1.
IBM QRadar Security
Intelligence Overview
SECURITY INTELLIGENCE AND SENSE ANALYTICS PROTECTS ASSETS FROM ADVANCED
THREATS

2.
2 IBM Security
Today’s challenges – drive QRadar strategy
Escalating Attacks Resource Constraints
• Increasingly sophisticated
attack methods
• Disappearing perimeters
• Accelerating security
breaches
• Constantly changing
infrastructure
• Too many products from
multiple vendors; costly
to configure and manage
• Inadequate and ineffective
tools
• Struggling security teams
• Too much data with limited
manpower and skills to
manage it all
• Managing and monitoring
increasing compliance
demands
Spear Phishing
Persistence
Backdoors
Designer Malware
Increasing Complexity Resource Constraints

3.
3 IBM Security
Providing actionable intelligence
IBM QRadar
Security Intelligence
Platform
AUTOMATED
Driving simplicity and
accelerating time-to-value
INTEGRATED
Unified architecture
delivered in a single console
INTELLIGENT
Correlation, analysis and
massive data reduction

4.
4 IBM Security
Driving simplicity and accelerated time to value
QRadar’s ease-of-use in set-up and maintenance
resulted in reduced time to resolve network
issues and freed-up IT staff for other projects.
Private U.S. University
with large online education community
Immediate
discovery
of network assets
Proactive vulnerability
scans, configuration
comparisons, and policy
compliance checks
Simplified
deployment
Automated configuration
of log data sources
and asset databases
Automated
updates
Stay current
with latest threats,
vulnerabilities,
and protocols
Out-of-the-
box rules and
reports
Immediate time
to value with built-in
intelligence
IBM QRadar is nearly three times
faster to implement across the
enterprise than other SIEM solutions.
2014 Ponemon Institute, LLC
Independent Research Report

5.
5 IBM Security
Ask the right questions
Security Intelligence
The actionable information derived from the analysis
of security-relevant data available to an organization
What was the impact
to the organization?
What security incidents
are happening right
now?
Are we configured
to protect against
advanced threats?
What are the major risks
and vulnerabilities?
• Gain visibility over the organization’s
security posture and identity security gaps
• Detect deviations from the norm
that indicate early warnings of APTs
• Prioritize vulnerabilities to optimize
remediation processes and close critical
exposures before exploit
• Automatically detect threats with prioritized
workflow to quickly analyze impact
• Gather full situational awareness
through advanced security analytics
• Perform forensic investigation reducing time
to find root-cause; use results to drive faster
remediation
Exploit Remediation
REACTION / REMEDIATION PHASE
Post-ExploitVulnerability Pre-Exploit
PREDICTION / PREVENTION PHASE

6.
6 IBM Security
Ask the right questions
Vulnerability
Manager
Risk
Manager
SIEM Log
Manager
Incident
Forensics
What was the impact
to the organization?
What security incidents
are happening right
now?
Are we configured
to protect against
advanced threats?
What are the major risks
and vulnerabilities?
• Gain visibility over the organization’s
security posture and identity security gaps
• Detect deviations from the norm
that indicate early warnings of APTs
• Prioritize vulnerabilities to optimize
remediation processes and close critical
exposures before exploit
• Automatically detect threats with prioritized
workflow to quickly analyze impact
• Gather full situational awareness
through advanced security analytics
• Perform forensic investigation reducing time
to find root-cause; use results to drive faster
remediation
Exploit Remediation
REACTION / REMEDIATION PHASE
Post-ExploitVulnerability Pre-Exploit
PREDICTION / PREVENTION PHASE

7.
7 IBM Security
Embedded intelligence offers automated offense identification
Suspected
IncidentsServers and mainframes
Data activity
Network and virtual activity
Application activity
Configuration information
Security devices
Users and identities
Vulnerabilities and threats
Global threat intelligence
Automated
Offense
Identification
• Unlimited data collection,
storage and analysis
• Built in data classification
• Automatic asset, service and
user discovery and profiling
• Real-time correlation
and threat intelligence
• Activity baselining
and anomaly detection
• Detects incidents
of the box
Embedded
Intelligence
Prioritized Incidents

8.
8 IBM Security
Answering questions to help prevent and remediate attacks

9.
9 IBM Security
Extend clarity around incidents with in-depth forensics data
Suspected
Incidents
Directed Forensics Investigations
• Rapidly reduce time to resolution
through intuitive forensic workflow
• Use intuition more than technical training
• Determine root cause and prevent
re-occurrences
Embedded
Intelligence
Prioritized Incidents

10.
10 IBM Security
IBM Security App Exchange
A Platform for
Security Intelligence
Collaboration
Single collaboration platform for rapidly delivering
new apps and content for IBM Security solutions
Enable rapid innovation
Single Platform
for Collaboration
Access
Partner Innovations
Certified
Security Apps
Allows QRadar users and partners to
deploy new use cases in an accelerated way
Quickly Extend
QRadar Functionality

11.
11 IBM Security
Enabling comprehensive extensions and 3rd party integration
through the QRadar Application Framework
QRadar API Components NEW
New open API for rapid innovation and creation
Insider Threats Internet of
Things
Incident Response
Cybersecurity
Use Cases
 Market, technology, business specific
 Seamlessly integrated workflow
 Economic and operational benefit
 More flexibility and less complexity

12.
12 IBM Security
IBM zSecure IBM Security AppScan
IBM Security Network
Protection XGS
IBM Security
Access Manager
IBM Security Privileged
Identity Manager
IBM InfoSphere
Guardium
IBM Security
Identity Manager
IBM Security Directory
Server and Integrator
IBM Endpoint Manager
IBM Trusteer Apex
IBM QRadar is the centerpiece of IBM security integration
IBM QRadar
Security Intelligence
Platform

13.
13 IBM Security
IBM QRadar supports hundreds of third-party products
IBM QRadar
Security Intelligence Platform

14.
14 IBM Security
Flexible appliance, virtual, software and cloud architecture for
high performance and rapid deployment
IBM QRadar
Security Intelligence Platform
• Easy-to-deploy, scalable
model using stackable
distributed appliances
• Does not require
third-party databases
or storage
Scalable appliance
architecture
• Offers automatic failover and
disaster recovery
• Hardware, Software, Virtual
deployments
• Cloud, on-premise and hybrid
deployment
• Perpetual, Rental and SAAS
options
Shared modular
infrastructure

15.
15 IBM Security
Key Security Trends
IBM Security Portfolio
Advanced
Threats
Skills
Shortage
Cloud
Adoption
Mobile
Concerns
Compliance
Mandates
Our strategy is to provide integrated solutions to the market
Consulting and Managed Services Integrated Security Technologies
Security Intelligence and Operations Security Intelligence and Analytics
Strategy,
Risk and Compliance
Cloud and
Managed Services
Advanced Fraud Protection
Identity and Access
Management
Services
Data and
Application
Security
Services
Cybersecurity
Assessment
and Response
Identity
and Access
Management
Data
Security
Application
Security
Infrastructure
and Threat
Protection
Advanced Threat and Security Research

16.
16 IBM Security
Example deployment
• SIEM Replacement
 Ability to view Real Time Alerts while maintaining Searching capabilities on
legacy data
 Addition of Network Flow visibility. Where is the IP coming from and attempting
to go
 Configured and Deployed in less than 45 Days
 12 Million Flows , 280,000 Log Sources
 40 Unique Log Source Types across the enterprise
• FireEye, BlueCoat Proxy, Firewalls, Windows, Linux
 Over 5 Billion events being consumed daily
• Other Highlights
 Within first 45 Days saw misconfigured devices
 Able to quickly utilize external feeds "Reference Sets“ of known Indicators of
Compromise "IOC's“
 Routers pinging Chinese Address Space

17.
17 IBM Security
An integrated, unified architecture in a single
web-based console
Log
Management
Security
Intelligence
Network
Activity
Monitoring
Risk
Management
Vulnerability
Management
Network
Forensics

18.
18 IBM Security
Intelligence, integration, automation to stay ahead of the threat
Identify and quickly
remediate
Deploy comprehensive security
intelligence and incident forensics
Detect insider fraud
Adopt next-generation SIEM
with identity correlation
Address regulation
mandates
Automate data collection
and configuration audits
Consolidate
data silos
Collect, correlate and report on
data in one integrated solution
Better predict
business risks
Engage entire lifecycle of risk
management for network
and security infrastructures

19.
Additional Value
QRADAR

20.
20 IBM Security
Security Intelligence platform that enables
security optimization through advanced threat
detection, meet compliance and policy demands
and eliminating data silos
Portfolio Overview
QRadar Log Manager
• Turnkey log management for SMB and Enterprises
• Upgradeable to enterprise SIEM
QRadar SIEM
• Integrated log, flow, threat, compliance mgmt
• Asset profiling and flow analytics
• Offense management and workflow
Network Activity Collectors (QFlow)
• Network analytics, behavior and anomaly detection
• Layer 7 application monitoring
QRadar Risk Manager
• Predictive threat modeling & simulation
• Scalable configuration monitoring and audit
• Advanced threat and impact analysis
QRadar Vulnerability Manager
• Integrated Network Scanning & Workflow
• Leverage SIEM, Threat, Risk to prioritize
vulnerabilities
QRadar Incident Forensics
• Reconstruct raw network packets to original format
• Determine root cause of security incidents and help
prevent recurrences
QRadar Product Portfolio

21.
21 IBM Security
Addressing organizations’ growing cloud security requirements
Increasingcloudadoption
Serviced from
the cloud
Manage from
the cloud
Utilize
the cloud
Collect from
the Cloud
 A cloud-based hybrid SI deployment managed
from the cloud
 Unified view of on-prem and cloud-based
security data
 Cloud-based SI as a Service delivering a
managed and unified view of operations
 On-prem security data forwarded to the cloud &
synthesized with security data from cloud assets
 On-premises hybrid SI deployment that
optimally leverages cloud resources
 Extended data retention periods and
expanded analytical resources
 On-premises SI extending visibility into cloud
applications and infrastructure
 Unified security view of on-premise and cloud
operations

22.
22 IBM Security
 Network traffic doesn’t lie. Attackers can stop logging and erase
their tracks, but can’t cut off the network (flow data)
• Deep packet inspection for Layer 7 flow data
• Pivoting, drill-down and data mining on flow sources for advanced
detection and forensics
 Helps detect anomalies that might otherwise get missed
 Enables visibility into attacker communications
QRadar QFlow - Differentiated by network flow analytics

23.
23 IBM Security
QRadar QFlow fully supports five key use cases
• Detection of zero-day threats through traffic profiling
Detection of malware and virus/worm activity through behavior profiling and anomaly
detection across all network traffic (applications, hosts, protocols, areas of the network)
• Compliance with policy and regulatory mandates via deep analysis of
application data and protocols
Alerting on out-of-policy behavior and traffic, such as traffic being sent to untrustworthy
geographical regions or unsecure protocols
• Social media monitoring
Anomaly detection and DPI-based content capture that identify and alert on social
media-related threats and risks
• Advanced incident analysis via correlation of flow data with log data
Accurate prioritization of incident data and reduction of false positives by correlating
security events with actual network traffic
• Continuous profiling of assets
Collection and monitoring of continuous information feed from hosts, assets and
services, allowing QRadar SIEM to automatically identify and classify new assets and
discover what ports and services they are running

24.
24 IBM Security
Log
Manager
SIEM
Network
Activity
Monitor
Risk
Manager
QRadar QVM
Questions remain:
• Has that been patched?
• Has it been exploited?
• Is it likely to be exploited ?
• Does my firewall block it?
• Does my IPS block it?
• Does it matter?
Existing VMs
 Reduces data load
– Bringing rich context to
Vulnerability Management
 Improves visibility
– Intelligent, event-driven
scanning, asset discovery,
asset profiling and more
 Breaks down silos
– Leveraging all QRadar
integrations and data
– Unified vulnerability view
across all products
Introducing QRadar Vulnerability Manager
Vulnerability
Manager

25.
25 IBM Security
 Contains an embedded, well proven,
scalable, analyst recognised, PCI
certified scanner
 Detects 70,000+ vulnerabilities
 Tracks National Vulnerability Database
(CVE)
 Present in all QRadar log and flow
collectors and processors
 Integrated external scanner
 Complete vulnerability view supporting
3rd party vulnerability system data feeds
 Supports exception and remediation
processes of VM with seamlessly
integrated reporting and dash boarding
Complete Vulnerability Context and Visibility
Integrated
vulnerability
scanner
Network
discovery
and asset
information
IBM
Security
Context
AppScan
Guardium
Endpoint (BigFix)
Network IPS
X-Force
3rd Party
vulnerability
solutions
e.g. Qualys
Rapid7
Nessus
nCircle
McAfee
QRadar Vulnerability – Integrated Vulnerability Management

26.
26 IBM Security
QRadar Risk Manager – Context driven risk prioritization
 Fully integrated Security Intelligence, and
Risk Management solution
 Most comprehensive risk assessment
covering network usage, configuration
data, vulnerability posture, and current
threat environment
 Powerful, simple to use visualization of
network usage and attack paths
enhancing risk and incident response
 Reduced total cost of ownership through
product consolidation
QRadar Risk Manager enhances Security Intelligence by adding
network topology visualization and path analysis, network device
optimization and configuration monitoring, and improved compliance
monitoring/reporting to QRadar SIEM

27.
27 IBM Security
In 2012, 38% of
targets were
attacked again
once the original
incident was
remediated.
QRadar Incident Forensics – Responding quickly to incidents
Attackers spend
an estimated 243 days
on a victim’s
network before being
discovered
Has our
organization been
compromised?
When was
our security
breached?
How to avoid
becoming a
repeat victim?
What resources and
assets are at risk?
What type of
attack is it?
How do we identify
the attack?

28.
28 IBM Security
Our Security Intelligence platform delivers powerful capabilities IT Security Operations Teams
Tells you exactly when
an incident occurred
Delivers intelligence to
guide forensics
investigations
Merges powerful forensics
capability with simplicity
Next generation network forensics: know what happened, fast
Introducing QRadar Incident Forensics:
Leveraging the strengths of QRadar to optimize the process of investigating
and gathering evidence on advanced attacks and data breaches
• Visually construct threat actor relationships
• Builds detailed user and application profiles across
multiple IDs
• Full packet capture for complete session reconstruction
• Unified view of all flow, user, event, and forensic
information
• Retrace activity in chronological order
• Integrated with QRadar to discover true offenses and
prioritize forensics investigations
• Enables search-driven data exploration to return
detailed, multi-level results in seconds

29.
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
FOLLOW US ON:
THANK YOU