card number leaked.

With QRadar, you can:

Identify the user responsible for the data leak.

Page 25: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

Data Loss Prevention

Customer Requirement:

Customer wants to detect when an employee may be stealing customer contact info in preparation for leaving the company

Solution:

Baseline employee access to CRM

Detect deviations from norm: 1,000 transactions (access to customer records) vs normal 50 per day

BUT…what if the user is tech savvy or has a geek nephew, and makes a single SQL query to the back end database?

Profile network traffic between workstations and back-end database, or policy shouldn’t allow direct access to database from workstations
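The two detections this slide describes, as an added example that is not part of the presentation or of QRadar itself: a per-user baseline of CRM record accesses with a deviation check, and a flow check for workstations that bypass the application tier and talk to the database directly. The baseline figures, flow records, subnet and database addresses are constructed; the 50/day versus 1,000 numbers follow the slide.

```python
import ipaddress
from statistics import mean

# Constructed baseline: daily CRM customer-record accesses per user over ten
# working days, plus today's counts (alice's 1,000 mirrors the slide).
BASELINE = {
    "alice": [48, 52, 50, 47, 55, 49, 51, 50, 53, 45],
    "bob":   [20, 25, 18, 22, 21, 24, 19, 23, 20, 22],
}
TODAY = {"alice": 1000, "bob": 24}

# Constructed flow records (src_ip, dst_ip, dst_port) as a flow collector reports them.
FLOWS = [
    ("10.10.4.23", "10.30.1.10", 443),    # workstation -> CRM web front end (expected)
    ("10.30.1.10", "10.20.0.5", 1521),    # CRM app server -> Oracle (expected)
    ("10.10.4.23", "10.20.0.5", 1521),    # workstation -> Oracle directly (bypasses CRM)
]
WORKSTATIONS = ipaddress.ip_network("10.10.0.0/16")   # assumed workstation range
DB_SERVERS = {ipaddress.ip_address("10.20.0.5")}       # assumed back-end database
DB_PORTS = {1521, 1433, 3306}                          # Oracle, MSSQL, MySQL listeners


def crm_access_deviations(baseline, today, factor=5):
    """Flag users whose access count today exceeds factor x their baseline daily mean.

    Returns {user: (today_count, baseline_mean)} for the users that deviate.
    A user with no baseline history is skipped rather than guessed at.
    """
    deviations = {}
    for user, count in today.items():
        history = baseline.get(user)
        if not history:
            continue
        avg = mean(history)
        if count > factor * avg:
            deviations[user] = (count, avg)
    return deviations


def direct_db_access(flows, workstations=WORKSTATIONS, db_servers=DB_SERVERS, db_ports=DB_PORTS):
    """Return flows where a workstation reaches a database listener directly.

    Policy says workstations only reach the data through the CRM application
    tier, so any such flow is a violation worth an offense regardless of volume.
    """
    hits = []
    for src, dst, port in flows:
        if (ipaddress.ip_address(src) in workstations
                and ipaddress.ip_address(dst) in db_servers
                and port in db_ports):
            hits.append((src, dst, port))
    return hits
```

The second check is what catches the "single SQL query" case the slide raises, because one query never moves the access count but does produce a flow from the workstation subnet to the database port.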

Page 26: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

Data Loss Prevention

Potential Data Loss?

Who? What? Where?

Who? An internal user

What? Oracle data

Where? Gmail

Page 27: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

Inadvertent Wrongdoing

A/V Server trying to update the entire internet

Issue bubbled to the top of the offense manager immediately post-installation

Problem had existed for months, but was lost in firewall logs.

A/V clients were badly out of date.

Page 28: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

System Misconfiguration

QRadar reports remote sources scanning internal SQL servers

Firewall admin insists QRadar is incorrect – absolutely no inbound SQL traffic permitted.

But … months earlier user had requested access to SQL server from outside campus

Administrator fat-fingered the FW rule and unintentionally allowed SQL access to & from all hosts

Page 29: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

Teleportation

Customer Requirement:

Customer wanted to detect users that logged in from IP addresses in different locations simultaneously.

Solution:

Create rule to test for 2 or more logins from VPN or AD from different countries within 15 minutes

Can be extended to check for local login within corporate network and simultaneous remote login
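The 15-minute rule above, worked as an added example (not part of the presentation or of QRadar's rule engine). The login events are constructed; the location field stands in for the country a SIEM derives from the source IP, and, as the slide's extension suggests, an internal login is labelled "CORP-LAN" so that a local login followed by a remote one inside the window is caught the same way.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events after normalisation: (time, user, log source,
# location). Location is the geo-enriched country, or CORP-LAN for internal logins.
LOGINS = [
    ("2014-01-28T08:00:00", "alice", "VPN", "LV"),
    ("2014-01-28T08:09:00", "alice", "AD",  "BR"),        # 9 min later, other country
    ("2014-01-28T08:02:00", "bob",   "AD",  "LV"),
    ("2014-01-28T09:30:00", "bob",   "VPN", "LV"),        # same country: no offense
    ("2014-01-28T10:00:00", "carol", "AD",  "CORP-LAN"),
    ("2014-01-28T10:05:00", "carol", "VPN", "EE"),        # local + remote within 15 min
    ("2014-01-28T12:00:00", "dave",  "VPN", "DE"),
    ("2014-01-28T12:40:00", "dave",  "VPN", "LT"),        # 40 min apart: outside window
]


def detect_teleportation(events, window_minutes=15):
    """Return one offense per login that is followed, within the window, by a
    login of the same user from a different location."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ts, user, source, location in events:
        by_user[user].append((datetime.fromisoformat(ts), source, location))

    offenses = []
    for user, logins in by_user.items():
        logins.sort()  # events may arrive out of order from different log sources
        for i, (t0, src0, loc0) in enumerate(logins):
            for t1, src1, loc1 in logins[i + 1:]:
                if t1 - t0 > window:
                    break  # sorted, so nothing later can be inside the window
                if loc1 != loc0:
                    offenses.append({
                        "user": user,
                        "locations": (loc0, loc1),
                        "sources": (src0, src1),
                        "minutes_apart": (t1 - t0).total_seconds() / 60,
                    })
                    break  # one offense per anchoring login is enough
    return offenses
```

Widening the window to 60 minutes would also flag dave; the window is the main false-positive control, since legitimate users behind VPN concentrators or mobile carriers do change apparent country.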

Page 30: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

Purell for your VPN

Customer Requirement:

Customer wanted to detect when external systems over the VPN access sensitive servers

Customer was concerned that external systems could be infected / exploited through split tunneling and infect sensitive internal servers

Solution:

Use latest VA scan of user systems

Create BB of OSVDB IDs of concern

Detect when external systems with vulnerabilities access sensitive servers

Page 31: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

Uninvited Guests

Customer Requirement:

Wants to identify new systems attached to network. There are active wall jacks throughout building

Solution:

Set asset database retention to just beyond DHCP lease time (1-2 days); user out of office/on vacation, asset expires

New machine attaches, rule alerts

Flows for real-time detection: no other SIEM can do this

Can alert on VA import

In 7.0, can build up MAC list in reference sets (~2 wks), then alert when new MAC appears on network
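The reference-set approach from the last bullet, as an added example that is not part of the presentation or of QRadar: MAC addresses seen during a learning window are collected silently, and afterwards each previously unseen MAC raises one alert. The DHCP lease events are constructed; the approach assumes the network was clean during the learning window, since anything present then becomes "known".

```python
from datetime import datetime, timedelta

# Constructed DHCP lease events (time, MAC, assigned IP) as a DHCP log source
# would deliver them; the first two weeks serve as the learning period.
LEASES = [
    ("2014-01-01T08:00:00", "00:11:22:33:44:01", "10.10.4.21"),
    ("2014-01-01T08:05:00", "00:11:22:33:44:02", "10.10.4.22"),
    ("2014-01-07T09:00:00", "00:11:22:33:44:03", "10.10.4.23"),
    ("2014-01-10T09:00:00", "00:11:22:33:44:01", "10.10.4.21"),  # known, lease renewed
    ("2014-01-20T10:00:00", "00:11:22:33:44:02", "10.10.4.22"),  # known, after learning
    ("2014-01-28T11:30:00", "AA:BB:CC:DD:EE:FF", "10.10.4.99"),  # never seen: alert
    ("2014-01-28T12:00:00", "aa:bb:cc:dd:ee:ff", "10.10.4.99"),  # same device: no repeat
]


def new_mac_alerts(events, learning_days=14):
    """Populate a MAC reference set during the learning window, then alert once
    per MAC that is not in the set. Returns (alerts, reference_set)."""
    # Normalise MAC case so the same NIC is one entry however the source logs it.
    events = sorted((datetime.fromisoformat(ts), mac.lower(), ip) for ts, mac, ip in events)
    if not events:
        return [], set()
    learning_end = events[0][0] + timedelta(days=learning_days)

    known = set()
    alerts = []
    for ts, mac, ip in events:
        if ts <= learning_end:
            known.add(mac)  # learning phase: build the set, raise nothing
            continue
        if mac not in known:
            alerts.append({"time": ts.isoformat(), "mac": mac, "ip": ip})
            known.add(mac)  # add so the same device does not alert on every lease
    return alerts, known
```

An unknown MAC is a prompt to investigate, not proof of an intruder: the same logic fires for a legitimately replaced NIC or a new laptop, so pair it with the VA-import alert the slide mentions before acting.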

Page 32: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

Policy Violation / Resource Misuse

Customer Requirement:

Detect if there are P2P servers located in the Local Area Network

Page 33: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

Communication to known Bot C&C

Customer Requirement:

Detect if any internal system is communicating to a known Bot Command and Control

Page 34: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

Forensics of Administrative Changes

Customer Requirement:

New User account creation with administrative privileges

System registry change, Application Installed/Uninstalled

Password reset

Service started/stopped

Page 35: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

Vulnerability Overview

Customer Requirement:

Generate weekly report for Vulnerabilities

Page 36: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

Use Cases Summary

Identify the goal for each event correlation rule (and use case).

Determine the conditions for the alert.

Select the relevant data sources.

Test the rule.

Determine response strategies, and document them.

Page 37: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

QRadar v. 7.2 update

Enhanced asset and vulnerability functionality

Centralized license management

Multicultural support (languages)

Improved bar and pie charts on the Dashboard tab

Data obfuscation

Identity and Access Management (IAM) integration

Browser support

Java 7 support

1500+ reports

New “QRadar 2100 Light” appliance

Page 38: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

QRadar Vulnerability Scanner

Solution Highlights

Unique VA solution integrated with Security Intelligence context/data

Providing unified view of all vulnerability information

Dramatically improving actionable information through rich context

Reducing total cost of ownership through product consolidation

Figure: QRadar product stack: Log Manager, SIEM, Network Activity Monitor, Risk Manager, Vulnerability Manager (new).

Page 39: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

QRadar Vulnerability Manager Integration

New tab in QRadar

Two new deployable components:
- QVM Console: scan definitions, scan scheduling engine, scan results
- QVM Scanner

Third component hosted by IBM:
- Hosted Scanner, scans a customer's DMZ from the internet

Page 40: Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

QRadar 2100 All-In-One Light

This appliance is an all-in-one appliance that provides the abilities of the QRadar 2100 appliance

Supports 500 Events Per Second (EPS) instead of 1,000 EPS

Includes built-in QFlow collector for Layer 7 analysis

Upgradeable