IBM Security
IBM Security Intelligence
© 2013 IBM Corporation / © 2014 IBM Corporation
Speaker: Alfonso Ponticelli, Security QRadar Technical Sales, Italy
IBM Security Systems
What is Security Intelligence?

Security Intelligence
--noun
1. the real-time collection, normalization and analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise

Security Intelligence provides actionable and comprehensive insight for managing risks and threats, from protection and detection through remediation.
Solutions for the full Security Intelligence timeline (IBM Security Intelligence)
Built upon a common foundation of QRadar SIOS (IBM QRadar SIEM Platform)

Security Intelligence Solutions: QRadar SIEM, QRadar Risk Manager, QRadar QFlow and VFlow, QRadar Vulnerability Manager

Security Intelligence Operating System (SIOS) components: Normalization, Reporting Engine, Workflow, Rules Engine, Real-Time Viewer, Analytics Engine, Warehouse, Archival
Dynamic Threat Environment Requires Security Intelligence (IBM QRadar SIEM Platform)

Data sources (structured and unstructured data): servers and mainframes, network and virtual activity, data activity, security devices, application activity, configuration information, vulnerabilities and threats, users and identities, global threat intelligence

Embedded Intelligence:
• Automated data collection, asset discovery and profiling
• Automated, real-time, and integrated analytics
• Massive data reduction
• Activity baselining and anomaly detection
• Out-of-the-box rules and templates

Output: suspected incidents are reduced to highly prioritized security and operational incidents (automated offense identification).

Visibility across organizational security systems to improve response times and incorporate the adaptability/flexibility required for early detection of threats or risky behaviors.
And continually adding context for increased accuracy (IBM QRadar SIEM Platform)

Security Intelligence Feeds: Internet threats, geo location, vulnerabilities
Using a fully integrated architecture and interface (IBM QRadar Platform)
Continued journey towards Total Security Intelligence (IBM QRadar Security Intelligence)
Differentiated by network flow analytics (IBM QRadar Platform)

• Network traffic doesn't lie. Attackers can stop logging and erase their tracks, but can't cut off the network (flow data)
  - Deep packet inspection for Layer 7 flow data
  - Pivoting, drill-down and data mining on flow sources for advanced detection and forensics
• Helps detect anomalies that might otherwise get missed
• Enables visibility into attacker communications
QRadar Risk Manager: Visualize network, configurations and risks (IBM QRadar Risk Manager)

• Depicts network topology views and helps visualize current and alternative network traffic patterns
• Identifies active attack paths and assets at risk of exploit
• Collects network device configuration data to assess vulnerabilities and facilitate analysis and reporting
• Discovers firewall configuration errors and improves performance by eliminating ineffective rules
• Analyzes policy compliance for network traffic, topology and vulnerability exposures
Investigating offense attack path (IBM QRadar Risk Manager)

• Clicking the 'attack path' button for an offense performs a search showing the precise path (and all permutations) between the involved source and destination IPs
• Firewall rules enabling the attack path can then be quickly analyzed to understand the exposure
• Allows a "virtual patch" to be applied by quickly showing which firewall rules may be changed to immediately shut down the attack path, before patching or other configuration changes can typically be implemented
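The attack-path and "virtual patch" steps above, and the ineffective-rule detection from the previous slide, as an added worked example; this is constructed illustration code, not QRadar Risk Manager's implementation, and the firewall names, CIDRs and offense addresses are invented:

```python
import ipaddress
from dataclasses import dataclass
# Constructed example, not QRadar Risk Manager code: a first-match firewall policy
# model answering, for one offense, which rules along the path permit source ->
# destination and which to tighten as a "virtual patch"; also flags shadowed rules.
@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source CIDR
    dst: str      # destination CIDR
    ports: tuple  # inclusive destination port range (low, high)
    action: str   # "permit" or "deny"

    def matches(self, src_ip, dst_ip, port):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.ports[0] <= port <= self.ports[1])

def first_match(rules, src_ip, dst_ip, port):
    """First matching rule decides; no match is an implicit deny (None)."""
    return next((r for r in rules if r.matches(src_ip, dst_ip, port)), None)

def attack_path(path, src_ip, dst_ip, port):
    """Walk the firewalls between source and destination in order; stop at the
    first deny. Returns (reachable, [(firewall, deciding rule), ...])."""
    hops = []
    for fw_name, rules in path:
        rule = first_match(rules, src_ip, dst_ip, port)
        hops.append((fw_name, rule))
        if rule is None or rule.action == "deny":
            return False, hops
    return True, hops

def virtual_patch(hops):
    """Permit rules enabling the path: tightening any one of them closes it."""
    return [(fw, r.name) for fw, r in hops if r is not None and r.action == "permit"]

def shadowed_rules(rules):
    """Ineffective rules: fully covered by an earlier rule, so they never match."""
    net = ipaddress.ip_network
    return [(r.name, e.name) for i, r in enumerate(rules) for e in rules[:i]
            if net(r.src).subnet_of(net(e.src)) and net(r.dst).subnet_of(net(e.dst))
            and e.ports[0] <= r.ports[0] and r.ports[1] <= e.ports[1]]

# Constructed policy: an edge firewall, then an internal segment firewall.
EDGE = [Rule("edge-any-to-corp", "0.0.0.0/0", "10.10.0.0/16", (1, 65535), "permit"),
        Rule("edge-block-smb", "0.0.0.0/0", "10.10.5.0/24", (445, 445), "deny"),
        Rule("edge-deny-all", "0.0.0.0/0", "0.0.0.0/0", (1, 65535), "deny")]
INTERNAL = [Rule("fs-smb-legacy", "0.0.0.0/0", "10.10.5.20/32", (445, 445), "permit"),
            Rule("int-deny-all", "0.0.0.0/0", "0.0.0.0/0", (1, 65535), "deny")]
PATH = [("fw-edge", EDGE), ("fw-internal", INTERNAL)]
```

For the constructed offense 203.0.113.10 to 10.10.5.20 on port 445, `attack_path` reports the path as open through `edge-any-to-corp` and `fs-smb-legacy`, `virtual_patch` names those two rules as the candidates to tighten, and `shadowed_rules(EDGE)` shows that `edge-block-smb` is never reached because the broad permit precedes it.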
Strengthened by integrated vulnerability insights (IBM QRadar Vulnerability Manager)
QVM enables customers to interpret the 'sea' of vulnerabilities (IBM QRadar Vulnerability Manager)
QRadar Security Intelligence easily grows with your needs (IBM QRadar Security Intelligence)

• QRadar SIEM
  - Additional security telemetry data
  - Rules-based correlation analysis engine
  - Data overload reduction 'magic' compressing millions or even billions of daily raw events to a manageable list of issues
• Add QRadar Risk Manager
  - Enables pre-exploit configuration investigations
  - Simplifies security policy reviews for compliance tests
  - Provides network topology depictions and permits attack simulations
• Implement QRadar Vulnerability Manager
  - Extends pre-exploit analysis; adds integrated vulnerability insights
  - Reduces the magnitude of pre-exploit conditions as QRadar SIEM does for post-exploit conditions
  - Helps identify and measure exposures to external threats
• Inject IBM X-Force Threat Research Intelligence
  - Provides an intelligence feed to QRadar
  - Includes vulnerabilities, IP reputations, malware reports
QRadar Incident Forensics Module Overview (IBM QRadar Incident Forensics)

• Seamlessly integrated with Security Intelligence incident detection and workflow processes
• Full packet capture for complete insight and incident forensics
• Deep packet inspection, analytics and searching enabling powerful and intuitive forensics
• Providing a unified view of all flow, user, event, and forensic information
Offering Overview

| Family | Product | Appliance | Virtual Appliance | Software |
| SIEM | All-in-One | 2100 Light 3 / 2100 / 3105 / 3124 | 3190 | 21XX Light 3 / 21XX / 31XX |
| SIEM | Console | 3105 / 3124 | 3190 | 31XX |
| SIEM | Event Processor | 1605 / 1624 | 1690 | 16XX |
| SIEM | Flow Processor | 1705 / 1724 | 1790 | 17XX |
| SIEM | Combo Event/Flow Processor | 1805 | | 18XX |
| SIEM | Event Collector 5 | 1501 | 1590 | 15XX 2 |
| SIEM | QFlow Collector | 1201 / 1202 / 1301 / 1310 | VFlow / 1290 | 12XX |
| Log Manager | All-in-1 | 2100 / 3105 / 3124 | 3190 | 21XX / 31XX 1 |
| Log Manager | Console | 3105 / 3124 | 3190 | 31XX 1 |
| Log Manager | Event Processor | 1605 / 1624 | 1690 | 16XX 1 |
| QNAD | QNAD | QNAD | QNAD | |
| Risk Manager | QRM | QRM / QRM Light 4 | QRM VM 3 / QRM Light VM 4 | QRM SW 3 / QRM Light SW 4 |
| Vulnerability Manager | QVM | QVM 3 | QVM VM 3 | QVM SW 3 |

(The trailing digits 1 to 5 after some entries are footnote markers from the slide; the footnote text is not part of the extracted page.)