IBM Security
IBM Security Systems
What is Security Intelligence?
Security Intelligence (noun)
1. The real-time collection, normalization and analytics of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise.
Security Intelligence provides actionable and comprehensive insight for managing risks and threats, from protection and detection through remediation.
Security Intelligence
Security Intelligence & Business Intelligence offer insightful parallels
[Figure: two product timelines plotted against "Market Changes" (vertical axis) and "Time" (horizontal axis)]
IBM Security Intelligence track: DASCOM; Managed Security Services; Mainframe and Server Security - RACF; SOA Security; Network Intrusion Prevention; Database Monitoring; Identity and Access Management; Application Security; Security as a Service; Compliance Management; Security Intelligence
IBM Business Intelligence track: Enterprise Reporting; Performance Management Platform; Business Intelligence Suite; IOD Business Optimization; BI Convergence with Collaboration; Text & Social Media Analytics; Simplified Delivery (i.e., Cloud); Predictive Analytics; Decision Management; BI Convergence with Security
Security Intelligence & the "Why More Context"
"Organizations are failing at early breach detection, with more than 85% of breaches undetected by the breached organization.* (...) It is the combination of real-time security monitoring, context (threat, vulnerability, user, asset, data and application) and 'smart eyeballs' on daily activity reports that will improve your chances of early breach detection beyond the current 15% success rate."
Gartner, "Using SIEM for Targeted Attack Detection" (March 2012)
Solutions for the full Security Intelligence timeline
Prediction & Prevention (What are the external and internal threats? Are we configured to protect against these threats?)
• Risk Management. Vulnerability Management.
• Configuration and Patch Management.
• X-Force Research and Threat Intelligence.
• Compliance Management.
• Reporting and Scorecards.
Reaction & Remediation (What is happening right now? What was the impact?)
• Network and Host Intrusion Prevention.
• Network Anomaly Detection. Packet Forensics.
• Database Activity Monitoring. Data Leak Prevention.
• Security Information and Event Management.
• Log Management. Incident Response.
IBM Security Intelligence
Built upon common foundation of QRadar SIOS
[Architecture diagram: the Security Intelligence Solutions (QRadar Log Manager, QRadar SIEM, QRadar Risk Manager, QRadar QFlow and VFlow, QRadar Vulnerability Manager) run on the Security Intelligence Operating System (SIOS), which provides Normalization, Reporting Engine, Workflow, Rules Engine, Real-Time Viewer, Analytics Engine, Warehouse and Archival]
IBM QRadar Platform
And continually adding context for increased accuracy
Security Intelligence Feeds: Internet Threats, Geo Location, Vulnerabilities
Deployed upon scalable appliance architecture
SIEM
• Log, flow, vulnerability & identity correlation
• Sophisticated asset profiling
• Offense management and workflow
Log Management
• Turn-key log management and reporting
• SME to Enterprise
• Upgradeable to enterprise SIEM
Network Activity & Anomaly Detection
• Network analytics
• Behavioral anomaly detection
• Fully integrated in SIEM
Network and Application Visibility
• Layer 7 application monitoring
• Content capture for deep insight & forensics
• Physical and virtual environments
Configuration & Vulnerability Management
• Network security configuration monitoring
• Vulnerability scanning & prioritization
• Predictive threat modeling & simulation
Scale
• Event Processors
• Network Activity Processors
• High Availability & Disaster Recovery
• Stackable Expansion
Using fully integrated architecture and interface
One Console Security, built on a Single Data Architecture:
• SIEM: log, flow, vulnerability & identity correlation; sophisticated asset profiling; offense management and workflow
• Log Management: turn-key log management and reporting; SME to Enterprise; upgradeable to enterprise SIEM
• Configuration & Vulnerability Management: network security configuration monitoring; vulnerability prioritization; predictive threat modeling & simulation
• Network Activity & Anomaly Detection: network analytics; behavioral anomaly detection; fully integrated in SIEM
• Network and Application Visibility: Layer 7 application monitoring; content capture for deep insight & forensics; physical and virtual environments
Differentiated by network flow analytics
Network traffic doesn't lie. Attackers can stop logging and erase their tracks, but can't cut off the network (flow data).
• Deep packet inspection for Layer 7 flow data
• Pivoting, drill-down and data mining on flow sources for advanced detection and forensics
• Helps detect anomalies that might otherwise get missed
• Enables visibility into attacker communications
Continued journey towards Total Security Intelligence
IBM QRadar SIEM
QRadar SIEM: Command console for Security Intelligence
• Provides full visibility and actionable insight to protect against advanced threats
• Adds network flow capture and analysis for deep application insight
• Employs sophisticated correlation of events, flows, assets, topologies, vulnerabilities and external data to identify and prioritize threats
• Contains workflow management to fully track threats and ensure resolution
• Uses scalable hardware, software and virtual appliance architecture to support the largest deployments
Flows provide context for true network intelligence
• Helps detect zero-day attacks that have no signature
• Enables policy monitoring and rogue server identification
• Provides visibility into all attacker communications
• Uses passive monitoring to build asset profiles and classify hosts
• Improves network visibility and helps resolve traffic problems
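The two flow slides above make three concrete claims: servers can be profiled passively from who talks to them, hosts serving something the asset profile does not sanction can be flagged as rogue, and a host that has stopped sending logs still shows up in flow data. The block below is an added example written for this page, not QFlow or QRadar code. It runs those three checks over a handful of constructed flow records; the record layout, the approved-service table, the two-client threshold for calling a port a service, and the one-hour silence window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2013, 5, 1, 12, 0, 0)  # constructed reference time for the examples

# Constructed flow records (not captured traffic): (timestamp, src_ip, dst_ip, proto, dst_port, bytes)
FLOWS = [
    (NOW - timedelta(minutes=50), "10.0.0.5", "10.0.1.10", "tcp", 443, 5120),
    (NOW - timedelta(minutes=45), "10.0.0.6", "10.0.1.10", "tcp", 443, 7300),
    (NOW - timedelta(minutes=40), "10.0.0.7", "10.0.1.10", "tcp", 443, 2200),
    (NOW - timedelta(minutes=35), "10.0.0.5", "10.0.1.20", "tcp", 22, 900),
    (NOW - timedelta(minutes=30), "10.0.0.8", "10.0.1.20", "tcp", 22, 1100),
    (NOW - timedelta(minutes=25), "10.0.0.6", "10.0.1.30", "tcp", 8080, 4000),
    (NOW - timedelta(minutes=20), "10.0.0.7", "10.0.1.30", "tcp", 8080, 3900),
    (NOW - timedelta(minutes=15), "10.0.0.9", "10.0.1.10", "tcp", 3389, 600),
    (NOW - timedelta(minutes=10), "10.0.1.20", "10.0.1.10", "tcp", 443, 800),
]

# Constructed asset profile maintained by the security team: host -> approved (proto, port) services
APPROVED_SERVICES = {
    "10.0.1.10": {("tcp", 443)},
    "10.0.1.20": {("tcp", 22)},
    "10.0.1.30": set(),  # a workstation: it should not serve anything
}

# Constructed log-source status: host -> time of the last event received from it
LAST_LOG_EVENT = {
    "10.0.0.5": NOW - timedelta(minutes=5),
    "10.0.0.6": NOW - timedelta(minutes=2),
    "10.0.0.7": NOW - timedelta(hours=3),  # went quiet, yet is still active on the network
    "10.0.0.8": NOW - timedelta(minutes=1),
    "10.0.0.9": NOW - timedelta(minutes=1),
    "10.0.1.10": NOW - timedelta(minutes=1),
    "10.0.1.20": NOW - timedelta(minutes=10),
    # 10.0.1.30 has no log source configured at all
}

MIN_CLIENTS = 2  # assumed threshold: a port contacted by >= 2 distinct clients is treated as a service


def build_asset_profile(flows, min_clients=MIN_CLIENTS):
    """Passively infer which hosts serve which (proto, port) from the clients that reach them."""
    clients = defaultdict(set)
    for _ts, src, dst, proto, dport, _nbytes in flows:
        clients[(dst, proto, dport)].add(src)
    profile = defaultdict(set)
    for (host, proto, dport), srcs in clients.items():
        if len(srcs) >= min_clients:
            profile[host].add((proto, dport))
    return dict(profile)


def rogue_servers(profile, approved):
    """Services observed on the wire that the approved asset profile does not sanction."""
    findings = []
    for host, services in sorted(profile.items()):
        for proto, port in sorted(services - approved.get(host, set())):
            findings.append((host, proto, port))
    return findings


def logging_gaps(flows, last_log_event, now=NOW, max_silence=timedelta(hours=1)):
    """Hosts active in flow data whose log feed is missing or has gone silent for too long."""
    active = {f[1] for f in flows} | {f[2] for f in flows}
    gaps = {}
    for host in sorted(active):
        last = last_log_event.get(host)
        if last is None:
            gaps[host] = "no log source"
        elif now - last > max_silence:
            gaps[host] = "silent for %s" % (now - last)
    return gaps


if __name__ == "__main__":
    profile = build_asset_profile(FLOWS)
    print("passive asset profile:", profile)
    print("rogue servers:", rogue_servers(profile, APPROVED_SERVICES))
    print("logging gaps:", logging_gaps(FLOWS, LAST_LOG_EVENT))
```

On the constructed data the profile records 10.0.1.30 serving tcp/8080 to two clients even though it is approved to serve nothing, so it is reported as a rogue server; the single RDP connection to 10.0.1.10 stays below the client threshold and is not promoted to a service. The logging check flags 10.0.0.7, which still generates flows while its last event is three hours old, and 10.0.1.30, which never had a log source, which is the gap an attacker who disables logging would leave.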
IBM QRadar Risk Manager
QRadar Risk Manager: Visualize network, configurations and risks
• Depicts network topology views and helps visualize current and alternative network traffic patterns
• Identifies active attack paths and assets at risk of exploit
• Collects network device configuration data to assess vulnerabilities and facilitate analysis and reporting
• Discovers firewall configuration errors and improves performance by eliminating ineffective rules
• Analyzes policy compliance for network traffic, topology and vulnerability exposures
Investigating offense attack path
• Clicking the 'attack path' button for an offense performs a search showing the precise path (and all permutations) between the involved source and destination IPs
• Firewall rules enabling the attack path can then be quickly analyzed to understand the exposure
• Allows a "virtual patch" to be applied by quickly showing which firewall rules may be changed to immediately shut down the attack path, before patching or other configuration changes can typically be implemented
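The attack-path investigation described above comes down to three steps: enumerate every path between the source and destination zones, evaluate the offense's flow against the ordered rule set of each firewall on each path, and collect the rules that let an open path through as the "virtual patch" candidates. The following is an added example written for this page, not QRadar Risk Manager code; the zones, links, firewall names and rules are constructed (203.0.113.0/24 is a documentation range standing in for the internet), and first-match-wins with an implicit deny is an assumed firewall semantic.

```python
import ipaddress
from collections import defaultdict, namedtuple

# A firewall rule; rules are evaluated in order, first match wins, no match means implicit deny.
Rule = namedtuple("Rule", "name action src dst proto ports")  # ports = (low, high)

# Constructed zones and their address ranges.
ZONES = {
    "internet": "203.0.113.0/24",
    "dmz": "10.0.1.0/24",
    "app": "10.0.2.0/24",
    "db": "10.0.3.0/24",
}

# Constructed links between zones and the firewall that filters traffic on each link.
LINKS = [
    ("internet", "dmz", "fw-edge"),
    ("dmz", "app", "fw-core"),
    ("app", "db", "fw-core"),
    ("dmz", "db", "fw-mgmt"),
]

ANY = "0.0.0.0/0"
FIREWALLS = {  # constructed rule sets, deliberately containing two overly broad rules
    "fw-edge": [
        Rule("edge-web-in", "allow", ANY, "10.0.1.0/24", "tcp", (443, 443)),
        Rule("edge-temp-sql", "allow", ANY, ANY, "tcp", (1433, 1433)),  # forgotten "temporary" rule
        Rule("edge-deny-all", "deny", ANY, ANY, "any", (0, 65535)),
    ],
    "fw-core": [
        Rule("core-db-any", "allow", ANY, "10.0.3.0/24", "tcp", (1433, 1433)),  # source far too broad
        Rule("core-app-web", "allow", "10.0.1.0/24", "10.0.2.0/24", "tcp", (8443, 8443)),
        Rule("core-deny-all", "deny", ANY, ANY, "any", (0, 65535)),
    ],
    "fw-mgmt": [
        Rule("mgmt-dmz-db", "allow", "10.0.1.0/24", "10.0.3.0/24", "tcp", (1433, 1433)),
        Rule("mgmt-deny-all", "deny", ANY, ANY, "any", (0, 65535)),
    ],
}


def rule_matches(rule, src_ip, dst_ip, proto, dport):
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.ports[0] <= dport <= rule.ports[1])


def first_match(rules, src_ip, dst_ip, proto, dport):
    """Return the first rule matching the flow, or None for the implicit deny."""
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip, proto, dport):
            return rule
    return None


def zone_of(ip, zones=ZONES):
    """Most specific zone whose CIDR contains the address (None if no zone does)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for zone, cidr in zones.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[1]):
            best = (zone, net.prefixlen)
    return best[0] if best else None


def build_graph(links):
    graph = defaultdict(list)
    for a, b, fw in links:
        graph[a].append((b, fw))
        graph[b].append((a, fw))
    return graph


def all_paths(graph, start, goal, visited=None):
    """Every loop-free path from start to goal as a list of (from_zone, firewall, to_zone) hops."""
    visited = visited or [start]
    if start == goal:
        return [[]]
    paths = []
    for nxt, fw in graph[start]:
        if nxt in visited:
            continue
        for rest in all_paths(graph, nxt, goal, visited + [nxt]):
            paths.append([(start, fw, nxt)] + rest)
    return paths


def attack_paths(src_ip, dst_ip, proto, dport, links=LINKS, firewalls=FIREWALLS):
    """Evaluate the offense's flow against every firewall on every path between the two zones."""
    src_zone = zone_of(src_ip)
    results = []
    for hops in all_paths(build_graph(links), src_zone, zone_of(dst_ip)):
        verdicts, is_open = [], True
        for _from, fw, _to in hops:
            rule = first_match(firewalls[fw], src_ip, dst_ip, proto, dport)
            verdicts.append((fw, rule.name if rule else "implicit-deny"))
            if rule is None or rule.action != "allow":
                is_open = False
                break  # the flow is dropped here; later hops are never reached
        zones = [src_zone] + [hop[2] for hop in hops]
        results.append({"zones": zones, "open": is_open, "hops": verdicts})
    return sorted(results, key=lambda r: r["zones"])


def virtual_patch_candidates(results):
    """Rules currently permitting an open path; tightening any one of them closes that hop."""
    return sorted({hop for r in results if r["open"] for hop in r["hops"]})


if __name__ == "__main__":
    # Constructed offense: an internet host reaching a database server on tcp/1433
    paths = attack_paths("203.0.113.7", "10.0.3.15", "tcp", 1433)
    for p in paths:
        print(" -> ".join(p["zones"]), "OPEN" if p["open"] else "blocked", p["hops"])
    print("virtual patch candidates:", virtual_patch_candidates(paths))
```

For the constructed offense the direct path through fw-mgmt is blocked by its final deny, but the longer path through the application zone is open because fw-edge's stale rule and fw-core's any-source rule both permit tcp/1433; those two rules are the ones a virtual patch would tighten while the database host waits for its real patch.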
IBM QRadar Vulnerability Manager
Strengthened by integrated vulnerability insights
With existing vulnerability management tools, questions remain:
• Has that been patched?
• Has it been exploited?
• Is it likely to be exploited?
• Does my firewall block it?
• Does my IPS block it?
• Does it matter?
QRadar Vulnerability Manager, through Security Intelligence integration:
• Improves visibility – intelligent, event-driven scanning, asset discovery, asset profiling and more
• Reduces data load – bringing rich context to Vulnerability Management
• Breaks down silos – leveraging all QRadar integrations and data; unified vulnerability view across all products
Answers delivered:
• Real-time scanning
• Early warning capabilities
• Advanced pivoting and filtering
QVM enables customers to interpret a 'sea' of vulnerabilities
[Figure: a dense grid of CVE entries, which the integrated context sorts into the following buckets]
• Inactive: QFlow Collector data helps QRadar Vulnerability Manager sense application activity
• Blocked: QRadar Risk Manager helps QVM understand which vulnerabilities are blocked by firewalls and IPSs
• Patched: IBM Endpoint Manager helps QVM understand which vulnerabilities will be patched
• Critical: Vulnerability knowledge base, remediation flow and QRM policies inform QVM about business critical vulnerabilities
• At Risk: X-Force Threat and SIEM security incident data, coupled with QFlow network traffic visibility, help QVM see assets communicating with
• Exploited: SIEM correlation and IPS data help QVM reveal which vulnerabilities have been exploited
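The six buckets above are each tied to one context source, and the practical question is how a scanner's raw findings get sorted into them. The block below is an added example for this page, not QVM code: it takes constructed findings and constructed stand-ins for each context source (flow-observed services, firewall/IPS blocking, patch schedule, business-critical assets, threat-intelligence and incident contacts, exploitation evidence) and assigns every finding one bucket. The CVE identifiers are placeholders, and the precedence order, in which the most urgent evidence wins when several sources apply, is an assumption the slide does not state.

```python
# Constructed vulnerability findings; the CVE ids are placeholders, not real entries.
FINDINGS = [
    {"id": "V1", "asset": "10.0.1.10", "cve": "CVE-XXXX-0001", "proto": "tcp", "port": 8080},
    {"id": "V2", "asset": "10.0.1.40", "cve": "CVE-XXXX-0002", "proto": "tcp", "port": 445},
    {"id": "V3", "asset": "10.0.1.20", "cve": "CVE-XXXX-0003", "proto": "tcp", "port": 22},
    {"id": "V4", "asset": "10.0.1.50", "cve": "CVE-XXXX-0004", "proto": "tcp", "port": 443},
    {"id": "V5", "asset": "10.0.1.60", "cve": "CVE-XXXX-0005", "proto": "tcp", "port": 443},
    {"id": "V6", "asset": "10.0.1.70", "cve": "CVE-XXXX-0006", "proto": "tcp", "port": 1433},
    {"id": "V7", "asset": "10.0.1.80", "cve": "CVE-XXXX-0007", "proto": "tcp", "port": 3306},
]

# Constructed context, one stand-in per source named on the slide.
CONTEXT = {
    # flow collector: services with observed traffic, per asset
    "active_services": {
        "10.0.1.10": {("tcp", 443)},      # nothing seen on 8080, so V1's service is inactive
        "10.0.1.20": {("tcp", 22)},
        "10.0.1.40": {("tcp", 445)},
        "10.0.1.50": {("tcp", 443)},
        "10.0.1.60": {("tcp", 443)},
        "10.0.1.70": {("tcp", 1433)},
        "10.0.1.80": {("tcp", 3306)},
    },
    # risk manager: services unreachable because a firewall or IPS blocks them
    "blocked_services": {("10.0.1.40", "tcp", 445)},
    # endpoint management: (asset, cve) pairs with a patch already scheduled
    "patch_scheduled": {("10.0.1.20", "CVE-XXXX-0003")},
    # policy / knowledge base: business-critical assets
    "critical_assets": {"10.0.1.50"},
    # threat intelligence + incident data + flows: assets seen talking to known-bad or incident hosts
    "threat_contacts": {"10.0.1.60"},
    # SIEM correlation / IPS: (asset, cve) pairs with exploitation evidence
    "exploited": {("10.0.1.70", "CVE-XXXX-0006")},
}

# Assumed precedence when several sources apply: the most urgent evidence wins.
RANK = {"Exploited": 0, "At Risk": 1, "Critical": 2, "Open": 3, "Patched": 4, "Blocked": 5, "Inactive": 6}


def classify(finding, ctx):
    """Return (bucket, reason) for one finding using the context sources."""
    key = (finding["asset"], finding["cve"])
    service = (finding["asset"], finding["proto"], finding["port"])
    if key in ctx["exploited"]:
        return "Exploited", "SIEM correlation / IPS evidence of exploitation"
    if finding["asset"] in ctx["threat_contacts"]:
        return "At Risk", "asset seen communicating with threat-listed or incident-related hosts"
    if finding["asset"] in ctx["critical_assets"]:
        return "Critical", "business-critical asset per policy"
    if key in ctx["patch_scheduled"]:
        return "Patched", "endpoint management reports a scheduled patch"
    if service in ctx["blocked_services"]:
        return "Blocked", "firewall or IPS blocks reach to the vulnerable service"
    if (finding["proto"], finding["port"]) not in ctx["active_services"].get(finding["asset"], set()):
        return "Inactive", "no flows observed to the vulnerable service"
    return "Open", "reachable, active and not yet addressed"


def triage(findings, ctx):
    """Classify every finding and order the list by urgency, then by id for stable output."""
    rows = [(f["id"],) + classify(f, ctx) for f in findings]
    return sorted(rows, key=lambda r: (RANK[r[1]], r[0]))


def summarize(rows):
    """Count findings per bucket."""
    counts = {}
    for _id, bucket, _reason in rows:
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


if __name__ == "__main__":
    rows = triage(FINDINGS, CONTEXT)
    for fid, bucket, reason in rows:
        print("%s  %-9s %s" % (fid, bucket, reason))
    print(summarize(rows))
```

The ordering is the point: of seven raw findings only V6 (exploited), V5 (at risk) and V4 (critical) demand immediate attention, V7 is the one genuinely open item, and the remaining three are parked as scheduled, blocked or inactive, which is the reduction from a sea of CVEs to a short worklist that the slide describes.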
IBM QRadar Security Intelligence
QRadar Security Intelligence easily grows with your needs
Inject IBM X-Force Threat Research Intelligence
– Provides intelligence feed to QRadar
– Includes vulnerabilities, IP reputations, malware reports
Add QRadar Risk Manager
– Enables pre-exploit configuration investigations
– Simplifies security policy reviews for compliance tests
– Provides network topology depictions and permits attack simulations
Implement QRadar Vulnerability Manager
– Extends pre-exploit analysis; adds integrated vulnerability insights
– Reduces the magnitude of pre-exploit conditions as QRadar SIEM does for post-exploit conditions
– Helps identify and measure exposures to external threats
Upgrade Log Manager to QRadar SIEM
– Additional security telemetry data
– Rules-based correlation analysis engine
– Data overload reduction 'magic', compressing millions or even billions of daily raw events to a manageable list of issues
Some of QRadar's unique advantages
• Scalability for the largest deployments, using an embedded database and unified data architecture. Impact: QRadar supports your business needs at any scale
• Real-time correlation and anomaly detection based on the broadest set of contextual data. Impact: More accurate threat detection, in real time
• Intelligent automation of data collection, asset discovery, asset profiling, vulnerability scanning and more. Impact: Reduced manual effort, fast time to value, lower-cost operation
• Integrated flow analytics with Layer 7 content (application) visibility. Impact: Superior situational awareness and threat identification
• Flexibility and ease of use enabling "mere mortals" to create and edit correlation rules, reports and dashboards. Impact: Maximum insight, business agility and lower cost of ownership
Time for a QRadar Demo?
Time for Q&A?
ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved.