DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence

IBM Security Systems

Security strategies to
stay out of the
headlines

Q1 Labs, an IBM Company

Andris Soroka, Data Security Solutions

Q1 Labs 1st Certified Partner in Baltics

© 2012 IBM Corporation
1 © 2012 IBM Corporation


Who we are – specialization security:
Innovative & selected software / hardware
& hybrid solutions from leading technology
vendors from over 10 different countries

IT Security consulting (vulnerability
assessment tests, security audit, new
systems integration, HR training, technical
support)

First in Baltics who had integrated several
innovative IT Security solutions that no one
before has done

First Certified Q1 Labs Partner in the
Baltic States and now IBM Business
Partner continuing working with IBM
Security Portfolio



According to the 2011 Verizon Data Breach Report,
86 percent of breached organizations failed to detect
that their networks were hacked.



Headlines change, cybercrime increases
1995 – 2005 2005 – 2015
1st Decade of the Commercial Internet 2nd Decade of the Commercial Internet

Motive
Nation-state Actors;
National Security Targeted Attacks /
Advanced Persistent Threat
Espionage,
Competitors, Hacktivists
Political Activism

Monetary Gain Organized Crime, using sophisticated tools

Revenge Insiders, using inside information

Curiosity Script-kiddies or hackers using tools, web-based “how-to’s”

Adversary



What happens in IT security world? Maze..

Around 1500 IT Security vendors for
Endpoint Security
Platforms and point solutions
Data Security
DLP suites and point solutions
Network Security
Gateway solutions
NAC, visibility, NBA
Authentication, authorization etc.
Traditional and next generation’s
Identity protection
Virtualization and cloud security
IT Security governance
Operational management & Security
Mobile Security



What do we propose?

Security Intelligence
--noun
1. the real-time collection, normalization, and analytics of
the data generated by users, applications and
infrastructure that impacts the IT security and risk
posture of an enterprise

Security Intelligence provides actionable and comprehensive insight for managing
risks and threats from protection and detection through remediation.



What logs –
Audit logs
Transaction logs
Operational IT & Network Identity Governance &
Intrusion logs Security Operations Management Compliance

Connection logs Log

System performance records
Tool Log
Silo ?
User activity logs ? ? ? ????
Different systems alerts and ? ? ? ??
? ? ? ????
different other systems messages ? ?
? ?
Log Jam ? ? ??
From where - ?
Firewalls / Intrusion prevention ? ? ? ????
? ? ?
? ?????
Routers / Switches ? ?? ?
Intrusion detection ? LOGS
??
?
Servers, desktops, mainframes
Business applications
Databases Network Servers Databases Homegrown
Antivirus software Applications
VPN’s

You cannot control what You cannot see!


Fully Integrated Security Intelligence
• Turnkey log management
Log • SME to Enterprise
Management • Upgradeable to enterprise SIEM
One Console Security

• Integrated log, threat, risk & compliance mgmt.
• Sophisticated event analytics
SIEM • Asset profiling and flow analytics
• Offense management and workflow

• Predictive threat modeling & simulation
Risk • Scalable configuration monitoring and audit
Management • Advanced threat visualization and impact analysis

Network
• Network analytics
Activity &
• Behavior and anomaly detection
Anomaly • Fully integrated with SIEM
Detection

Network and
Application
Built on a Single Data Architecture
• Layer 7 application monitoring
• Content capture
Visibility • Physical and virtual environments



Fully Integrated Security Intelligence

• Turnkey log management
Log • SME to Enterprise
Management • Upgradeable to enterprise SIEM

• Integrated log, threat, risk & compliance mgmt.
• Sophisticated event analytics
SIEM • Asset profiling and flow analytics
• Offense management and workflow

• Predictive threat modeling & simulation
Risk • Scalable configuration monitoring and audit
Management • Advanced threat visualization and impact analysis

Network
• Network analytics
Activity &
• Behavior and anomaly detection
Anomaly • Fully integrated with SIEM
Detection

Network and • Layer 7 application monitoring
Application • Content capture
Visibility • Physical and virtual environments



Q1 Labs- The Security Intelligence Leader

Who is Q1 Labs:
 Innovative Security Intelligence software company
 One of the largest and most successful SIEM vendors
 Leader in Gartner Magic Quadrant (2009-2012)

Award-winning solutions:
 Family of next-generation Log Management, SIEM, Risk Management,
Security Intelligence solutions

Proven and growing rapidly:
 Thousands of customers worldwide
 Five-year average annual revenue growth of 70%+

Now part of IBM Security Systems:
 Unmatched security expertise and breadth of integrated capabilities



Security Intelligence
Use Cases



Clear & concise delivery of the most relevant information …

What was the
attack?

Was it
Who was successful?
responsible?

Where do I find
them? How valuable are
How many they to the
targets business?
involved?

Are any of
them
vulnerable?

Where is all
the evidence?



Total Security Intelligence:
How do we address the challenges?

 Reduce Big Data
 Detect Advanced Persistent Threats
 Predict attacks
 Manage risk



Big Data: Reduce your data silo down



Reducing Data Silos: How it looks in QRadar
Single incident
derived from ~20k
events and 355
flows

 QRadar automatically pulls all related
events and flows into a single security
incident
 Highlights the magnitude / importance
 Reduction into manageable daily
number




 Reduce Big Data
 Predict attacks
 Manage risk



Anatomy of an APT: Communications Company
3rd Party
Software Update Server
Compromised
Trojan “auto-updated”
to Corporate network

Port 8080 used for C&C
activities
35M records stolen
Attackers
create Trojan

60+ Corporate
computers infected Attackers
w/ backdoor agentcreate Trojan

–6 Months Day 0 Day 8


Activity / Behaviour Monitoring, Flow Analytics, Anomaly
Detection
 Behaviour / activity base
lining of users and processes
 Helps detect day-zero
attacks and covert channels
that have no signature or AV
/ IPS detection
 Provides definitive evidence
of attack
 Enables visibility into attacker
communications

Network traffic does not lie
Attackers can stop logging and erase their tracks, but can’t cut off the network (flow data)


Activity and data access monitoring

Visualize Data Risks
Automated charting and reporting
on potential database breaches

Correlate Database and
Other Network Activity
Enrich database security alerts
with anomaly detection and flow
analysis

Better Detect Serious Breaches
360-degree visibility helps distinguish true
breaches from benign activity, in real-time



Anomaly Detection & APTs

User & Application Activity Monitoring alerts to a user anomaly for
Oracle database access.

Identify the user, normal
access behavior and the
anomaly behavior with all
source and destination
information for quickly resolving
the persistent threat.



Stealthy malware detection

Potential Botnet Detected?
This is as far as traditional SIEM can go

IRC on port 80?
QFlow detects a covert channel,
using Layer 7 flows and deep
packet inspection

Irrefutable Botnet Communication
Layer 7 flow data shows botnet
command and control instructions




 Reduce Big Data
 Predict attacks
 Manage risk



The Security Intelligence Timeline: Proactive vs Headlines



Predicting an Attack: How it looks in QRadar
Multiple IP’s attack an IP

Drilling into one
superflow record
shows all IP records
contributing to the
attack

All pulled together in one offence which is detected and
raised immediately to the security team



 Reduce Big Data
 Predict attacks
 Manage risk



Managing risk

CISOs know it’s not if, it’s when they get hacked; yet there is still a gap in ability to
detect breach.
 Breaches are taking longer to discover
 Breaches are not being discovered internally

28Charts from Verizon 2011 Investigative Response Caseload Review © 2012 IBM Corporation


How it looks in QRadar

Potential Data Loss?
Who? What? Where?

Who?
An internal user

What?
Oracle data

Where?
Gmail



QRadar: The Most Intelligent, Integrated,
Automated Security Intelligence Platform

• Proactive threat management
• Identifies most critical anomalies
• Rapid, complete impact analysis

• Eliminates silos • Easy deployment
• Highly scalable • Rapid time to value
• Flexible, future-proof • Operational efficiency



What to do next?

 Visit our stand

 Download the Gartner SIEM Critical Capabilities Report
http://q1labs.com/resource-center/analyst-reports/details.aspx?id=151

 Read our blog http://blog.q1labs.com/

 Follow us on Twitter: @q1labs @ibmsecurity



ibm.com/security

© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is
provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to,
these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its
suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials
to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities
referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a
commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International
Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of
others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper
access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to
or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure
can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will
32 necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT © 2012 IBM Corporation
WARRANT
THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (20)

Semelhante a DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence

Semelhante a DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence (20)

Mais de Andris Soroka

Mais de Andris Soroka (20)

Último

Último (20)

DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence