Post on 14-Sep-2014
© 2014 IBM Corporation
IBM Security Systems
Attain Clarity of your Security Posture with New QRadar Incident Forensics
May 14, 2014
Speakers & Agenda
Vijay Dheap, Product Manager, IBM Security Systems
• Exciting addition to Security Intelligence platform
• Better visibility with solution consolidation
• Why’s and how’s for network forensic investigations
• QRadar Incident Forensics and QRadar Packet Capture
Why are we here?
IBM QRadar Security Intelligence Platform: Providing actionable intelligence
AUTOMATED: Driving simplicity and accelerating time-to-value
INTEGRATED: Unified architecture delivered in a single console
INTELLIGENT: Correlation, analysis and massive data reduction
Consolidation and integration help reduce costs and increase visibility
IBM QRadar Security Intelligence Platform: big data consolidation of all available security information
• Packets
• Vulnerabilities
• Configurations
• Flows
• Events
• Logs
Traditional SIEM: 6 products from 6 vendors are needed
IBM Security Intelligence and Analytics
Technology additions strengthen QRadar Security Intelligence
Platform evolution based on client needs (2002 – 2005, 2006 – 2007, 2008 – 2009, 2010 – 2011, 2012 – 2013, 2014, Future):
• Flow Visualization and NBAD: Anomaly detection and threat resolution
• SIEM: SIM and VA integration
• Log Management: Identity management, complete log management, and compliance reporting
• Risk Management: Configuration analysis, policy monitoring, and risk assessment
• Vulnerability Management: Real-time vulnerability scanning and vulnerability prioritizations
• Network Forensics: Incident forensics and packet captures
• Security Intelligence .NEXT
Single web-based console provides superior visibility
• Log Management
• Security Intelligence
• Network Activity Monitoring
• Risk Management
• Vulnerability Management
• Network Forensics
*NEW* IBM Security QRadar Incident Forensics: Intuitive investigation of security incidents
• Reduces incident investigation periods from days or hours to minutes
– Employs Internet search engine technology, closing security team skill gaps
• Compiles evidence against malicious entities breaching secure systems and deleting or stealing sensitive data
– Creates rich ‘digital impression’ visualizations of related content
• Helps determine root cause of successful breaches, helping prevent recurrences
– Adds full packet captures to complement SIEM security data collection and analytics
“Research findings indicate enterprise organizations want increased awareness of advanced threats without the need for additional resources and forensics expertise.”
Source: Jon Oltsik, Enterprise Systems Group (ESG)
Wins the race against time
IBM Security Incident Forensics Deepdive
Harsh realities for many enterprise network CISOs
• 63% of victims made aware of their breaches by an external organization
• In 2013, it took organizations 32 days on average to resolve a cyber-attack
• In 2012, 38% of targets were attacked again once the original incident was remediated
• Attackers spend an estimated 243 days on a victim’s network before being discovered
• Annual cost of cyber-crime in the U.S. now stands at $11.56 million per organization
Has our organization been compromised? When was our security breached?
How to avoid becoming a repeat victim?
What resources and assets are at risk?
What type of attack is it?
How do we identify the attack?
Struggling to manage resources against today’s new challenges
Escalating Attacks
• Increasingly sophisticated attack methods
• Disappearing perimeters
• Accelerating security breaches
Increasing Complexity
• Constantly changing infrastructure
• Too many products from multiple vendors; costly to configure and manage
• Inadequate and ineffective tools
Resource Constraints
• Under-staffed security teams
• Data overload with limited manpower and skills to find true threats
• Managing and monitoring increasing compliance demands
(Slide graphics: Spear Phishing, Persistence, Backdoors, Designer Malware; a mock job listing on ITSecurityJobs.com reading “Sorry, no applicants found”)
Defending the network requires appropriate solutions
What are the major risks and vulnerabilities? Are we configured to protect against advanced threats? What security incidents are happening right now? What was the impact to the organization?
Security Intelligence: The actionable information derived from the analysis of security-relevant data available to an organization
• Gain visibility over the organization’s security posture and identify security gaps
• Detect deviations from the norm that indicate early warnings of APTs
• Prioritize vulnerabilities to optimize remediation processes and close critical exposures before exploit
• Automatically detect threats with prioritized workflow to quickly analyze impact
• Gather full situational awareness through advanced security analytics
• Perform forensic investigation reducing time to find root cause; use results to drive faster remediation
Incident timeline: Pre-Exploit and Vulnerability (PREDICTION / PREVENTION PHASE); Exploit, Post-Exploit and Remediation (REACTION / REMEDIATION PHASE)
Massive data gathering allows embedded intelligence to automatically detect anomalous conditions
Extensive Data Sources
• Servers and mainframes
• Data activity
• Network and virtual activity
• Application activity
• Configuration information
• Security devices
• Users and identities
• Vulnerabilities and threats
• Global threat intelligence
Embedded Intelligence
• Massive data reduction
• Automated data collection, asset discovery and profiling
• Automated, real-time, and integrated analytics
• Activity baselining and anomaly detection
• Out-of-the-box rules and templates
Automated Offense Identification: Suspected Incidents → Prioritized Incidents
Yet today’s threats require greater clarity to resolve
Network Security: Detect unauthorized activities targeting critical assets, uncover the motivations and develop an understanding of the full scope of the risk
Insider Threat Analysis: Find the perpetrator, identify collaborators, pinpoint the systems compromised and document any data losses
Fraud and Abuse: Uncover sophisticated money laundering schemes involving multiple seemingly disparate interactions
Evidence Gathering: Compile evidence against malicious entities breaching secure systems and deleting or stealing sensitive data
Traditional customer challenges employing network forensics
• Critical gaps exist in available forensics and threat mitigation offerings to recover from an incident
• Dependency on specialized skills to conduct detailed investigations
• Difficulty identifying true incidents hidden in mounds of data
• Disparate tools with limited intelligence inhibit productivity and efficacy in analysing incidents
Security teams must reduce the time to detect and respond to threats. Confusion and wasted time aid the attacker.
How network forensics is done
Full Packet Capture
• Capture packets off the network
• Include other, related structured and unstructured content stored within the network
Retrieval & Session Reconstruction
• For a selected security incident, retrieve all the packets (time bounded)
• Re-assemble into searchable documents including full payload displayed in original form
Forensics Activity
• Navigate to uncover knowledge of threats
• Switch search criteria to see hidden relationships
Extend clarity around incidents with in-depth forensics data
Embedded Intelligence: Suspected Incidents → Prioritized Incidents
Directed Forensics Investigations
• Rapidly reduce time to resolution through intuitive forensic workflow
• Use intuition more than technical training
• Determine root cause and prevent recurrences
How network forensics is done - with QRadar Incident Forensics
Leverage strengths of QRadar to optimize investigations and gather evidence for detected incidents
1. Extension of QRadar Security Intelligence Platform
• Built off high accuracy QRadar offense discovery
• Improve efficiency of investigations
2. Expands Data Available for Incident Forensics
• Data-in-motion and data-at-rest
• Structured and unstructured data
3. Has Scalable Search Infrastructure
• Index all the data
• Correlate all the data
• Prioritize search performance
4. Builds Intelligence
• Automated identification and assembly of identities
• Automated distilling of suspicious content/activity
• Content categorization informs data exclusion
• Reveals linkages between entities
5. Enables Intuitive Investigative Analysis
• Simple search engine interface
• Visual analytics
• Retrace activity in chronological order with reconstructed content
Changing the dynamics of network forensics activities
QRadar Incident Forensics helps simplify the task, accelerate results, and ensure better results
Before
• Performed by technically trained forensics researchers
• Hunt for anomalous activities within specified time frame
• Identify threat actor and remediate malicious conditions
After
• Initiated using intuition with Internet search engine simplicity
• Follow security analytics or threat intelligence feed directives
• Retrace step-by-step movements for complete clarity
Benefit
• Address skills gap for forensics analysis
• Win race against time finding true threats and halting data loss
• Determine root cause and prevent breach recurrences
IBM Security QRadar Incident Forensics deployment model (Security Intelligence Platform)
QRadar Security Intelligence Console
• Seamlessly integrated, single UI
• Includes new ‘Forensics’ dashboard tab
• Supports incident investigation workflow
QRadar Incident Forensics Module
• Hardware, software, virtual appliance
• Supports standard PCAP format
• Retrieves PCAPs for an incident and reconstructs sessions for forensics
QRadar Packet Capture Appliances
• Performs Full Packet Capture
• Optimized appliance solution
• Scalable storage
Obtain clarity throughout the lifecycle of a security incident
• Proactive formulation of best practices: Use investigative clarity to develop new threat detection methods
• Enhance capacity to identify breaches: Detect new attack techniques or previously compromised systems
• Mitigate risk of becoming repeat victim: Assess full scope of impact or breach to close gaps in the security posture
• Shorten time to remediate an incident: Find the source, block communications, patch vulnerabilities
• Detect deviations from compliance protocols: Perform post-mortem analysis on underlying conditions
Feedback Received from Our Product Preview & Beta Program
“As we assess various solutions, QRadar Incident Forensics appears to make Forensics ‘Idiot-proof’”
~ Mid-size Bank
“I don’t have data scientists on staff nor can I find them…I need a forensics solution that my security analysts can use”
~ An Institute of Higher Education
“My IT security team spends a majority of their time in QRadar console, now I don’t have to have them use a disparate tool for forensics, love the integration”
~ An Energy & Utilities Company
“QRadar Incident forensics coupled with the forthcoming dedicated packet capture capability has proven it can deliver important benefits for our communications security monitoring”
~ Beta Participant
“The simple user interface masks the power that is available to the security analyst, it was as basic as typing in a search string”
~ Beta Participant
Learn more about IBM Security Intelligence and Analytics
Visit the IBM Security Intelligence Website
Watch the videos on the IBM Security Intelligence YouTube Channel
Read new blog posts: SecurityIntelligence.com
Follow us on Twitter: @ibmsecurity
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
IBM Security QRadar V7.2 MR2 Highlighted Features
(Capability: New Feature. Customer Value)
QRadar SIEM & QRadar Log Manager
• QRadar Data Node: New software/appliance helps scale Event and Flow Processor performance by adding commoditized hardware. Customer value: Improves scaling performance without purchasing additional processors.
• Performance improvements: Up to 2X improvement in search performance when utilizing indexes, such as where sourceip = 10.10.10.10. Customer value: Faster searches.
• Multilingual Support: Includes English, Simplified & Traditional Chinese, Japanese, Korean, French, German, Italian, Spanish, Russian, Portuguese (Brazil). Customer value: Ease of use for non-English speaking users.
QRadar Vulnerability Manager
• User configurable scan policies: Create reusable scan policies defined in terms of port scans, vulnerability checks, vulnerability tools, and vulnerability tool groups. Customer value: Quicker and less invasive scans.
• Dynamic scanning: Support one or more CIDR ranges per scanner, enabling dynamic scanner selection based upon asset IP. Customer value: Simplified configuration, fewer scan profiles, distributed on-demand scanning.
• Remediation times and reporting: Assign default remediation times for vulnerabilities and generate automated email remediation reports to assigned owners. Customer value: More automated vulnerability management and remediation processes.
QRadar Risk Manager
• Layer 7/Next Generation firewall support: Import configuration data from next generation firewalls (e.g. Palo Alto). Customer value: Collect, audit and analyse rich firewall configuration data.
• Net net summary: Helps users easily see the end-to-end connectivity between two selected subnets. Customer value: Quicker analysis of network connectivity issues.
• Improved topology query performance: Faster performance of topology queries. Customer value: Better visibility and faster compliance reporting.
From NetFlow to QFlow to… …QRadar Incident Forensics
• NetFlow: packet oriented, identifies unidirectional sequences sharing source and destination IPs, ports, and type of service
• QFlow: packet oriented, identifies bi-directional sequences aggregated into sessions; also identifies applications by capturing the beginning of a flow
• Competitive solutions: session oriented, some only capture a subset of each flow and index only the metadata—not the payload
• QRadar Incident Forensics: session oriented, captures all packets in a flow, indexing the metadata and payload to enable fast search-driven data exploration
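The four collection models above, together with the capture, time-bounded retrieval and session reconstruction steps of the earlier "How network forensics is done" slide, can be made concrete with a small Python model. This is an added example, not IBM code and not QRadar's implementation: it builds NetFlow-style unidirectional flow records, QFlow-style bidirectional sessions that name the application from the first bytes of a flow, and a full-capture inverted index over metadata and payload that supports time-bounded, search-driven retrieval for an incident. The packet list (PACKETS), the signature table (APP_SIGNATURES) and every function name are constructed for the illustration; the tokenizer is deliberately crude.

```python
from collections import defaultdict

# Constructed sample packets (not captured traffic):
# (timestamp, src_ip, src_port, dst_ip, dst_port, proto, payload)
PACKETS = [
    (100.0, "10.0.0.5", 40001, "203.0.113.7", 80, "tcp",
     b"GET /reports/q1.xlsx HTTP/1.1\r\nHost: files.example.test\r\n\r\n"),
    (100.2, "203.0.113.7", 80, "10.0.0.5", 40001, "tcp",
     b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nPK..."),
    (150.0, "10.0.0.5", 40002, "198.51.100.9", 443, "tcp",
     b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # start of a TLS ClientHello
    (400.0, "10.0.0.8", 40003, "203.0.113.7", 80, "tcp",
     b"POST /upload HTTP/1.1\r\nHost: files.example.test\r\n\r\nname=q1.xlsx"),
    (400.3, "203.0.113.7", 80, "10.0.0.8", 40003, "tcp",
     b"HTTP/1.1 201 Created\r\n\r\n"),
]


def flow_key(pkt):
    """Unidirectional 5-tuple: how a NetFlow record is keyed."""
    _, src, sport, dst, dport, proto, _ = pkt
    return (src, sport, dst, dport, proto)


def session_key(pkt):
    """Direction-independent key so both halves of a conversation land in one session."""
    _, src, sport, dst, dport, proto, _ = pkt
    a, b = (src, sport), (dst, dport)
    return (min(a, b), max(a, b), proto)


def netflow_records(packets):
    """NetFlow-style: one record per unidirectional flow, counters only, no payload kept."""
    flows = {}
    for pkt in packets:
        ts, payload = pkt[0], pkt[6]
        rec = flows.setdefault(flow_key(pkt), {"packets": 0, "bytes": 0, "first": ts, "last": ts})
        rec["packets"] += 1
        rec["bytes"] += len(payload)
        rec["first"], rec["last"] = min(rec["first"], ts), max(rec["last"], ts)
    return flows


# Toy application signatures matched against the first bytes of a session (constructed).
APP_SIGNATURES = [(b"GET ", "http"), (b"POST ", "http"), (b"\x16\x03", "tls")]


def identify_app(head):
    for prefix, name in APP_SIGNATURES:
        if head.startswith(prefix):
            return name
    return "unknown"


def qflow_sessions(packets, app_bytes=16):
    """QFlow-style: bidirectional sessions; only the first app_bytes of payload are kept,
    enough to name the application but not to reconstruct the content."""
    sessions = {}
    for pkt in sorted(packets, key=lambda p: p[0]):
        s = sessions.setdefault(session_key(pkt),
                                {"packets": 0, "bytes": 0, "first": pkt[0], "last": pkt[0], "head": b""})
        s["packets"] += 1
        s["bytes"] += len(pkt[6])
        s["last"] = pkt[0]
        if len(s["head"]) < app_bytes:
            s["head"] += pkt[6][:app_bytes - len(s["head"])]
    for s in sessions.values():
        s["app"] = identify_app(s["head"])
    return sessions


def tokenize(data):
    """Crude tokenizer: runs of alphanumerics plus '.', '_' and '-' become search terms,
    so IPs, host names and file names survive as whole tokens."""
    terms, cur = set(), []
    for ch in data.decode("latin-1").lower():
        if ch.isalnum() or ch in "._-":
            cur.append(ch)
        elif cur:
            terms.add("".join(cur))
            cur = []
    if cur:
        terms.add("".join(cur))
    return terms


def forensic_index(packets):
    """Full-capture model: every packet kept, each session reconstructed per direction with
    complete payload, and metadata plus payload tokens placed in one inverted index."""
    sessions = {}
    for pkt in sorted(packets, key=lambda p: p[0]):
        s = sessions.setdefault(session_key(pkt),
                                {"first": pkt[0], "last": pkt[0], "streams": defaultdict(bytes)})
        s["last"] = pkt[0]
        s["streams"][flow_key(pkt)] += pkt[6]  # keep each direction's bytes in arrival order
    index = defaultdict(set)
    for key, s in sessions.items():
        terms = {key[0][0], key[1][0]}  # endpoint IPs as metadata terms
        for stream in s["streams"].values():
            terms |= tokenize(stream)
        for term in terms:
            index[term].add(key)
    return sessions, index


def retrieve_for_incident(sessions, index, start, end, *terms):
    """Time-bounded retrieval for an incident: sessions overlapping [start, end] whose
    index entries contain every query term (an AND search the analyst narrows step by step)."""
    hits = set(sessions)
    for term in terms:
        hits &= index.get(term.lower(), set())
    return sorted(k for k in hits if sessions[k]["first"] <= end and sessions[k]["last"] >= start)


if __name__ == "__main__":
    print(len(netflow_records(PACKETS)), "unidirectional flow records")
    for key, s in qflow_sessions(PACKETS).items():
        print("session", key, "app =", s["app"])
    sessions, index = forensic_index(PACKETS)
    print("q1.xlsx in incident window:", retrieve_for_incident(sessions, index, 0, 200, "q1.xlsx"))
```

Run stand-alone, the script shows the trade-off the slide makes: the NetFlow view yields five directional records with no content, the QFlow view collapses them into three sessions and can say "http" or "tls" from the first sixteen bytes, and only the full-capture index can answer a question such as "which sessions in the incident window mention q1.xlsx", then narrow it further by adding an endpoint IP as a second term.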
IBM Security QRadar SIEM: Web-based command console for Security Intelligence
• Delivers actionable insight focusing security teams on high probability incidents
– Employs rules-based correlation of events, flows, assets, topologies, and vulnerabilities
• Detects and tracks malicious activity over extended time periods, helping uncover advanced threats often missed by other solutions
– Consolidates ‘big data’ security incidents within purpose-built, federated database repository
• Provides anomaly detection to complement existing perimeter defenses
– Calculates identity and application baseline profiles to assess abnormal conditions
“The average time to implement QRadar was 5.5 months versus 15.2 months (nearly 3X) for other market-leading competitor solutions.”
Source: Ponemon Institute LLC primary research, “IBM QRadar Evidence of Value”
Optimized threat analysis: a daily volume of 2,000,000,000 events, flows and incidents is automatically analyzed to find 20 – 25 potential offenses to investigate