Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

60 %
40 %
Information about Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014

Published on February 4, 2014

Author: AndSor



Presentation from "International Data Protection Day" IT Security seminary on 28th of January, 2014, organized by "Data Security Solutions", IBM Security Systems partner in the Baltic States.

SIEM – silver bullet to ITSEC Data Security Solutions Certified IBM Business Partner for IBM QRADAR Security Intelligence Park Hotel Maritim 28.01.2014

“Data Security Solutions” specializes Specialization – IT Security IT Security consulting (vulnerability assessment tests, security audit, new systems integration, HR training, technical support) Innovative & selected software / hardware & hybrid solutions from leading technology vendors from over 10 different countries

Agenda SIEM – Silver bullet to ITSEC QRadar Security Intelligence SIEM Use Cases Qradar v.7.2 update & integrations

SIEM – heart of your security system Security information includes log data generated from numerous sources, including antivirus software, intrusion-detection systems (IDS), intrusion-prevention systems (IPS), file systems, firewalls, routers, servers and switches. Monitor events in real time. Display a real-time view of activity. Aggregate data. Provide automated incidence response. Correlate data from multiple sources. Send alerts and generate reports.

SIEM – SIM & SEM Security event management (SEM), which provides real-time monitoring for security events; Security information management (SIM), which provides log management and reporting for security-related events.

Immediate Problems The cost and complexity of purchasing and managing storage and monitoring systems Difficulty accessing huge amounts of data Limited ability to make queries against historic log data Keeping pace with changing user behavior outside the control of IT (e.g., mobile computing and communication devices, and the pervasiveness of social media) Loss of data fidelity

Opportunities To Add New Capabilities Deep, historical analysis of security events over long periods (years...not days) Large-scale investigations to detect advanced persistent threats More rapid response to compliance and regulatory inquiries Establishing benchmarks for employee, contractor, supplier and partner behavior in regards to data access, and measuring variations from those benchmarks Defining and implementing best practices for information security management and compliance reporting Automated filtering of vast log data to isolate suspicious event patterns meriting manual investigation

Goal of Next-generation SIEM IT & Network Identity Management Operations Operational Security Log management Compliance reporting Real-time monitoring Incident response Forensic investigation Log Tool Log Silo Governance & Compliance ? ? ? ??? ? ? ?? ?? ? ??? ? ? ??? ?? ? ? Log Jam ?? ? ? ? ?? ? ?? ? ?? ??? ??LOGS ? ?? ? Network Servers Databases ??? ?? Homegrown Applications ?

Qradar security intelligence

QRadar Family Log Management SIEM Risk Management Network Activity & Anomaly Detection Network and Application Visibility • Turnkey log management • SME to Enterprise • Upgradeable to enterprise SIEM • • • • Integrated log, threat, risk & compliance mgmt. Sophisticated event analytics Asset profiling and flow analytics Offense management and workflow • Predictive threat modeling & simulation • Scalable configuration monitoring and audit • Advanced threat visualization and impact analysis • Network analytics • Behavior and anomaly detection • Fully integrated with SIEM • Layer 7 application monitoring • Content capture • Physical and virtual environments

QRadar All In One

QRadar Distributed Deployment

Qradar security intelligence AppScan and QRadar Integration Guardium and QRadar Integration QRadar Risk Manager and SIEM QRadar vulnerability manager Other IBM Security Systems

AppScan and Qradar Integration AppScan® Enterprise offers advanced application security testing and risk management with a platform that drives governance, collaboration and security intelligence throughout the application lifecycle.

Guardium and Qradar Integration Guardium offers insight into both database activity on the network, such as data transfer, and also on local database and privileged user activity.

Qradar Risk Manager and SIEM QRadar Risk Manager adds many key proactive security intelligence capabilities designed to help IT security teams minimize network breaches by reducing their attack surfaces. Some specific abilities include: Depicts network topology views; visualizes and assesses risk based on real-time threat environment, vulnerability posture, and network configurations Identifies missing, weak, inefficient and unnecessary firewall rules and IPS signatures, reducing risk and improving firewall performance Supports policy compliance for network traffic, topology and vulnerability exposures Improves QRadar forensics including determination of offense root cause and visualization of offense attack paths Collects firewall, switch, router and IPS/IDS configuration data, which when combined with discovery of network routes and neighbor information allows a network topology model to be created.

Qradar Vulnerability Manager QRadar Vulnerability Manager combines automated vulnerability scanning with a superior understanding of device configurations, network topology and traffic patterns to help security teams enact proactive protection measures in an optimal fashion. Key integrations for QRadar Vulnerability Manager include: Qradar Risk Manager IBM Security SiteProtector System X-Force threat intelligence feed IBM Endpoint Manager IBM Security AppScan IBM InfoSphere Guardium Vulnerability Assesment

SIEM Use Cases WordCloud

SIEM Use Cases Definition Requirements Scope Event Sources Response

Your Use Case Build YOUR own use case! React faster Improve Efficiency Automate Compliance

Use Cases Vulnerability Correlation Suspicious Access Correlation Flow and Event Combo Correlation Botnet Application Identity VMware Flow Analysis Unidirectional Flows Detection Vulnerability Reporting Data Loss Prevention Double Correlation Policy and Insider Threat Intelligence (Social Media Use Case)

Use Cases Detecting Threats or Suspicious Changes in Behaviour Preventative Alerting and Monitoring Compliance Monitoring Client-side vulnerability correlation Excessive Failed Logins to Compliance Servers Remote Access from Foreign Country Logons Communication with Known Hostile Networks Long Durations Multi-Vector Attack Device stopped sending Data (Out of Compliance)

Social Media Intelligence Problem: Social media is an increasing threat to an organization's policies and network; company employees are the ones who are most likely to fall victim to social engineering based threats, and serve as entry points for Advanced Persistent Threats. Solution: Social media Monitoring& Correlation in real-time: Qradar’s real-time monitoring and correlation of hundreds of social media sites, such as Twitter, Facebook, Gmail, LinkedIn, etc., offers automated application aware insight and identifies social media-based threats by user and application.

Social Media Intelligence With Qradar, you can: Identify the user responsible for the data leak. With Qradar, you can: Identify all the source, destination and the actual corporate credit card number leaked.

Data Loss Prevention Customer Requirement: Customer wants to detect when an employee may be stealing customer contact info in preparation for leaving the company Solution: Baseline employee access to CRM Detect deviations from norm: 1,000 transactions (access to customer records) vs normal 50 per day BUT…what if the user is tech savvy or has a geek nephew, and makes a single SQL query to the back end database? Profile network traffic between workstations and back-end database or policy shouldn’t allow direct access to database from workstations

Data Loss Prevention Potential Data Loss? Who? What? Where? Who? An internal user What? Oracle data Where? Gmail

Indavertent Wrongdoing A/V Server Trying to update the entire internet Issue bubbled to the top of the offense manager immediately post-installation Problem had existed for months, but was lost in firewall logs. A/V clients were badly out of date.

System Misconfiguration QRadar reports remote sources scanning internal SQL servers Firewall admin insists QRadar is incorrect – absolutely no inbound SQL traffic permitted. But … months earlier user had requested access to SQL server from outside campus Administrator fat-fingered the FW rule and unintentionally allowed SQL access to & from all hosts

Teleportation Customer Requirement: Customer wanted to detect users that logged in from IP addresses in different locations simultaneously. Solution:  Create rule to test for 2 or more logins from VPN or AD from different country within 15 minutes  Can be extended to check for local login within corporate network and simultaneous remote login

Purell for your VPN Customer Requirement: Customer wanted to detect when external systems over the VPN accesses sensitive servers Customer was concerned that external system could be infected / exploited through split tunneling and infect sensistive internal servers Solution:  Use latest VA scan of user systems  Create BB of OSVDB IDs of concern  Detect when external systems with vulnerabilities access sensitive servers

Uninvited Guests Customer Requirement: Wants to identify new systems attached to network. There are active wall jacks throughout building Solution: Set asset database retention to just beyond DHCP lease time (1-2 days)—user out of office/on vacation, asset expires New machine attaches, rule alerts Flows for real-time detection: no other SIEM can do this Can alert on VA import In 7.0, can build up MAC list in reference sets (~2 wks), then alert when new MAC appears on network

Policy Vialation / Resource Misuse Customer Requirement: Detect if there are P2P Server located in Local Area Network

Communication to known Bot C&C Customer Requirement: Detect if any of internal system is communicating to known Bot Command and Contrlol

Forensic of Administrative Change Customer Requirement: New User account creation with administrative privileges System registry change, Application Installed/Uninstalled Password reset Service started/stopped

Vulnerability Overview Customer Requirement: Generate weekly report for Vulnerabilities

Use Cases Summary Identify the goal for each event correlation rule (and use case). Determine the conditions for the alert. Select the relevant data sources. Test the rule. Determine response strategies, and document them.

Qradar v. 7.2 update Enhanced asset and vulnerability functionality Centralized license management Multicultural support (languages) Improved bar and pie charts on the Dashboard tab Data obfuscation Identity and Access Management (IAM) integration Browser support Java 7 support 1500 + reports New ―QRadar 2100 Light‖ appliance

QRadar Vulnerability Scaner Solution Highlights New Unique VA solution integrated with Security Intelligence context/data Providing unified view of all vulnerability information Dramatically improving actionable information through rich context Reducing total cost of ownership through product consolidation Log Manager SIEM Network Activity Monitor Risk Manager Vulnerability Manager

QRadar Vulnerability Manager Integration New tab in QRadar Two new deployable components - QVM Console • Scan definitions, scan scheduling engine, scan results - QVM Scanner Third component hosted by IBM - Hosted Scanner, scans a customers DMZ from the internet

QRadar 2100 All-In-One Light This appliance is an all-in-one appliance that provides the abilities of the QRadar 2100 appliance Supports 500 Events Per Second (EPS) instead of 1,000 EPS Includes Built-in Qflow collector for Layer7 analysis Upgradeable

Q/A / +371 29162784 +371 26113545

Add a comment

Related presentations

Presentación que realice en el Evento Nacional de Gobierno Abierto, realizado los ...

In this presentation we will describe our experience developing with a highly dyna...

Presentation to the LITA Forum 7th November 2014 Albuquerque, NM

Un recorrido por los cambios que nos generará el wearabletech en el futuro

Um paralelo entre as novidades & mercado em Wearable Computing e Tecnologias Assis...

Microsoft finally joins the smartwatch and fitness tracker game by introducing the...

Related pages

Qradar Siem | LinkedIn

Going from Data to Information with Security Intelligence. ... Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014. 1,125 Views ...
Read more

Ibm Qradar | LinkedIn

IBM QRadar Security Intelligence: ... (IBM QRADAR)Data Security and Privacy ... Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014.
Read more