World's #1 SIEM technology in GRC (Governance, Risk, Compliance). QRadar Risk Manager provides organizations with a pre-exploit solution that allows network security professionals to assess what risks exist during and after an attack, while also answering many "What if?" questions ahead of time, which can greatly improve operational efficiency and reduce network security risks.

1. Together with

2. “Data Security Solutions” brief intro
Specialization – IT Security
IT Security consulting
(vulnerability assessment
tests, security audit, new
systems integration, HR
training, technical support)
Innovative & selected
software / hardware & hybrid
solutions from leading
technology vendors from
over 10 different countries

3. It doesn’t matter what framework and standard You
are working with as an auditor
It doesn’t matter if You are internal or external
auditor, CSO, CIO, technical or business person
Automated and real time «Security Intelligence» is
what You need as mandatory for GRC –
Risk Assessment & Management
IT Security Governance & Management
Control of activities and environment
Performance measurement and improvement
Benefits from better alignment with business
(costs saving, efficiency etc.)

4. Agenda
Introduction
Security Information and Events Management (SIEM)
Use cases of SIEM
SIEM based Risk Management
Q&A

5. Around 1500 IT Security vendors for
Endpoint Security
Platforms and point solutions
Data Security & Encryption
DLP suites and point solutions
Network Security
Gateway solutions
NAC, visibility, NBA
Authentication, authorization etc.
Traditional and next generation’s
Identity protection
Virtualization and cloud security
IT Security governance
Operational management & Security
Mobile Security

6. Network and security
professionals focus tends to be
on preventing bad things from
happening on the network
There is aleready significant
amount of spending on tools
designed to prevent bad things
from getting in the network
When things go bad, it is
because the network and
security practitioner doesn’t know
what they don’t know

7. User and System Activity
Runaway Application
Customer Transaction
Email BCC
Failed Logon
Security Breach
File Up/Download
Credit Card
Data Access
Information Leak
Privileges Assigned/
Changed
50%?

8. What logs –
Audit logs
Transaction logs
Intrusion logs
Connection logs
System performance
records
User activity logs
Business systems alerts
and different other systems
messages
From where -
Firewalls / Intrusion
prevention
Routers / Switches
Intrusion detection
Servers, desktops, mainfr
ames
Business applications
Databases
Antivirus software
VPN’s
There is no standard format, transportation method for
logs, there are more than 800 log file formats used..

9. Security Intelligence provides actionable and comprehensive insight
for managing risks and threats from protection and detection
through remediation. It could be even called as Security Mega-
System.
Security Intelligence
--noun
1. the real-time collection, normalization, and analytics of the
data generated by users, applications and infrastructure that
impacts the IT security and risk posture of an enterprise

11. Analyze
Act
Monitor
Auto-discovery of log
sources, applications and
assets
Asset auto-grouping
Centralized log mgmt.
Automated configuration
audits
Auto-tuning
Auto-detect threats
Thousands of pre-defined rules and
role based reports
Easy-to-use event filtering
Advanced security analytics
Asset-based prioritization
Auto-update of threats
Auto-response
Directed remediation

12. • Turnkey log management
• SME to Enterprise
• Upgradeable to enterprise SIEM
• Integrated log, threat, risk & compliance mgmt.
• Sophisticated event analytics
• Asset profiling and flow analytics
• Offense management and workflow
• Predictive threat modeling & simulation
• Scalable configuration monitoring and audit
• Advanced threat visualization and impact analysis
• Network analytics
• Behavior and anomaly detection
• Fully integrated with SIEM
• Layer 7 application monitoring
• Content capture
• Physical and virtual environments
SIEM
Log Management
Risk
Management
Network Activity
& Anomaly
Detection
Network and
Application
Visibility
One Console Security
Built on a Single Data Architecture

13. What was the
attack?
Who was
responsible?
How many
targets
involved?
Was it
successful?
Where do I find
them?
Are any of them
vulnerable?
How valuable are
they to the business?
Where is all the
evidence?
Clear & concise delivery of the most relevant information …

14. IRC on port 80?
QFlow enables detection of a covert channel.
Irrefutable Botnet Communication
Layer 7 data contains botnet command and control
instructions.
Potential Botnet Detected?
This is as far as traditional SIEM can go.

15. Authentication Failures
Perhaps a user who forgot their
password?
Brute Force Password
Attack
Numerous failed login attempts against
different user accounts.
Host Compromised
All this followed by a successful login.
Automatically detected, no custom
tuning required.

16. Sounds Nasty…
But how to we know this?
The evidence is a single click away.
Buffer Overflow
Exploit attempt seen by Snort
Network Scan
Detected by QFlow
Targeted Host Vulnerable
Detected by Nessus
Total Visibility
Convergence of Network, Event and Vulnerability data.

17. Potential Data Loss?
Who? What? Where?
Who?
An internal user
What?
Oracle data
Where?
Gmail

19. Assessing the risks =
Log management +
Event management +
Network activity monitoring +
Configuration +
Most successful attacks are result of poor
configuration
Configuration audits are expensive, labor intensive
and time consuming
Config files are inconsistent accross the vendors and
product / technology types
Compliance is mandatory in many industries
Vulnerability Assessment +
VA scanners don’t prioritize based on network context
Vulnerability prioritization is historically complex

29. SIEM is a foundation to security management in 21st
Century for provides mostly the post-exploit value
Risk Manager based on SIEM gives detailed assessment of
network security risk using broad risk indicators such as:
WHAT HAS HAPPENED? (from network activity data and
behaviour analysis)
WHAT CAN HAPPEN? (from topology and configuration)
WHAT HAS BEEN ATTEPMTED? (from events and
contect data)
WHAT IS VULNERABLE AND AT RISK? (from scanners)

30. Prediction & Prevention Reaction & Remediation
IBM Security Intelligence
Simulation of incidents
Error & anomaly detection
Attack path visualization
Compliance automation
Risk Assessment
Continuous real time audit
Single console
Integrated Intelligence
Vizualization
Highest level of protection

32. Predict
Risk
Detect
Insider
Fraud
Consolidate
Data Silos
Exceed
Regulation Mandates
Detect
Threats
Others
Miss

34. www.dss.lv
andris@dss.lv / raivis@dss.lv