QRadar SIEM Overview

IBM Security Systems

IBM Security QRadar SIEM Product Overview

Alex Kioni IBM Security Systems Technical Technical Consultant


The importa importance nce of integ integrate rated, d, all source analysis cannot be overstated. Without it, it is not possible to "connect the dots." No one component holds all the relevant information. (9/11 Commission)


The importa importance nce of integ integrate rated, d, all source analysis cannot be overstated. Without it, it is not possible to "connect the dots." No one component holds all the relevant information. (9/11 Commission)


QRadar Family Intelligent, Integrated, Automated QRadar Log Manager

QRadar SIEM

QRadar QFlow

QRadar VFlow

QRadar Risk Manager

Vulnerability Manager

Security Intelligence Operating System

Providing complete network and security intelligence, delivered simply, for any customer


Fully Integrated Security Intelligence Log Management

SIEM

Configuration & Vulnerability Management

Network Activity & Anomaly Detection

Network and Application Visibility

• Turn-key log management and reporting • SME to Enterprise • Upgradeable to enterprise SIEM

• Log, flow, vulnerability & identity correlation • Sophisticated asset profiling • Offense management and workflow

• Network security configuration monitoring • Vulnerability prioritization • Predictive threat modeling & simulation

• Network analytics • Behavioral anomaly detection • Fully integrated in SIEM

• Layer 7 application monitoring • Content capture for deep insight & forensics • Physical and virtual environments


Security Intelligence Product Offerings Product

Description

QRadar SIEM

QRadar SIEM provides extensive visibility and actionable insight to help protect networks and IT assets from a wide range of advanced threats. It helps detect and remediate breaches faster, address compliance, and improve the efficiency of security operations.

QRadar Log Manager

QRadar Log Manager collects, archives, analyzes and reports on events across a distributed network. It helps address regulatory and policy compliance, while reducing manual compliance and reporting activities.

QRadar QFlow QRadar VFlow

QRadar QFlow complements QRadar SIEM by providing deep content visibility. It gathers Layer 7 flow data via deep packet inspection, enabling advanced threat detection through analysis of packet content. QRadar VFlow provides content visibility into virtual network traffic, delivering comparable functionality to QRadar QFlow but for virtual environments.

QRadar Risk Manager

QRadar Risk Manager identifies and reduces security risks through device configuration monitoring, vulnerability prioritization, and threat simulation and visualization. It can help prevent many security breaches while improving operational efficiency and compliance.


Fully Integrated Security Intelligence Log Management

SIEM

Configuration & Vulnerability Management

Network Activity & Anomaly Detection

Network and Application Visibility

• Turn-key log management and reporting • SME to Enterprise • Upgradeable to enterprise SIEM

One Console Security

• Log, flow, vulnerability & identity correlation • Sophisticated asset profiling • Offense management and workflow

• Network security configuration monitoring • Vulnerability prioritization • Predictive threat modeling & simulation

• Network analytics • Behavioral anomaly detection • Fully integrated in SIEM

• Layer 7 application monitoring • Content capture for deep insight & forensics • Physical and virtual environments

Built on a Single Data Architecture


QRadar SIEM Overview QRadar SIEM provides full visibility and actionable insight to protect networks and IT assets from a wide range of advanced threats, while meeting critical compliance mandates. Key Capabilities: • Sophisticated correlation of events, flows, assets, topologies, vulnerabilities and external data to identify & prioritize threats • Network flow capture and analysis for deep application insight • Workflow management to fully track threats and ensure resolution • Scalable architecture to support the largest deployments


Context and Correlation Drive Deepest Insight

Security Devices Servers & Mainframes

True Offense

Event Correlation Network & Virtual Activity

• Logs • Flows

• IP Reputation • Geo Location

Offense Identification

Data Activity

Activity Baselining & Anomaly Detection

Application Activity

• • • •

Configuration Info Vulnerability & Threat

User Activity Database Activity Application Activity Network Activity

Suspected Incidents

Users & Identities

Extensive Data Sources

• Credibility • Severity • Relevance

+

Deep Intelligence

=

Exceptionally Accurate and Actionable Insight


QRadar SIEM Benefits Reduce the risk and severity of security breaches Remediate security incidents faster and more thoroughly Ensure regulatory and internal policy compliance Reduce manual effort of security intelligence operations


QRadar SIEM Key Advantages • Real-time activity correlation based on advanced inmemory technology and widest set of contextual data • Flow capture and analysis that delivers Layer 7 content visibility and supports deep forensic examination • Intelligent incident analysis that reduces false positives and manual effort • Unique combination of fast free-text search and analysis of normalized data • Scalability for world s largest deployments, using an embedded database and unified data architecture ’


QRadar s Unique Advantages ’

!

Real-time correlation and anomaly detection based on broadest set of contextual data "

!

Integrated flow analytics with Layer 7 content (application) visibility "

!

Impact: Reduced manual effort, fast time to value, lower-cost operation

Flexibility and ease of use enabling mere mortals to create and edit correlation rules, reports and dashboards “

" !

Impact: Superior situational awareness and threat identification

Intelligent automation of data collection, asset discovery, asset profiling and more "

!

Impact: More accurate threat detection, in real-time

”

Impact: Maximum insight, business agility and lower cost of ownership

Scalability for largest deployments, using an embedded database and unified data architecture "

Impact: QRadar supports your business needs at any scale


QRadar SIEM Market Success •

Leader in Gartner SIEM Magic Quadrant

“

”

• Ranked #1 product for Compliance needs by Gartner • Only SIEM product that incorporates network behavior anomaly detection (NBAD) • Industry awards include: • Global Excellence in Surveillance Award from InfoSecurity Products Guide •

Hot Pick by Information Security magazine

“

”

• GovernmentVAR 5-Star Award


QRadar SIEM Product Tour: Integrated Console • Single browser-based UI • Role-based access to information & functions • Customizable dashboards (work spaces) per user • Real-time & historical visibility and reporting • Advanced data mining and drill down • Easy to use rules engine with out-of-the-box security intelligence


QRadar SIEM Product Tour: Data Reduction & Prioritization Previous 24hr period of network and security activity (2.7M logs) QRadar correlation & analysis of data creates offenses (129) Offenses are a complete history of a threat or violation with full context about accompanying network, asset and user identity information Offenses are further prioritized by business impact


QRadar SIEM Product Tour: Intelligent Offense Scoring QRadar judges magnitude of offenses: “

”

• Credibility: A false positive or true positive? • Severity: Alarm level contrasted with target vulnerability • Relevance: Priority according to asset or network value Priorities can change over time based on situational awareness


QRadar SIEM Product Tour: Offense Management Clear, concise and comprehensive delivery of relevant information: What was the attack? Was it successful?

Who was responsible ? Where do I find them? How many targets involved? Are any of them vulnerable? Where is all the evidence?

How valuable are the targets to the business?


QRadar SIEM Product Tour: Out-of-the-Box Rules & Searches Default log queries/views 1000 s of real-time correlation rules and analysis tests ’

100 s of out-of-the-box searches and views of network activity and log data ’

#Provides

quick access to critical information

Custom log fields #

Provides flexibility to extract log data for searching, reporting and dashboards. Product ships with dozens of pre-defined fields for common devices.


QRadar SIEM Product Tour: Flows for Network Intelligence • • • • •

Detection of day-zero attacks that have no signature Policy monitoring and rogue server detection Visibility into all attacker communication Passive flow monitoring builds asset profiles & auto-classifies hosts Network visibility and problem solving (not just security related)


QRadar SIEM Product Tour: Flows for Application Visibility • Flow collection from native infrastructure • Layer 7 data collection and analysis • Full pivoting, drill down and data mining on flow sources for advanced detection and forensic examination • Visibility and alerting according to rule/policy, threshold, behavior or anomaly conditions across network and log activity


QRadar SIEM Product Tour: Compliance Rules and Reports • Out-of-the-box templates for specific regulations and best practices: •

COBIT, SOX, GLBA, NERC, FISMA, PCI, HIPAA, UK GCSx

• Easily modified to include new definitions • Extensible to include new regulations and best practices • Can leverage existing correlation rules


QRadar SIEM Use Cases QRadar SIEM excels at the most challenging use cases: Complex threat detection Malicious activity identification User activity monitoring Compliance monitoring Fraud detection and data loss prevention Network and asset discovery


QRadar SIEM Use Case: Complex Threat Detection Problem Statement

Required Visibility

• Finding the single needle in the needle stack

• Normalized event data

‘

’

• Connecting patterns across many data silos and huge volumes of information • Prioritizing attack severity against target value and relevance • Understanding the impact of the threat

• Asset knowledge • Vulnerability context • Network telemetry


QRadar SIEM Use Case: Complex Threat Detection Sounds Nasty… But how do we know this? The evidence is a single click away.

Network Scan

Buffer Overflow

Detected by QFlow

Exploit attempt seen by Snort

Targeted Host Vulnerable Detected by Nessus

Total Security Intelligence Convergence of Network, Event and Vulnerability data


QRadar SIEM Use Case: Malicious Activity Identification Problem Statement

Required Visibility

• Distributed infrastructure

• Distributed detection sensors

• Security blind spots in the network

• Pervasive visibility across enterprise

• Malicious activity that promiscuously seeks targets of opportunity

• Application layer knowledge

‘

’

• Application layer threats and vulnerabilities • Siloed security telemetry • Incomplete forensics

• Content capture for impact analysis


QRadar SIEM Use Case: Malicious Activity Identification Potential Botnet Detected? This is as far as traditional SIEM can go.

IRC on port 80? QFlow enables detection of a covert channel.

Irrefutable Botnet Communication Layer 7 data contains botnet command and control instructions.


QRadar SIEM Use Case: User Activity Monitoring Problem Statement

Required Visibility

• Monitoring of privileged and non-privileged users

• Centralized logging and intelligent normalization

• Isolating Stupid user tricks from malicious account activity

• Correlation of IAM information with machine and IP addresses

‘

’

• Associating users with machines and IP addresses • Normalizing account and user information across diverse platforms

• Automated rules and alerts focused on user activity monitoring


QRadar SIEM Use Case: User Activity Monitoring Authentication Failures Perhaps a user who forgot his/her password?

Brute Force Password Attack Numerous failed login attempts against different user accounts

Host Compromised All this followed by a successful login. Automatically detected, no custom tuning required.


QRadar SIEM Use Case: Compliance Monitoring Problem Statement

Required Visibility

• Validating your monitoring efforts against compliance requirements

• Application layer visibility

• Ensuring that compliance goals align with security goals • Logs alone don t meet compliance standards ’

• Visibility into network segments where logging is problematic


QRadar SIEM Use Case: Compliance Monitoring PCI Compliance at Risk?

Unencrypted Traffic Compliance Simplified Out of the box support for all major compliance and regulatory standards.

QFlow saw a cleartext service running on the Accounting server. PCI Requirement 4 states: Encrypt transmission of cardholder data across open, public networks


QRadar SIEM Use Case: Fraud & Data Loss Prevention Problem Statement

Required Visibility

• Validating your monitoring efforts against compliance requirements

• Application layer visibility

• Ensuring that compliance goals align with security goals • Logs alone don t meet compliance standards ’

• Visibility into network segments where logging is problematic


QRadar SIEM Use Case: Fraud & Data Loss Prevention Potential Data Loss? Who? What? Where?

Who? An internal user

What? Oracle data

Where? Gmail


QRadar SIEM Use Case: Network and Asset Discovery Problem Statement

Required Capability

• Integration of asset information into security monitoring products is labor intensive

• Real-time knowledge of all assets on a network

• Assets you don t know about pose the greatest risk ’

• Asset discovery and classification is a key tenet of many compliance regulations • False positive noise jeopardizes effectiveness of a SIEM solution

• Visibility into asset communication patterns • Classification of asset types • Tight integration into predefined rules


QRadar SIEM Use Case: Network and Asset Discovery Creates host profiles as network activity is seen to/from

Identifies services and ports on hosts by watching network activity

Identifies & classifies server infrastructure based on these asset profiles

Rules can fire when new assets and services come online Enabled by


QRadar SIEM Case Study: Fortune 500 Defense Company Customer

• Fortune 500 defense and aerospace systems company • 70,000 employees worldwide

Business Challenge

• Protect a complex, geographically dispersed network from advanced threats • Provide scalability for massive event volumes

Q1 Labs Solution

• 40 QRadar appliances, architected to support 70,000 EPS (6 billion events per day), with bursts over 100,000 EPS. • 4,000 devices being logged • Aggregation of all NetFlow data combined with application layer analysis from QFlow in critical data centers • 24x7 SOC support for 20 security operations specialists • Data analysis focused on detection of advanced persistent threats, malware and out-of-policy behavior


QRadar SIEM Case Study: $100B US Manufacturer Customer

• $100B private US manufacturer (Fortune 10 equivalent) • 125,000+ employees in 65 countries • One of the world s largest SAP deployments ’

Business Challenge

• Enhance security and risk posture across thousands of devices and resources, spanning hundreds of locations • Support extremely high event volumes

Q1 Labs Solution

• More than 40 QRadar appliances deployed • Forming a single federated solution covering IDS/IPS, wireless, IAM, databases, servers, core switches and more • Monitors SAP and SCADA systems across 1,000 plant locations • Deployment seamlessly spans security, network, applications and operations teams


QRadar SIEM Case Study: Fortune 5 Energy Company Customer

Business Challenge

• Fortune 5 energy company • 50,000+ employees worldwide • Ensure compliance with PCI-DSS, NERC and numerous regulations in other countries • Monitor and make sense of 2 billion log events daily

Q1 Labs Solution

• 30 QRadar systems deployed globally as a federated solution • Identify 25-50 high priority offenses out of 2 billion daily events • Protect 10,000 network devices, 10,000 servers and 80,000 user endpoints • Monitor 6 million card swipes per day for PCI compliance • Ensure security of SCADA systems for NERC compliance


QRadar SIEM – Intelligent, Integrated and Automated • Intelligent offense management • Layer 7 application visibility • Identifies most critical anomalies

• Distributed architecture • Highly scalable • Analyze logs, flows, assets and more

• Easy deployment • Rapid time to value • Operational efficiency


QRadar SIEM Summary

QRadar SIEM delivers full visibility and actionable insight for Total Security Intelligence.

Deepest Content Insight

Broadest Correlation

Greatest Scalability

Providing complete network and security intelligence, delivered simply, for any customer

QRadar SIEM Overview

Recommend Documents