Presentation from "International Data Protection Day" IT Security seminary on 28th of January, 2014, organized by "Data Security Solutions", IBM Security Systems partner in the Baltic States.

1. SIEM – silver bullet to ITSEC
Data Security
Solutions
Certified IBM
Business Partner for
IBM QRADAR
Security Intelligence
Park Hotel Maritim
28.01.2014

2. “Data Security Solutions” specializes
Specialization – IT Security
IT Security consulting
(vulnerability
assessment
tests, security audit, new
systems integration, HR
training, technical support)
Innovative & selected
software / hardware & hybrid
solutions
from
leading
technology vendors from
over 10 different countries

3. Agenda
SIEM – Silver bullet to ITSEC
QRadar Security Intelligence
SIEM Use Cases
Qradar v.7.2 update & integrations

4. SIEM – heart of your security system
Security information includes log data generated from
numerous sources, including antivirus software,
intrusion-detection systems (IDS), intrusion-prevention
systems (IPS), file systems, firewalls, routers, servers
and switches.
Monitor events in real time.
Display a real-time view of activity.
Aggregate data.
Provide automated incidence response.
Correlate data from multiple sources.
Send alerts and generate reports.

5. SIEM – SIM & SEM
Security event management (SEM),
which provides real-time monitoring for
security events;
Security information management
(SIM), which provides log management
and reporting for security-related events.

6. Immediate Problems
The cost and complexity of purchasing and
managing storage and monitoring systems
Difficulty accessing huge amounts of data
Limited ability to make queries against historic
log data
Keeping pace with changing user behavior
outside the control of IT (e.g., mobile computing
and communication devices, and the
pervasiveness of social media)
Loss of data fidelity

7. Opportunities To Add New Capabilities
Deep, historical analysis of security events over long
periods (years...not days)
Large-scale investigations to detect advanced
persistent threats
More rapid response to compliance and regulatory
inquiries
Establishing benchmarks for employee, contractor,
supplier and partner behavior in regards to data access,
and measuring variations from those benchmarks
Defining and implementing best practices for
information security management and compliance
reporting
Automated filtering of vast log data to isolate
suspicious event patterns meriting manual investigation

8. Goal of Next-generation SIEM
IT & Network Identity
Management
Operations
Operational
Security
Log management
Compliance reporting
Real-time monitoring
Incident response
Forensic investigation
Log
Tool
Log
Silo
Governance &
Compliance
?
?
? ???
?
?
?? ?? ? ???
? ? ???
?? ? ?
Log Jam
?? ? ?
?
??
? ??
? ??
???
??LOGS
?
??
?
Network
Servers
Databases
???
??
Homegrown
Applications
?

9. Qradar security intelligence

10. QRadar Family
Log
Management
SIEM
Risk
Management
Network
Activity &
Anomaly
Detection
Network and
Application
Visibility
• Turnkey log management
• SME to Enterprise
• Upgradeable to enterprise SIEM
•
•
•
•
Integrated log, threat, risk & compliance mgmt.
Sophisticated event analytics
Asset profiling and flow analytics
Offense management and workflow
• Predictive threat modeling & simulation
• Scalable configuration monitoring and audit
• Advanced threat visualization and impact
analysis
• Network analytics
• Behavior and anomaly detection
• Fully integrated with SIEM
• Layer 7 application monitoring
• Content capture
• Physical and virtual environments

11. QRadar All In One

12. QRadar Distributed Deployment

13. Qradar security intelligence
AppScan and QRadar Integration
Guardium and QRadar Integration
QRadar Risk Manager and SIEM
QRadar vulnerability manager
Other IBM Security Systems

14. AppScan and Qradar Integration
AppScan® Enterprise offers advanced application
security testing and risk management with a platform
that drives governance, collaboration and security
intelligence throughout the application lifecycle.

15. Guardium and Qradar Integration
Guardium offers insight into both database activity on
the network, such as data transfer, and also on local
database and privileged user activity.

16. Qradar Risk Manager and SIEM
QRadar Risk Manager adds many key proactive
security intelligence capabilities designed to help IT
security teams minimize network breaches by reducing
their attack surfaces. Some specific abilities include:
Depicts network topology views; visualizes and assesses risk based on
real-time threat environment, vulnerability posture, and network
configurations
Identifies missing, weak, inefficient and unnecessary firewall rules and
IPS signatures, reducing risk and improving firewall performance
Supports policy compliance for network traffic, topology and vulnerability
exposures
Improves QRadar forensics including determination of offense root cause
and visualization of offense attack paths
Collects firewall, switch, router and IPS/IDS configuration data, which
when combined with discovery of network routes and neighbor information
allows a network topology model to be created.

17. Qradar Vulnerability Manager
QRadar Vulnerability Manager combines automated
vulnerability scanning with a superior understanding of
device configurations, network topology and traffic patterns
to help security teams enact proactive protection measures
in an optimal fashion.
Key integrations for QRadar Vulnerability Manager
include:
Qradar Risk Manager
IBM Security SiteProtector System
X-Force threat intelligence feed
IBM Endpoint Manager
IBM Security AppScan
IBM InfoSphere Guardium Vulnerability Assesment

18. SIEM Use Cases WordCloud

19. SIEM Use Cases Definition
Requirements
Scope
Event Sources
Response

20. Your Use Case
Build YOUR own use case!
React faster
Improve Efficiency
Automate Compliance

21. Use Cases
Vulnerability Correlation
Suspicious Access Correlation
Flow and Event Combo Correlation
Botnet Application Identity
VMware Flow Analysis
Unidirectional Flows Detection
Vulnerability Reporting
Data Loss Prevention
Double Correlation
Policy and Insider Threat Intelligence (Social Media Use
Case)

22. Use Cases
Detecting Threats or Suspicious Changes in Behaviour
Preventative Alerting and Monitoring
Compliance Monitoring
Client-side vulnerability correlation
Excessive Failed Logins to Compliance Servers
Remote Access from Foreign Country Logons
Communication with Known Hostile Networks
Long Durations
Multi-Vector Attack
Device stopped sending Data (Out of Compliance)

23. Social Media Intelligence
Problem:
Social media is an increasing threat to an organization's policies and network;
company employees are the ones who are most likely to fall victim to social
engineering based threats, and serve as entry points for Advanced Persistent
Threats.
Solution: Social media Monitoring& Correlation in real-time:
Qradar’s real-time monitoring and correlation of hundreds of social media sites, such
as Twitter, Facebook, Gmail, LinkedIn, etc., offers automated application aware
insight and identifies social media-based threats by user and application.

24. Social Media Intelligence
With Qradar, you can:
Identify the user responsible for
the data leak.
With Qradar, you can:
Identify all the source,
destination and the actual
corporate credit card number
leaked.

25. Data Loss Prevention
Customer Requirement:
Customer wants to detect when an employee may be stealing customer
contact info in preparation for leaving the company
Solution:
Baseline employee access to CRM
Detect deviations from norm: 1,000 transactions (access to customer
records) vs normal 50 per day
BUT…what if the user is tech savvy or has a geek nephew, and makes
a single SQL query to the back end database?
Profile network traffic between workstations and back-end database or
policy shouldn’t allow direct access to database from workstations

26. Data Loss Prevention
Potential Data Loss?
Who? What? Where?
Who?
An internal user
What?
Oracle data
Where?
Gmail

27. Indavertent Wrongdoing
A/V Server
Trying to update the
entire internet
Issue bubbled to the
top of the offense
manager immediately
post-installation
Problem had existed for
months, but was lost in
firewall logs.
A/V clients were badly
out of date.

28. System Misconfiguration
QRadar reports remote sources scanning internal SQL servers
Firewall admin insists QRadar is incorrect – absolutely no inbound
SQL traffic permitted.
But … months earlier user had requested access to SQL server from
outside campus
Administrator fat-fingered the FW rule and unintentionally allowed
SQL access to & from all hosts

29. Teleportation
Customer Requirement:
Customer wanted to detect users that logged in from IP addresses in
different locations simultaneously.
Solution:
 Create rule to test for 2 or more logins from VPN or AD from different
country within 15 minutes
 Can be extended to check for local login within corporate network and
simultaneous remote login

30. Purell for your VPN
Customer Requirement:
Customer wanted to detect when external systems over the VPN
accesses sensitive servers
Customer was concerned that external system could be infected /
exploited through split tunneling and infect sensistive internal servers
Solution:
 Use latest VA scan of user systems
 Create BB of OSVDB IDs of concern
 Detect when external systems with vulnerabilities access sensitive
servers

31. Uninvited Guests
Customer Requirement:
Wants to identify new systems attached to network. There are active wall
jacks throughout building
Solution:
Set asset database retention to just beyond DHCP lease time (1-2
days)—user out of office/on vacation, asset expires
New machine attaches, rule alerts
Flows for real-time detection: no other SIEM can do this
Can alert on VA import
In 7.0, can build up MAC list in reference sets (~2 wks), then alert
when new MAC appears on network

32. Policy Vialation / Resource Misuse
Customer Requirement:
Detect if there are P2P Server located in Local Area Network

33. Communication to known Bot C&C
Customer Requirement:
Detect if any of internal system is communicating to known Bot
Command and Contrlol

34. Forensic of Administrative Change
Customer Requirement:
New User account creation with administrative privileges
System registry change, Application Installed/Uninstalled
Password reset
Service started/stopped

35. Vulnerability Overview
Customer Requirement:
Generate weekly report for Vulnerabilities

36. Use Cases Summary
Identify the goal for each
event correlation rule (and
use case).
Determine the conditions
for the alert.
Select the relevant data
sources.
Test the rule.
Determine response
strategies, and document
them.

37. Qradar v. 7.2 update
Enhanced asset and vulnerability functionality
Centralized license management
Multicultural support (languages)
Improved bar and pie charts on the Dashboard tab
Data obfuscation
Identity and Access Management (IAM) integration
Browser support
Java 7 support
1500 + reports
New ―QRadar 2100 Light‖ appliance

38. QRadar Vulnerability Scaner
Solution Highlights
New
Unique VA solution integrated
with Security Intelligence
context/data
Providing unified view of all
vulnerability information
Dramatically improving
actionable information through
rich context
Reducing total cost of ownership
through product consolidation
Log
Manager
SIEM
Network
Activity
Monitor
Risk
Manager
Vulnerability
Manager

39. QRadar Vulnerability Manager Integration
New tab in QRadar
Two new deployable components
- QVM Console
• Scan definitions, scan scheduling engine, scan
results
- QVM Scanner
Third component hosted by IBM
- Hosted Scanner, scans a customers DMZ from the
internet

40. QRadar 2100 All-In-One Light
This appliance is an all-in-one appliance that provides
the abilities of the QRadar 2100 appliance
Supports 500 Events Per Second (EPS) instead of 1,000
EPS
Includes Built-in Qflow collector for Layer7 analysis
Upgradeable

41. Q/A
www.dss.lv
info@dss.lv / andris@dss.lv
+371 29162784
+371 26113545