Published on February 4, 2014
SIEM – silver bullet to ITSEC
Data Security Solutions, Certified IBM Business Partner for IBM QRadar Security Intelligence
Park Hotel Maritim, 28.01.2014

"Data Security Solutions" specializes in IT Security
• IT Security consulting (vulnerability assessment tests, security audit, new systems integration, HR training, technical support)
• Innovative and selected software, hardware and hybrid solutions from leading technology vendors from over 10 different countries

Agenda
• SIEM – Silver bullet to ITSEC
• QRadar Security Intelligence
• SIEM Use Cases
• QRadar v7.2 update and integrations

SIEM – heart of your security system
Security information includes log data generated from numerous sources, including antivirus software, intrusion-detection systems (IDS), intrusion-prevention systems (IPS), file systems, firewalls, routers, servers and switches. A SIEM should:
• Monitor events in real time
• Display a real-time view of activity
• Aggregate data
• Provide automated incident response
• Correlate data from multiple sources
• Send alerts and generate reports

SIEM = SIM + SEM
• Security event management (SEM), which provides real-time monitoring for security events
• Security information management (SIM), which provides log management and reporting for security-related events

Immediate Problems
• The cost and complexity of purchasing and managing storage and monitoring systems
• Difficulty accessing huge amounts of data
• Limited ability to make queries against historic log data
• Keeping pace with changing user behavior outside the control of IT (e.g., mobile computing and communication devices, and the pervasiveness of social media)
• Loss of data fidelity

Opportunities To Add New Capabilities
• Deep, historical analysis of security events over long periods (years, not days)
• Large-scale investigations to detect advanced persistent threats
• More rapid response to compliance and regulatory inquiries
• Establishing benchmarks for employee, contractor, supplier and partner behavior in regards to data access, and measuring variations from those benchmarks
• Defining and implementing best practices for information security management and compliance reporting
• Automated filtering of vast log data to isolate suspicious event patterns meriting manual investigation
Goal of Next-generation SIEM
[Diagram: log sources (network, servers, databases, homegrown applications) feeding a "log jam" of separate log tools and log silos; stakeholders IT & Network Operations, Identity Management, Operational Security and Governance & Compliance; SIEM functions: log management, compliance reporting, real-time monitoring, incident response, forensic investigation]
QRadar Security Intelligence

QRadar Family
Log Management
• Turnkey log management
• SME to Enterprise
• Upgradeable to enterprise SIEM
SIEM
• Integrated log, threat, risk & compliance management
• Sophisticated event analytics
• Asset profiling and flow analytics
• Offense management and workflow
Risk Management
• Predictive threat modeling & simulation
• Scalable configuration monitoring and audit
• Advanced threat visualization and impact analysis
Network Activity & Anomaly Detection
• Network analytics
• Behavior and anomaly detection
• Fully integrated with SIEM
Network and Application Visibility
• Layer 7 application monitoring
• Content capture
• Physical and virtual environments
QRadar All In One
QRadar Distributed Deployment
QRadar Security Intelligence
• AppScan and QRadar Integration
• Guardium and QRadar Integration
• QRadar Risk Manager and SIEM
• QRadar Vulnerability Manager
• Other IBM Security Systems

AppScan and QRadar Integration
AppScan® Enterprise offers advanced application security testing and risk management with a platform that drives governance, collaboration and security intelligence throughout the application lifecycle.

Guardium and QRadar Integration
Guardium offers insight into database activity on the network, such as data transfer, and also into local database and privileged user activity.

QRadar Risk Manager and SIEM
QRadar Risk Manager adds many key proactive security intelligence capabilities designed to help IT security teams minimize network breaches by reducing their attack surfaces. Some specific abilities include:
• Depicts network topology views; visualizes and assesses risk based on the real-time threat environment, vulnerability posture and network configurations
• Identifies missing, weak, inefficient and unnecessary firewall rules and IPS signatures, reducing risk and improving firewall performance
• Supports policy compliance for network traffic, topology and vulnerability exposures
• Improves QRadar forensics, including determination of offense root cause and visualization of offense attack paths
• Collects firewall, switch, router and IPS/IDS configuration data, which when combined with discovery of network routes and neighbor information allows a network topology model to be created

QRadar Vulnerability Manager
QRadar Vulnerability Manager combines automated vulnerability scanning with a superior understanding of device configurations, network topology and traffic patterns to help security teams enact proactive protection measures in an optimal fashion. Key integrations for QRadar Vulnerability Manager include:
• QRadar Risk Manager
• IBM Security SiteProtector System
• X-Force threat intelligence feed
• IBM Endpoint Manager
• IBM Security AppScan
• IBM InfoSphere Guardium Vulnerability Assessment
SIEM Use Cases (word cloud)

SIEM Use Cases
• Definition
• Requirements
• Scope
• Event Sources
• Response

Your Use Case
Build YOUR own use case!
• React faster
• Improve efficiency
• Automate compliance

Use Cases
• Vulnerability Correlation
• Suspicious Access Correlation
• Flow and Event Combo Correlation
• Botnet
• Application
• Identity
• VMware
• Flow Analysis
• Unidirectional Flows Detection
• Vulnerability Reporting
• Data Loss Prevention
• Double Correlation
• Policy and Insider Threat Intelligence (Social Media Use Case)

Use Cases
• Detecting threats or suspicious changes in behaviour
• Preventative alerting and monitoring
• Compliance monitoring
• Client-side vulnerability correlation
• Excessive failed logins to compliance servers
• Remote access from foreign country logons
• Communication with known hostile networks
• Long durations
• Multi-vector attack
• Device stopped sending data (out of compliance)
Social Media Intelligence
Problem: Social media is an increasing threat to an organization's policies and network; company employees are the ones most likely to fall victim to social engineering based threats, and serve as entry points for Advanced Persistent Threats.
Solution: Social media monitoring and correlation in real time. QRadar's real-time monitoring and correlation of hundreds of social media sites, such as Twitter, Facebook, Gmail, LinkedIn, etc., offers automated application-aware insight and identifies social media-based threats by user and application.

Social Media Intelligence
With QRadar, you can:
• Identify the user responsible for the data leak
• Identify the source, the destination and the actual corporate credit card number leaked

Data Loss Prevention
Customer Requirement: Customer wants to detect when an employee may be stealing customer contact info in preparation for leaving the company.
Solution:
• Baseline employee access to CRM
• Detect deviations from the norm: 1,000 transactions (accesses to customer records) vs. the normal 50 per day
BUT… what if the user is tech savvy (or has a geek nephew) and makes a single SQL query to the back-end database?
• Profile network traffic between workstations and the back-end database, or: policy shouldn't allow direct access to the database from workstations
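The two detection steps of this use case, worked through as an added Python example (not from the deck and not QRadar's own rule engine): a per-user daily baseline of CRM record accesses flags the 1,000-vs-50 deviation, and a flow check catches the tech-savvy user who bypasses the CRM application and queries the back-end database directly from a workstation. All counts, addresses, subnets and ports are constructed sample values.

```python
import ipaddress

# Constructed sample data: daily CRM record-access counts per user during the
# baselining period, and today's counts (the deck's 1,000 vs. 50 example).
BASELINE_DAILY = {"alice": [48, 52, 50, 47, 53], "bob": [45, 55, 50, 49, 51]}
TODAY = {"alice": 1000, "bob": 52}

def baseline(history):
    """Mean daily record accesses per user over the baselining window."""
    return {user: sum(counts) / len(counts) for user, counts in history.items()}

def excessive_access(today, base, factor=5.0):
    """Users whose count today exceeds `factor` times their own baseline.
    Users with no baseline are skipped rather than alerted on (new hires
    need a baselining period first)."""
    return sorted(u for u, n in today.items() if u in base and n > factor * base[u])

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes). Workstations
# should only talk to the CRM application tier; only the app tier should
# talk to the database.
FLOWS = [
    ("10.10.5.23", "10.20.1.10", 1521, 250_000_000),  # workstation -> Oracle, direct
    ("10.20.2.5", "10.20.1.10", 1521, 80_000_000),    # app server -> Oracle, expected
    ("10.10.5.23", "10.20.2.5", 443, 2_000_000),      # workstation -> CRM app, expected
]
WORKSTATION_NET = ipaddress.ip_network("10.10.0.0/16")   # assumed workstation subnet
DB_SERVERS = {"10.20.1.10"}                              # assumed back-end database
DB_PORTS = {1521, 1433, 3306}                           # Oracle, MSSQL, MySQL listeners

def direct_db_access(flows):
    """Flows from the workstation subnet straight to a database port: policy
    says these should not exist, so a single hit is worth an offense."""
    return [
        f for f in flows
        if ipaddress.ip_address(f[0]) in WORKSTATION_NET
        and f[1] in DB_SERVERS and f[2] in DB_PORTS
    ]

if __name__ == "__main__":
    print("excessive CRM access:", excessive_access(TODAY, baseline(BASELINE_DAILY)))
    print("direct DB access from workstations:", direct_db_access(FLOWS))
```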
Data Loss Prevention
Potential data loss? Who? What? Where?
• Who? An internal user
• What? Oracle data
• Where? Gmail

Inadvertent Wrongdoing
• A/V server trying to update the entire internet
• Issue bubbled to the top of the offense manager immediately post-installation
• Problem had existed for months, but was lost in firewall logs
• A/V clients were badly out of date

System Misconfiguration
• QRadar reports remote sources scanning internal SQL servers
• Firewall admin insists QRadar is incorrect: absolutely no inbound SQL traffic permitted
• But… months earlier a user had requested access to the SQL server from outside campus
• Administrator fat-fingered the FW rule and unintentionally allowed SQL access to and from all hosts

Teleportation
Customer Requirement: Customer wanted to detect users that logged in from IP addresses in different locations simultaneously.
Solution:
• Create a rule to test for 2 or more logins from VPN or AD from different countries within 15 minutes
• Can be extended to check for a local login within the corporate network and a simultaneous remote login
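The teleportation rule, worked through as an added Python example (not from the deck and not QRadar's own rule syntax): VPN/AD login events are grouped per user and any two logins from different locations within the 15-minute window raise an alert. Logins from inside the corporate network carry a constructed "CORP-LAN" location label, which covers the slide's extension (local login plus simultaneous remote login) with the same rule; the events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (timestamp, user, login location).
# Location is the source country from VPN/AD logs; logins from inside the
# corporate network are labelled "CORP-LAN" (an assumed label, not a QRadar
# field) so a LAN login plus a remote login in the same window also fires.
LOGIN_EVENTS = [
    ("2014-01-28T08:00:00", "alice", "LV"),
    ("2014-01-28T08:09:00", "alice", "BR"),      # 9 min later from another country
    ("2014-01-28T08:05:00", "bob", "LV"),
    ("2014-01-28T09:30:00", "bob", "DE"),        # 85 min later: outside the window
    ("2014-01-28T10:00:00", "carol", "LV"),
    ("2014-01-28T10:10:00", "carol", "LV"),      # same location: travel not implied
    ("2014-01-28T11:00:00", "dave", "CORP-LAN"),
    ("2014-01-28T11:04:00", "dave", "US"),       # on the LAN and on VPN from abroad
]

def detect_teleportation(events, window_minutes=15):
    """Return (user, loc1, ts1, loc2, ts2) for every pair of logins by the same
    user from different locations that fall within the window of each other."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ts, user, location in events:
        by_user[user].append((datetime.fromisoformat(ts), location))
    alerts = []
    for user, logins in by_user.items():
        logins.sort()                      # log sources may deliver out of order
        for i, (t1, loc1) in enumerate(logins):
            for t2, loc2 in logins[i + 1:]:
                if t2 - t1 > window:       # sorted, so later logins are further still
                    break
                if loc1 != loc2:
                    alerts.append((user, loc1, t1.isoformat(), loc2, t2.isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in detect_teleportation(LOGIN_EVENTS):
        print("teleportation:", alert)
```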
Purell for your VPN
Customer Requirement: Customer wanted to detect when external systems over the VPN access sensitive servers. Customer was concerned that an external system could be infected or exploited through split tunneling and infect sensitive internal servers.
Solution:
• Use the latest VA scan of user systems
• Create a building block (BB) of OSVDB IDs of concern
• Detect when external systems with those vulnerabilities access sensitive servers

Uninvited Guests
Customer Requirement: Wants to identify new systems attached to the network. There are active wall jacks throughout the building.
Solution:
• Set asset database retention to just beyond the DHCP lease time (1-2 days): a user out of the office or on vacation lets the asset expire
• New machine attaches, rule alerts
• Flows for real-time detection: no other SIEM can do this
• Can alert on VA import
• In 7.0, can build up a MAC list in reference sets (~2 weeks), then alert when a new MAC appears on the network
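The reference-set variant of this use case, as an added Python example (not from the deck and not QRadar's reference-set feature itself): MAC addresses seen during an initial learning period are added to the set without alerting, and afterwards the first sighting of a MAC not in the set raises an alert and adds it so it only alerts once. The sightings are constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample sightings (date, MAC) from DHCP or flow data; not real addresses.
SIGHTINGS = [
    ("2014-01-01", "00:11:22:33:44:01"),
    ("2014-01-03", "00:11:22:33:44:02"),
    ("2014-01-10", "00:11:22:33:44:03"),
    ("2014-01-14", "00:11:22:33:44:01"),
    ("2014-01-16", "00:11:22:33:44:02"),   # already known from the learning period
    ("2014-01-20", "00:11:22:33:44:99"),   # first appearance after learning: alert
    ("2014-01-21", "00:11:22:33:44:99"),   # now in the reference set: silent
]

def new_mac_alerts(sightings, learning_days=14):
    """Return (date, mac) alerts for MACs first seen after the learning period.
    The learning period starts at the earliest sighting; the reference set is
    only ever added to, so each new MAC alerts exactly once."""
    ordered = sorted((date.fromisoformat(d), mac.lower()) for d, mac in sightings)
    if not ordered:
        return []
    learning_end = ordered[0][0] + timedelta(days=learning_days)
    known = set()
    alerts = []
    for seen_on, mac in ordered:
        if seen_on >= learning_end and mac not in known:
            alerts.append((seen_on.isoformat(), mac))
        known.add(mac)
    return alerts

if __name__ == "__main__":
    print(new_mac_alerts(SIGHTINGS))
```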
Policy Violation / Resource Misuse
Customer Requirement: Detect if there are P2P servers located in the Local Area Network.

Communication to known Bot C&C
Customer Requirement: Detect if any internal system is communicating with known Bot Command and Control.

Forensics of Administrative Change
Customer Requirement: Alert on
• New user account creation with administrative privileges
• System registry change, application installed/uninstalled
• Password reset
• Service started/stopped

Vulnerability Overview
Customer Requirement: Generate a weekly report of vulnerabilities.

Use Cases Summary
• Identify the goal for each event correlation rule (and use case)
• Determine the conditions for the alert
• Select the relevant data sources
• Test the rule
• Determine response strategies, and document them
QRadar v7.2 update
• Enhanced asset and vulnerability functionality
• Centralized license management
• Multicultural support (languages)
• Improved bar and pie charts on the Dashboard tab
• Data obfuscation
• Identity and Access Management (IAM) integration
• Browser support
• Java 7 support
• 1,500+ reports
• New "QRadar 2100 Light" appliance

QRadar Vulnerability Scanner Solution Highlights
• New unique VA solution integrated with Security Intelligence context/data
• Provides a unified view of all vulnerability information
• Dramatically improves actionable information through rich context
• Reduces total cost of ownership through product consolidation (Log Manager, SIEM, Network Activity Monitor, Risk Manager and Vulnerability Manager on one platform)

QRadar Vulnerability Manager Integration
• New tab in QRadar
• Two new deployable components:
  - QVM Console: scan definitions, scan scheduling engine, scan results
  - QVM Scanner
• Third component hosted by IBM: Hosted Scanner, scans a customer's DMZ from the internet

QRadar 2100 All-In-One Light
• An all-in-one appliance that provides the abilities of the QRadar 2100 appliance
• Supports 500 Events Per Second (EPS) instead of 1,000 EPS
• Includes built-in QFlow collector for Layer 7 analysis
• Upgradeable

Q/A
www.dss.lv
+371 29162784 / +371 26113545