DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next generation SIEM - Riga NOV 2011

Ray Menard
2011-11-24

Network Security Monitoring

IBM Confidential © 2011 IBM Corporation


QRadar SIEM
Problem Simply Stated

"Electronic intelligence, valuable though it is in its own way,
serves to augment the daunting volume of information which
is directed at headquarters from satellite and aerial
reconnaissance, intelligence-gathering ships, optical
observation, special forces, armoured reconnaissance
teams, and the interrogation of prisoners. Nowadays the
commander is confronted with too much information, rather
than too little, and it is his informed judgment which
ultimately decides what is relevant and important." [NATO,
The Warsaw Pact and the Superpowers, 2° ed. p. 33
Hugh Farringdon

2 IBM Confidential © 2011 IBM Corporation


QRadar SIEM
Problem Simply Stated

“Network and security information, valuable though it is in its
own way, serves to augment the daunting volume of
information which is directed at network and security
practitioners from firewalls and IDS/IPS, sever logs,
application logs, syslog servers, proxy servers and virus
scanners. Nowadays the security practitioner is confronted
with too much information, rather than too little, and it is his
informed judgment which ultimately decides what is relevant
and important."

Ray Menard plagiarized from Hugh Farringdon



QRadar SIEM
Focus on Prevention

Network and security professionals focus tends to
be on preventing bad things from happening on the
network.
There is a significant amount of spending on tools
designed to prevent bad things from getting in the
network
When things go bad, it is because the network and
security practitioner doesn’t know what they don’t
know.



Q1 Labs Delivers Solutions Across the Entire Compliance and
Security Intelligence Lifecycle

Prediction/ Reaction/
Prevention Phase Exploit Remediation Phase Remediation

Pre-Exploit Post-Exploit

Risk Management , Compliance Management,
SIEM, Network/User Anomaly Detection,
Vulnerability Management, Configuration
Log Management
Management



QRadar SIEM
Network and security professionals need

•Ability to quickly and efficiently analyze large
volumes of information, sorting the wheat from the
chaff
•Complete Network and Security Intelligence
•Flexibility to meet the ever changing more
sophisticated threat
•Ability to do more with less as new requirements are
identified
•Visibility and verification
•Time is an enemy!



QRadar SIEM
Overview
QRadar SIEM provides full visibility and actionable insight
to protect networks and IT assets from a wide range of
advanced threats, while meeting critical compliance
mandates.

Key Capabilities:
• Sophisticated correlation of events, flows, assets, topologies,
vulnerabilities, device configurations and external data to identify &
prioritize threats
• Network flow capture and analysis for deep application insight
• Workflow management to fully track threats and ensure resolution
• Scalable architecture to support the largest deployments



“This principle doesn’t mean you should abandon
your prevention efforts. As a necessary ingredient
of the security process, it is always preferable to
prevent intrusions than to recover from them.
Unfortunately, no security professional maintains a
1.000 batting average against intruders. Prevention
is a necessary but not sufficient component of
security.”
(Bejtlich, 2004)



QRadar SIEM
Key Advantages

• Real-time activity correlation based on advanced in-
memory technology and widest set of contextual data
• Flow capture and analysis that delivers Layer 7 content
visibility and supports deep forensic examination
• Intelligent incident analysis that reduces false positives
and manual effort
• Unique combination of fast free-text search and
analysis of normalized data
• Scalability for world’s largest deployments, using an
embedded database and unified data architecture



QRadar SIEM
Product Tour: Integrated Console

• Single browser-based UI
• Role-based access to
information & functions
• Customizable dashboards
(work spaces) per user
• Real-time & historical
visibility and reporting
• Advanced data mining and drill down
• Easy to use rules engine with out-of-the-box security intelligence



QRadar SIEM
Product Tour: Data Reduction & Prioritization
Previous 24hr period of
network and security
activity (2.7M logs)

QRadar correlation &
analysis of data creates
offenses (129)

Offenses are a complete
history of a threat or
violation with full context
about accompanying
network, asset and user
identity information

Offenses are further
prioritized by business
impact


QRadar SIEM
Product Tour: Intelligent Offense Scoring
QRadar judges “magnitude” of offenses:
• Credibility:
A false positive or true positive?
• Severity:
Alarm level contrasted
with target vulnerability

• Relevance:
Priority according to asset or
network value
Priorities can change over
time based on situational
awareness



QRadar SIEM
Product Tour: Offense Management
Clear, concise and comprehensive delivery of relevant information:

What was
the attack?

Was it
Who was successful?
responsible?

Where do I
find them? How valuable
How many are the targets to
targets the business?
involved?

Are any of them
vulnerable?

Where is all
the evidence?



QRadar SIEM
Product Tour: Free text Search



QRadar SIEM
Product Tour: Out-of-the-Box Rules & Searches
Default log queries/views
1000’s of real-time correlation
rules and analysis tests

100’s of out-of-the-box searches
and views of network activity and
log data
 Provides quick access to critical
information

Custom log fields
 Provides flexibility to extract log
data for searching, reporting and
dashboards. Product ships with
dozens of pre-defined fields for
common devices.



"To lack intelligence is to be in the ring blindfolded."
Former Commandant of the Marine Corps,
General David M. Shoup



QRadar SIEM
Product Tour: Flows for Network Intelligence
• Detection of day-zero attacks that have no signature
• Policy monitoring and rogue server detection
• Visibility into all attacker communication
• Passive flow monitoring builds asset profiles & auto-classifies hosts
• Network visibility and problem solving (not just security related)



QRadar SIEM
Product Tour: Flows for Application Visibility
• Flow collection from native infrastructure
• Layer 7 data collection and analysis
• Full pivoting, drill down and data mining on flow sources for
advanced detection and forensic examination
• Visibility and alerting according to rule/policy, threshold, behavior or
anomaly conditions across network and log activity



QRadar SIEM
Product Tour: Compliance Rules and Reports
• Out-of-the-box templates for
specific regulations and best
practices:
• COBIT, SOX, GLBA, NERC,
FISMA, PCI, HIPAA, UK GCSx

• Easily modified to include new
definitions
• Extensible to include new
regulations and best practices
• Can leverage existing
correlation rules



QRadar SIEM
Use Cases
QRadar SIEM excels at the most challenging use cases:

Complex threat detection

Malicious activity identification

User activity monitoring

Compliance monitoring

Fraud detection and data loss prevention

Network and asset discovery



Use Case: Out of the Box



QRadar SIEM
Use Case: Complex Threat Detection
Problem Statement Required Visibility

• Finding the single needle in • Normalized event data
the ‘needle stack’
• Asset knowledge
• Connecting patterns across
many data silos and huge • Vulnerability context
volumes of information • Network telemetry
• Prioritizing attack severity
against target value and
relevance
• Understanding the impact of
the threat



QRadar SIEM
Restating the Problem

“One of the reasons why the state of information
security is so bad is that it is built on a foundation of
islands of point tools for protection against tactical
threats. Managing these systems is an operational
nightmare. What's more, most of these tools aren't
integrated together, so getting a true picture of the
security posture of the whole business is next to
impossible, which may actually lead to additional
security risks.”
Jon Oltsik ESG



QRadar SIEM
Use Case: Complex Threat Detection
Sounds Nasty…
But how do we know this?
The evidence is a single click
away.

Network Scan Buffer Overflow
Detected by QFlow Exploit attempt seen by Snort

Total Security Intelligence
Targeted Host Vulnerable Convergence of Network, Event and Vulnerability data
Detected by Nessus


QRadar SIEM
Use Case: Malicious Activity Identification
• Distributed infrastructure • Distributed detection sensors
• Security blind spots in the • Pervasive visibility across
network enterprise
• Malicious activity that • Application layer knowledge
promiscuously seeks ‘targets
• Content capture for impact
of opportunity’
analysis
• Application layer threats and
vulnerabilities
• Siloed security telemetry
• Incomplete forensics



QRadar SIEM
Use Case: Malicious Activity Identification

Potential Botnet Detected?
This is as far as traditional SIEM can go.

IRC on port 80?
QFlow enables detection of a covert
channel.

Irrefutable Botnet Communication
Layer 7 data contains botnet command and control
instructions.



QRadar SIEM
Use Case: User Activity Monitoring

• Monitoring of privileged and • Centralized logging and
non-privileged users intelligent normalization
• Isolating ‘Stupid user tricks’ • Correlation of IAM information
from malicious account activity with machine and IP
• Associating users with addresses
machines and IP addresses • Automated rules and alerts
focused on user activity
• Normalizing account and user
monitoring
information across diverse
platforms



QRadar SIEM
Use Case: User Activity Monitoring
Authentication Failures
Perhaps a user who forgot his/her
password?

Brute Force Password
Attack
Numerous failed login attempts against
different user accounts

Host Compromised
All this followed by a successful login.
Automatically detected, no custom
tuning required.


QRadar SIEM
Use Case: Fraud & Data Loss Prevention

• Validating your monitoring • Application layer visibility
efforts against compliance • Visibility into network
requirements segments where logging is
• Ensuring that compliance problematic
goals align with security goals
• Logs alone don’t meet
compliance standards



QRadar SIEM
Use Case: Fraud & Data Loss Prevention
Potential Data Loss?
Who? What? Where?

Who?
An internal user

What?
Oracle data

Where?
Gmail



QRadar SIEM
Use Case: Network and Asset Discovery
Problem Statement Required Capability
• Integration of asset information • Real-time knowledge of all
into security monitoring assets on a network
products is labor intensive
• Visibility into asset
• Assets you don’t know about communication patterns
pose the greatest risk
• Classification of asset types
• Asset discovery and
classification is a key tenet of • Tight integration into pre-
many compliance regulations defined rules

• False positive noise
jeopardizes effectiveness of a
SIEM solution



QRadar SIEM
Use Case: Network and Asset Discovery
Automatic Asset Discovery
Creates host profiles as network activity is
seen to/from

Passive Asset Profiling
Identifies services and ports on hosts by
watching network activity

Server Discovery
Identifies & classifies server infrastructure
based on these asset profiles

Correlation on new assets & services
Rules can fire when new assets and
services come online

Enabled by QRadar QFlow and
QRadar VFlow


QRadar SIEM
Intelligent, Integrated and Automated

• Intelligent offense management
• Layer 7 application visibility
• Identifies most critical anomalies

• Distributed architecture
• Easy deployment
• Highly scalable
• Rapid time to value
• Analyze logs, flows,
• Operational efficiency
assets and more



QRadar SIEM
Architecture
Console
• Major components can be
distributed to separated
appliances
• All centrally managed from the
Console
• Event and Flow collection Processor(s)
• Rule Correlation
• Data Storage
• Data Retrieval

Collector(s)



QRadar SIEM
Architecture: All-In-One



QRadar SIEM
Architecture: Distributed



QRadar SIEM
Architecture: Global



QRadar Family
Intelligent, Integrated, Automated

QRadar QRadar
QRadar QRadar QRadar
Log Risk
SIEM QFlow VFlow
Manager Manager

Security Intelligence Operating System

Providing complete network and security intelligence,
delivered simply, for any customer



"In the future everyone will be world-famous for fifteen
minutes“
Andy Warhol



Thank you!


DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next generation SIEM - Riga NOV 2011

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (19)

Destaque

Destaque (15)

Semelhante a DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next generation SIEM - Riga NOV 2011

Semelhante a DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next generation SIEM - Riga NOV 2011 (20)

Mais de Andris Soroka

Mais de Andris Soroka (20)

Último

Último (20)

DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next generation SIEM - Riga NOV 2011