
© 2015 IBM Corporation

Building a Next-Generation Security Operation Center Based on IBM QRadar and Security Intelligence Concepts

Chris Meenan, IBM Security

Vincent Laurens, Sogeti

Overview


• Cybersecurity threat environment and main challenges

• The true story behind all this

• What is a Security Operations Center (SOC)

• Introducing QRadar and how it can address pragmatic challenges

• Real-life examples and lessons learned

It is insane…

Source: IBM X-Force® Research 2013 Trend and Risk Report

Main challenges for a SOC

• Smooth integration with processes and business
• Addressing compliance from multiple angles
• Lack of skills within the organization
• Diversity and scale of data to correlate
• Cost effectiveness

Being able to provide our customers the answers they need. Solving, in a high-quality manner, the challenges they have to face.

SOC Challenges Chain

All these factors MUST become part of the IT comfort zone! Not as straightforward as it seems!

What is a SOC ?

Security Operation Centers are indeed… Central Command Centers!

• Performing security monitoring of IT systems, of industrial systems and data
• Scanning, vulnerability assessment
• SIEM
• Malware defense (sandboxing)
• Security Analytics
• BIG DATA
• GRC … Patch Management … CMDB
• Systems and services integration
• Managed services
• SOCaaS (multi-tenant)

Why QRadar Helps

Security Operations can drown in systems

• The “HiFi Separates” approach has led to a situation where enterprises have dozens of individual security tools

• Security teams struggle:
  • Lack of skills
  • Become stove-piped themselves
  • Overly dependent on a single tool which has limited visibility and accuracy

IBM QRadar Security SIEM

Providing actionable intelligence

IBM QRadar Security Intelligence Platform

AUTOMATED: Driving simplicity and accelerating time-to-value
INTEGRATED: Unified architecture delivered in a single console
INTELLIGENT: Correlation, analysis and massive data reduction

Embedded intelligence offers automated offense identification

Data sources feeding the platform (suspected incidents):
• Servers and mainframes
• Data activity
• Network and virtual activity
• Application activity
• Configuration information
• Security devices
• Users and identities
• Vulnerabilities and threats
• Global threat intelligence

Embedded Intelligence (INTELLIGENT):
• Unlimited data collection, storage and analysis
• Built-in data classification
• Automatic asset, service and user discovery and profiling
• Real-time correlation and threat intelligence
• Activity baselining and anomaly detection
• Detects incidents out of the box

Suspected Incidents → Automated Offense Identification → Prioritized Incidents

Answering questions to help prevent and remediate attacks
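The pipeline this slide sketches (collect from many source types, classify into a common schema, profile the assets involved, correlate related events, baseline activity, and rank the result as prioritized offenses) is shown below as an added illustration in Python. It is not QRadar code and not part of the original deck; the log lines, asset database, history counts and scoring weights are all constructed for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Normalisation rules: one regex per source type plus a function that maps
# the parsed fields to a common event category and severity (1 low .. 5 high).
# Constructed formats for the example; real sources need their own parsers.
PARSERS = [
    (re.compile(r"^fw src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\w+)$"),
     lambda m: ("firewall.deny" if m["action"] == "deny" else "firewall.accept",
                2 if m["action"] == "deny" else 1)),
    (re.compile(r"^auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"),
     lambda m: ("auth.failure" if m["result"] == "fail" else "auth.success",
                3 if m["result"] == "fail" else 1)),
    (re.compile(r"^ids src=(?P<src>\S+) dst=(?P<dst>\S+) sig=(?P<sig>\S+) sev=(?P<sev>\d)$"),
     lambda m: ("ids." + m["sig"], int(m["sev"]))),
]

def normalize(line):
    """Map a raw line from any supported source to the common event schema.
    Returns None for lines no parser recognises (data classification step)."""
    for pattern, classify in PARSERS:
        m = pattern.match(line.strip())
        if m:
            category, severity = classify(m)
            fields = m.groupdict()
            return {"src": fields["src"], "dst": fields.get("dst"),
                    "user": fields.get("user"), "category": category,
                    "severity": severity}
    return None

# Constructed asset profile: criticality weight (1..10) and count of known
# open vulnerabilities, the kind of context asset discovery and VM feeds supply.
ASSETS = {
    "10.0.0.50": {"name": "db-prod", "weight": 10, "vulns": 2},
    "10.0.0.20": {"name": "intranet-web", "weight": 4, "vulns": 0},
}

def is_anomalous(current, history, z=3.0, floor=5):
    """Activity baselining: flag a per-window count that exceeds the historical
    mean by more than z standard deviations and an absolute floor (noise guard)."""
    if len(history) < 2:
        return current >= floor
    mu, sigma = mean(history), pstdev(history)
    return current >= floor and current > mu + z * max(sigma, 1.0)

def build_offenses(lines, history):
    """Correlate normalised events by source IP into offenses and score them.
    `history` maps a source IP to its per-window event counts from earlier windows."""
    buckets = defaultdict(list)
    for line in lines:
        ev = normalize(line)
        if ev:
            buckets[ev["src"]].append(ev)
    offenses = []
    for src, events in buckets.items():
        targets = {e["dst"] for e in events if e["dst"]}
        unknown = {"weight": 1, "vulns": 0}
        worst_asset = max((ASSETS.get(t, unknown) for t in targets),
                          key=lambda a: a["weight"], default=unknown)
        anomalous = is_anomalous(len(events), history.get(src, []))
        # Magnitude combines worst event severity, target criticality, baseline
        # deviation and known vulnerability of the target, capped at 10.
        magnitude = (max(e["severity"] for e in events)
                     + worst_asset["weight"] // 2
                     + (2 if anomalous else 0)
                     + (1 if worst_asset["vulns"] else 0))
        offenses.append({"src": src, "events": len(events),
                         "categories": sorted({e["category"] for e in events}),
                         "targets": sorted(targets), "anomalous": anomalous,
                         "magnitude": min(magnitude, 10)})
    return sorted(offenses, key=lambda o: o["magnitude"], reverse=True)

# Constructed sample window of events from three source types (not real logs).
SAMPLE_LOGS = [
    "fw src=198.51.100.7 dst=10.0.0.50 action=deny",
    "fw src=198.51.100.7 dst=10.0.0.50 action=deny",
    "auth user=dba src=198.51.100.7 result=fail",
    "auth user=dba src=198.51.100.7 result=fail",
    "auth user=dba src=198.51.100.7 result=fail",
    "ids src=198.51.100.7 dst=10.0.0.50 sig=sql-probe sev=4",
    "fw src=192.0.2.10 dst=10.0.0.20 action=accept",
    "auth user=alice src=192.0.2.10 result=ok",
    "garbage line that no parser understands",
]
# Constructed baseline: event counts per source in the five previous windows.
HISTORY = {"198.51.100.7": [1, 0, 2, 1, 1], "192.0.2.10": [2, 3, 2, 2, 3]}

if __name__ == "__main__":
    for offense in build_offenses(SAMPLE_LOGS, HISTORY):
        print(offense)
```

Running the block prints two offenses: the source probing the production database is scored 10 (high severity, critical vulnerable target, six events against a baseline of about one per window), while the routine intranet activity scores 3. The scoring weights are arbitrary; the point is that prioritization comes from combining event severity with asset and baseline context rather than from raw event volume.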

An integrated, unified architecture in a single web-based console

• Log Management
• Security Intelligence
• Network Activity Monitoring
• Risk Management
• Vulnerability Management
• Network Forensics

Use cases


Example 1

SOC for a major Financial Institution internal IT company

Migration from a log correlation engine to a QRadar-based security analytics platform
• Strong compliance requirement
• Fully-integrated services
• Dedicated reporting
• Large coverage of the infrastructure
• Integration of business elements
• Full process integration
• Targeted KPIs

Lessons Learned
• A real project approach is needed
• Use QRadar suite out-of-the-box capabilities
• Define compliance steps from the start and align with Business and Risk departments
• Monitoring & Analytics
• Reporting to Business

Example 2

SOC for a major insurance company in Luxembourg
• The word “SIEM” was totally new for them
• Complete end-to-end approach based on a maturity analysis

Specific needs
• 3 levels of reporting from the SOC: technical, security, business
• Cost effectiveness requirements
• Assistance to create and maintain a Security Incident Management Process
• Particular threat environment
• Mainframe-based core business application

Lessons Learned
• Yes! A specific threat environment exists for insurance companies
• Parallelize scenario-construction tasks and deployment tasks
• Involve the compliance officer from the start
• International compliance
• Specific reporting

Example 3

Client Situation:
• Lack of any SOC model and strategy roadmap
• There was no trained SOC operations team or staff
• No security monitoring tool or processes for security incidents

IBM Solution:
• Global installation of the QRadar monitoring tool
• Archer ticketing system implementation (security tickets)
• Designed the SOC Organization, Process, People model
• SOC capacity modeling
• Hired and trained the client’s SOC staff (~12 resources)
• Implemented SOC operational reporting and executive dashboards

Client Benefits:
• Reduced risks & costs associated with security incidents and data breaches
• Addressed compliance issues by establishing clear audit trails for incident response
• Improved security posture with enterprise-wide security intelligence correlating events from IT & business-critical systems/applications

Profile: Largest bank in Canada, 3rd largest in North America, top 10 globally. The bank serves 18 million clients and has 80,100 employees worldwide.

Summary

Driving simplicity and accelerated time to value

QRadar’s ease-of-use in set-up and maintenance resulted in reduced time to resolve network issues and freed up IT staff for other projects.
Private U.S. University with large online education community

• Immediate discovery of network assets: proactive vulnerability scans, configuration comparisons, and policy compliance checks
• Simplified deployment: automated configuration of log data sources and asset databases
• Automated updates: stay current with latest threats, vulnerabilities, and protocols
• Out-of-the-box rules and reports: immediate time to value with built-in intelligence

IBM QRadar is nearly three times faster to implement across the enterprise than other SIEM solutions.
Source: 2014 Ponemon Institute, LLC, Independent Research Report

QRadar, Managed SIEM and SOC Consulting

SOC Optimization
• Security operations maturity assessment
• SOC strategy and planning
• SOC design and build
• SOC optimization

SIEM Optimization
• SIEM design and build
• Use case design / log acquisition
• SIEM implementation
• SIEM optimization

SIEM Management
• Real-time threat monitoring, incident escalation and response
• SIEM administrative support
• SIEM infrastructure management
• Incident analysis and reporting

Detect threats others miss with IBM QRadar and Managed SIEM
• Augment and optimize staff resources
• More quickly identify and remediate events
• Gain access to best practice design expertise
• Help reduce costs and complexity

IBM Security can help maximize your QRadar investment with SOC and SIEM design, optimization, management and monitoring

Want to learn more? Don’t miss the following InterConnect sessions:
• SIEM Workshop – Discussion on Use Case Development and Problem Solving (Session #4933). Tue 11AM, Mandalay Bay, Ballroom D
• Making Strategic Decisions – What is the most effective Security Operations model for you? (Session #4896). Wed 11AM, Mandalay Bay, Lagoon E
• Building Intelligent Next Generation Security Operations Center – How do I get there? (Session #5198). Wed 3:30PM, Mandalay Bay, Lagoon E

Notices and Disclaimers

Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.

Performance data contained herein was generally obtained in a controlled, isolated environment. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.

References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer’s responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.

Notices and Disclaimers (cont’d)

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

• IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document Management System™, Global Business Services®, Global Technology Services®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.

Thank You

Your Feedback is Important!

Access the InterConnect 2015 Conference CONNECT Attendee Portal to complete your session surveys from your smartphone, laptop or conference kiosk.