Keep learning:
IBM Security Learning Academy for Tech Sellers
Visit https://www.securitylearningacademy.com and select “Technical Sales Education”
• Over 24 self-paced learning activities and online courses, with new offerings added regularly
• Roadmaps by SOAR & IRP and product segment
• Go from beginner to advanced at your own pace
3 IBM Security
Course Outline
• Introduction to IBM QRadar
• QRadar Data Flow Architecture Overview
• Deployment, Licensing and Appliance Types
• Navigate the user interface
• Dashboard, Data Sources, Building a Search, Offenses
• Reports, Rules and Managing Assets & Reference Data Collections
• DSM Editor
• Tuning Overview
• Sizing/Scope Overview
Why do we need Security Intelligence and a security immune system?
Drivers: compliance, human error, skills gap, advanced attacks, innovation
Attackers break through conventional safeguards every day
• $7M: average cost of a U.S. data breach
• 201 days: average time to identify a data breach
• 2014: 1+ billion records; 2015: unprecedented impact; 2016: 4+ billion records
An integrated and intelligent security immune system
Capabilities shown in the immune system diagram: criminal detection; fraud protection; workload protection; cloud access security broker; access management; entitlements and roles; privileged identity management; identity management; data access control; application security management; application scanning; data monitoring; device management; transaction protection; content security; malware protection; endpoint detection and response; endpoint patching and management; virtual patching; firewalls; network forensics and threat management; sandboxing; network visibility and segmentation; indicators of compromise; IP reputation; threat sharing; vulnerability management; incident response; user behavior analysis; threat hunting and investigation; cognitive security; threat and anomaly detection
IBM security immune system portfolio
Security Transformation Services: Management consulting | Systems integration | Managed security
Information Risk and Protection: MaaS360, Trusteer Mobile, Trusteer Rapport, Trusteer Pinpoint, AppScan, Guardium, Cloud Security, Privileged Identity Manager, Identity Governance and Access, Cloud Identity Service, Key Manager, zSecure
Security Operations and Response: X-Force Exchange, QRadar Incident Forensics, BigFix, QRadar Network Security (XGS), App Exchange, QRadar Vulnerability / Risk Manager, Resilient Incident Response, QRadar User Behavior Analytics, i2 Enterprise Insight Analysis, QRadar Advisor with Watson, QRadar SIEM
The QRadar Ecosystem – Intelligent Detection
• Predict and prioritize security weaknesses
̶ Gather threat intelligence information
̶ Manage vulnerabilities and risks
̶ Augment vulnerability scan data with context for optimized prioritization
̶ Manage device configurations (firewalls, switches, routers, IPS/IDS)
• Detect deviations to identify malicious activity
̶ Establish baseline behaviors
̶ Monitor and investigate anomalies
̶ Monitor network flows
• React in real time to exploits
̶ Correlate logs, events, network flows, identities, assets, vulnerabilities, and configurations, and add context
̶ Use automated and cognitive solutions to make data actionable by existing staff
What is Security Intelligence?
Security Intelligence (noun): the real-time collection, normalization, and analytics of the data generated by users, applications, and infrastructure that impacts the IT security and risk posture of an enterprise
Ask the right questions – The exploit timeline
Prediction / prevention phase (vulnerability, pre-exploit): What are the major risks and vulnerabilities? Are we configured to protect against advanced threats? (Vulnerability Manager, Risk Manager)
Exploit
Reaction / remediation phase (post-exploit, remediation): What security incidents are happening right now? What was the impact to the organization? (SIEM, Incident Forensics)
• Gain visibility over the organization’s security posture and identify security gaps
• Detect deviations from the norm that indicate early warnings of APTs
• Prioritize vulnerabilities to optimize remediation processes and close critical exposures before exploit
• Automatically detect threats with prioritized workflow to quickly analyze impact
• Gather full situational awareness through advanced security analytics
• Perform forensic investigation, reducing time to find the root cause; use results to drive faster remediation
IBM QRadar Vulnerability Manager: scan, assess, and remediate vulnerabilities
• Contains an embedded, well-proven, scalable, analyst-recognized vulnerability detection engine that detects more than 70,000 vulnerabilities
• Integrates into the QRadar ecosystem
• Is present on all QRadar event and flow collector and processor appliances (QRadar 7.2 and up) as well as QRadar data nodes (QRadar 7.2.8 and up)
• Integrates with endpoint management (IBM BigFix), web application security (IBM AppScan), database security (IBM Guardium), and network management (IBM Security SiteProtector)
• Leverages QRadar Risk Manager to report which vulnerabilities are blocked by your IPS and firewall
• Uses QFlow to report whether a vulnerable application is active
• Presents a prioritized list of vulnerabilities you should deal with as soon as possible
IBM QRadar Risk Manager: scan, assess, and remediate risks
• Network topology model based on security device configurations enables visualization of actual and potential network traffic patterns
• Policy engine correlates network topology, asset vulnerabilities and configuration, and actual network traffic to quantify and prioritize risk, enabling risk-prioritized remediation and compliance checking, alerting, and reporting
• Centralizes network security device configuration data and discovers configuration errors; monitors firewall rule activity
• Models threat propagation and simulates network topology changes
Capabilities: asset risk quantification; remediation prioritization; network topology; policy and compliance monitoring; threat simulations
QRadar embedded intelligence offers automated offense identification
Data sources (suspected incidents): servers and mainframes; data activity; network and virtual activity; application activity; configuration information; security devices; users and identities; vulnerabilities and threats; global threat intelligence
Embedded intelligence:
• Correlation: logs/events, flows, IP reputation, geographic location
• Activity baselining and anomaly detection: user activity, database activity, application activity, network activity
• Offense identification: credibility, severity, relevance
Output: prioritized incidents; secure archive
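The pipeline on this slide (normalize raw events, correlate them with asset, vulnerability and IP-reputation context, compare activity against a baseline, then score the result by credibility, severity and relevance) can be shown end to end in a few dozen lines. The Python below is an added example written for this page; it is not deck content and not QRadar code. The two log formats, the asset table, the reputation list, the per-user baselines and the arithmetic that folds the three factors into a single magnitude are all constructed assumptions, chosen only to make the mechanics visible.

```python
import json
import re
from collections import defaultdict

# Constructed sample events in two raw formats (a netfilter-style firewall
# line and a JSON application log); they are not real log-source output.
RAW_EVENTS = [
    "Jan 10 09:01:02 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 DPT=22",
    "Jan 10 09:01:05 fw01 kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 DPT=22",
    '{"ts":"2024-01-10T09:01:09Z","host":"10.0.0.5","src":"203.0.113.7","user":"svc_backup","event":"login_failed"}',
    '{"ts":"2024-01-10T09:01:12Z","host":"10.0.0.5","src":"203.0.113.7","user":"svc_backup","event":"login_failed"}',
    '{"ts":"2024-01-10T09:01:15Z","host":"10.0.0.5","src":"203.0.113.7","user":"svc_backup","event":"login_ok"}',
    '{"ts":"2024-01-10T09:02:00Z","host":"10.0.0.9","src":"10.0.0.20","user":"alice","event":"login_ok"}',
]

# Constructed context of the kind a SIEM pulls from asset, vulnerability and
# threat-intelligence feeds (assumed values, not a real asset database).
ASSETS = {
    "10.0.0.5": {"name": "db01", "business_weight": 9, "vulnerable_ports": {22}},
    "10.0.0.9": {"name": "ws-alice", "business_weight": 3, "vulnerable_ports": set()},
}
IP_REPUTATION = {"203.0.113.7": "scanner"}                 # external source with bad reputation
BASELINE_FAILED_LOGINS = {"svc_backup": 0.2, "alice": 0.5}  # mean failed logins per user per window

FW_RE = re.compile(r"(?P<action>DROP|ACCEPT) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)")


def normalize(line):
    """Map one raw line onto a common schema: src, dst, port, user, category."""
    if line.startswith("{"):
        rec = json.loads(line)
        return {"src": rec["src"], "dst": rec["host"], "port": None,
                "user": rec["user"], "category": "auth." + rec["event"]}
    m = FW_RE.search(line)
    if not m:
        raise ValueError("unparsed line: " + line)
    return {"src": m["src"], "dst": m["dst"], "port": int(m["dpt"]),
            "user": None, "category": "fw." + m["action"].lower()}


def build_offenses(raw_lines):
    """Correlate normalized events per target host and score the result.

    The three factors mirror the slide (credibility, severity, relevance); the
    arithmetic combining them is this example's assumption, not QRadar's formula.
    """
    by_dst = defaultdict(list)
    for e in map(normalize, raw_lines):
        by_dst[e["dst"]].append(e)

    offenses = []
    for dst, events in by_dst.items():
        cats = {e["category"] for e in events}
        bad_srcs = {e["src"] for e in events if e["src"] in IP_REPUTATION}
        ports = {e["port"] for e in events if e["port"] is not None}
        failed = defaultdict(int)
        for e in events:
            if e["category"] == "auth.login_failed":
                failed[e["user"]] += 1
        # Anomaly: failed logins well above the user's baseline, followed by a
        # successful login for the same user in the same window.
        anomalous_users = [
            u for u, n in failed.items()
            if n >= 2 and n > 3 * BASELINE_FAILED_LOGINS.get(u, 0)
            and any(e["category"] == "auth.login_ok" and e["user"] == u for e in events)
        ]
        asset = ASSETS.get(dst, {"name": dst, "business_weight": 1, "vulnerable_ports": set()})

        # Credibility: how many independent source types corroborate the story.
        credibility = min(10, 3 * len({c.split(".")[0] for c in cats}) + 4 * bool(bad_srcs))
        # Severity: what actually happened (drops alone are low; accept + auth anomaly is high).
        severity = 2 + 3 * ("fw.accept" in cats) + 5 * bool(anomalous_users)
        # Relevance: how much the business cares about the target and whether it was exposed.
        relevance = min(10, asset["business_weight"] + 2 * bool(ports & asset["vulnerable_ports"]))
        magnitude = round((credibility + severity + relevance) / 3)
        if magnitude < 5:  # below threshold: events stay in the archive, no offense is raised
            continue
        offenses.append({"target": asset["name"], "sources": sorted(bad_srcs),
                         "anomalous_users": anomalous_users, "credibility": credibility,
                         "severity": severity, "relevance": relevance, "magnitude": magnitude})
    return sorted(offenses, key=lambda o: o["magnitude"], reverse=True)


if __name__ == "__main__":
    for offense in build_offenses(RAW_EVENTS):
        print(offense)
```

Run as a script, the constructed input yields a single offense against db01 (magnitude 10) because three things line up: a firewall accept from a source with bad reputation, a failed-then-successful login burst for svc_backup above its baseline, and a high-value asset exposed on the targeted port. The login on ws-alice is normal on every axis and never becomes an offense, which is the point of scoring rather than alerting on raw events.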
QRadar embedded intelligence directs focus for investigations
Suspected incidents → embedded intelligence → prioritized incidents → directed forensics investigations
• Reduce time to resolution through intuitive forensic workflow
• Use intuition more than technical training
• Determine root cause and prevent recurrences
Benefits of IBM Security Intelligence approach using QRadar
• Threat and Anomaly Protection
• Incident Forensics and Response
• Compliance Reporting
• User Behavior Analytics
• Vulnerability and Risk Management
• Cognitive Security
An integrated, unified architecture in a single console, with configurable dashboards
Identifying suspected attacks and policy violations
• What was the attack?
• Is the attack credible?
• How valuable are the targets to the business?
• Who was responsible for the attack?
• Where are they located?
• What was stolen and where is the evidence?
• Are any assets vulnerable?
• How many targeted assets are involved?
Providing functional context
To enable security analysts to perform investigations, QRadar SIEM correlates information such as:
• Point in time
• Offending users
• Origins
• Targets
• Asset information
• Vulnerabilities
• Known threats
• Behavioral analytics
• Cognitive analytics
Network flow analytics
• Provides insight into raw network traffic: attackers can interfere with logging to erase their tracks, but they cannot cut off the network (flow data)
• Allows deep packet inspection for Layer 7 flow data: pivoting, drill-down, and data-mining activities on flow sources allow for advanced detection and forensics
• Helps to detect anomalies that might otherwise be missed
• Helps to detect zero-day attacks that have no signature
• Provides visibility into all attacker communications
• Uses passive monitoring to build asset profiles and classify hosts
• Improves network visibility and helps resolve traffic problems
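Two of the bullets above, passive asset profiling from flows and anomaly detection on flow data, are concrete enough to demonstrate. The Python below is an added example for this page, not QFlow or QRadar code: it learns a per-host profile (services offered, peers contacted, largest outbound transfer) from a baseline set of flow records and then flags later flows that contradict that profile. The flow records, the "two or more distinct clients on a port makes a server" rule and the tenfold volume factor are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records, not real QFlow output.
# Fields: src_ip, src_port, dst_ip, dst_port, proto, bytes_out, bytes_in
BASELINE_FLOWS = [
    ("10.0.0.20", 51000, "10.0.0.5", 5432, "tcp", 1200, 8000),
    ("10.0.0.21", 51001, "10.0.0.5", 5432, "tcp", 900, 7500),
    ("10.0.0.22", 51002, "10.0.0.5", 5432, "tcp", 1100, 8200),
    ("10.0.0.20", 51003, "10.0.0.7", 443, "tcp", 700, 30000),
    ("10.0.0.21", 51004, "10.0.0.7", 443, "tcp", 650, 28000),
    ("10.0.0.20", 51005, "198.51.100.9", 443, "tcp", 500, 15000),
]
# Later window: one ordinary client query, and the database server itself
# opening an outbound connection to an unfamiliar external peer.
NEW_FLOWS = [
    ("10.0.0.22", 51006, "10.0.0.5", 5432, "tcp", 1000, 7900),
    ("10.0.0.5", 44000, "198.51.100.23", 4444, "tcp", 52_000_000, 2000),
]


def profile_assets(flows):
    """Passively profile every IP seen in the flows.

    A host is a server if some port receives connections from at least two
    distinct clients (assumed threshold); a host that only initiates flows is a
    client; anything else is unknown until more traffic is seen.
    """
    inbound = defaultdict(lambda: defaultdict(set))  # ip -> port -> set(client ips)
    outbound = defaultdict(set)                      # ip -> set((dst_ip, dst_port))
    max_out = defaultdict(int)                       # ip -> largest bytes_out observed
    for src, _sport, dst, dport, _proto, b_out, _b_in in flows:
        inbound[dst][dport].add(src)
        outbound[src].add((dst, dport))
        max_out[src] = max(max_out[src], b_out)

    profiles = {}
    for ip in set(inbound) | set(outbound):
        services = {port: len(clients) for port, clients in inbound[ip].items()}
        if services and max(services.values()) >= 2:
            role = "server"
        elif outbound[ip]:
            role = "client"
        else:
            role = "unknown"
        profiles[ip] = {"role": role, "services": services,
                        "peers_out": set(outbound[ip]), "max_bytes_out": max_out[ip]}
    return profiles


def detect_flow_anomalies(profiles, flows, volume_factor=10):
    """Flag flows that contradict the learned profile of their source host."""
    findings = []
    for src, _sport, dst, dport, _proto, b_out, _b_in in flows:
        prof = profiles.get(src)
        if prof is None:
            continue  # never-seen host: profile it before judging it
        reasons = []
        # Servers normally answer; a server initiating to a peer it never used is notable.
        if prof["role"] == "server" and (dst, dport) not in prof["peers_out"]:
            reasons.append("server initiated connection to unseen peer %s:%d" % (dst, dport))
        # Outbound volume far beyond anything this host sent during the baseline.
        if b_out > volume_factor * max(prof["max_bytes_out"], 1):
            reasons.append("outbound volume %d bytes exceeds %dx baseline" % (b_out, volume_factor))
        if reasons:
            findings.append({"src": src, "dst": dst, "dst_port": dport, "reasons": reasons})
    return findings


if __name__ == "__main__":
    profiles = profile_assets(BASELINE_FLOWS)
    for ip, prof in sorted(profiles.items()):
        print(ip, prof["role"], prof["services"])
    for finding in detect_flow_anomalies(profiles, NEW_FLOWS):
        print(finding)
```

On the constructed data the profiler classifies 10.0.0.5 (three clients on 5432) and 10.0.0.7 (two clients on 443) as servers and the 10.0.0.2x hosts as clients. The client query in NEW_FLOWS matches the profile and is ignored; the server-initiated, high-volume flow to 198.51.100.23:4444 is reported with both reasons. Neither signal needs a signature, which is the slide's argument for keeping flow data alongside logs.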
Extensible functional architecture
Open Ecosystem
• IBM Security App Exchange provides access to apps from leading security partners
• Out-of-the-box integrations for 500+ third-party security products
• Open APIs allow for custom integrations and apps
Cognitive Analytics
• QRadar Sense Analytics allows you to inspect events, flows, users, and more
• Speed analysis with visuals, query, and auto-discovery across the platform
• Augment your analysts’ knowledge and insights with QRadar Advisor with Watson
Deep Threat Intelligence and Analysis
• IBM X-Force Exchange helps you stay ahead of the latest threats and attacks
• Extend investigations to cyber threat analysis with i2 Enterprise Insight Analysis
• Powered by the X-Force Research team and 700TB+ of threat data
• Share data with a collaborative portal and STIX / TAXII standards
Cognitive Analytics: Revolutionizing how security analysts work
• Natural language processing with security that understands, reasons, learns, and interacts
Watson determines the specific campaign (Locky), discovers more infected endpoints, and sends results to the incident response team
Open Ecosystem and Collaboration
• Application extensions to enhance visibility and productivity
https://exchange.xforce.ibmcloud.com
Deep Threat Intelligence
• Crowd-sourced information sharing based on 700+TB of threat intelligence
https://exchange.xforce.ibmcloud.com