5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016

© 2015 IBM Corporation
Mark Ehr
IBM Security
5 Ways to Get Even More from Your
IBM Security QRadar Investment in
2016

2© 2015 IBM Corporation
About Mark Ehr
 Mark Ehr (pronounced ‘air’); Colorado native, based in Denver
 33 years industry experience, 15 years in security; United 1M+ mile
flyer; visited 27 countries and 48 States
 Joined IBM via BigFix in 2010; moved to QRadar shortly after Q1 Labs
acquisition in 2011
 3 years as QRadar Product Manager; today I lead sales enablement for
Security Intelligence (QRadar)
 During my tenure as a QRadar PM, managed QRadar Vulnerability
Manager and QRadar Risk Manager, plus BigFix integration

Agenda
Today’s challenges, aka what keeps us up at night!
IBM Internal
1
IBM Security Intelligence strategy
2
IBM Security QRadar 7.2.6, aka the 5 10+ ways…
3
4 Q&A

What keeps us up at night? Plenty.

Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2015
Attack types
2012
40% increase
2013
800,000,000+ records
2014
Unprecedented impact
XSS SQLiMisconfig. Watering
Hole
Brute
Force
Physical
Access
Heartbleed Phishing DDoS Malware Undisclosed
Attackers break through conventional safeguards every day
V2015-07-30
$6.5Maverage cost of a U.S. data breachaverage time to detect APTs
256 days
Source: 2015 Cost of Data Breach Study, Ponemon Institute

New technologies introduce new risks…
V2015-04-24
of security leaders
expect a major cloud provider to suffer
a significant security breach in the future
44% 33%
of organizations don’t
test their mobile apps
of enterprises have difficulty
finding the security skills they need
Source: Enterprise Information Security in Transition, 2012 ESG Technology Brief
85 security tools from
45 vendors
Source: IBM Client Example
… and traditional security practices are unsustainable
83%
Source: November 2014, “Security for the Cloud and on the Cloud”, Security Intelligence.com

Today’s challenges
Escalating Attacks Increasing Complexity Resource Constraints
• Increasingly sophisticated
attack methods
• Disappearing perimeters
• Accelerating security
breaches
• Constantly changing
infrastructure
• Too many products from
multiple vendors; costly
to configure and manage
• Inadequate and ineffective tools
• Struggling security teams
• Too much data with limited
manpower and skills
to manage it all
• Managing and monitoring
increasing compliance demands
Spear Phishing
Persistence
Backdoors
Designer Malware

Security Intelligence across the threat lifecycle is key
What was the impact
to the organization?
What security incidents
are happening right now?
Are we configured
to protect against
advanced threats?
What are the major risks
and vulnerabilities?
Security Intelligence
The actionable information derived from the analysis
of security-relevant data available to an organization
• Gain visibility over the organization’s
security posture and identity security gaps
• Detect deviations from the norm
that indicate early warnings of APTs
• Prioritize vulnerabilities to optimize
remediation processes and close critical
exposures before exploit
• Automatically detect threats with prioritized
workflow to quickly analyze impact
• Gather full situational awareness
through advanced security analytics
• Perform forensic investigation reducing time
to find root-cause; use results to drive faster
remediation
Exploit Remediation
REACTION / REMEDIATION PHASE
Post-ExploitVulnerability Pre-Exploit
PREDICTION / PREVENTION PHASE

Security
Intelligence
on Cloud
Flexible solution
that can deploy as
either a true SaaS
offering or combine
with hybrid cloud
environments to
improve visibility
into cloud-based
applications
Network
Forensics
Incident
forensics
and packet
captures
Vulnerability
and Risk
Management
Real-time
vulnerability
scanning and
prioritizations,
combined with
configuration
analysis, policy
monitoring, and
risk assessment
Log
Management
Identity
management,
complete log
management,
and compliance
reporting
SIEM
SIM and
VA integration
ClientNeeds
Flow
Visualization
and NBAD
Anomaly detection
and threat
resolution
Platformevolutionbasedonclientneeds
IBM Security
App Exchange
and X-Force
Exchange
An on-line
repository for
sharing QRadar
software
enhancements
and an aggregated
threat intelligence
and collaboration
platform
integrated with
QRadar
Continued investment based on client needs
2002 – 2005 2006 – 2007 2008 – 2009 2010 – 2013 2014 2015 2015

IBM Security Intelligence strategy

Establish security as a system
Key integrated capabilities
Threat Research
Endpoint
Advanced
Fraud
Data
MobileNetwork
Applications
Identity
and Access
Endpoint patching
and management
Malware
protection
Fraud
protection
Criminal
detection
Data access control
Data monitoring
Device
management
Content security
Network visibility
Application
security
management
Access management
Identity management
Entitlements and roles
Application
scanning
Virtual patching
Transaction
protection
Log, flow and
big data analysis
Anomaly
detection
Vulnerability
assessment
Incident
and threat
management
Ecosystem Partners
Sandboxing
Firewalls
Anti-
virus
Consulting
Services
Managed
Services
Security
Intelligence

IBM QRadar is the centerpiece of IBM Security integrations
IBM X-Force Research
Trusteer Apex
Endpoint
zSecure
BigFix
Advanced
Fraud
Trusteer
Pinpoint
Trusteer
Rapport
Data
Key Lifecycle Manager
Guardium Suite
Mobile
MobileFirst Protect
(MaaS360)
MobileFirst Platform
(Worklight)
Network
Network Protection XGS
SiteProtector
Applications
Identity
and Access
QRadar
Incident
Forensics
QRadar
Risk
Manager
Ecosystem Partners
Trusteer
Mobile
Network Protection GX
QRadar SIEM
QRadar Log
Manager
QRadar Vulnerability
Manager
Big Data
i2 Analytics
Privileged Identity Manager
Access Manager
Identity Manager
Federated Identity Manager
AppScan
Suite
DataPower
Web Security
Gateway
Consulting
Services
Managed
Services
Security
Intelligence

Identity
and Access
ISAM ISIM
PIM
Key integrations for Security Intelligence
Endpoint
Trusteer Apex
BigFix
IBM X-Force
Security
Intelligence
Mobile
MaaS360
Applications
AppScan
Data
Guardium
Network
Network
XGS
QRadar
Provide increased
visibility into network
Network security flows
Correlate status and
severity monitoring
Vulnerability and patch data
Gain input on
malware attacks
Endpoint malware events
Provide identity context
aware security intelligence
Identity attributes, logs and flows
Provide in-depth data
activity monitoring and
vulnerability assessment
Security events and
vulnerabilities
Place activity in external
context and determine
offense severity
Global real-time threat and
vulnerability data
Understand mobile
security landscape
Compliance alerts
Security events and vulnerabilities
Understand application
security landscape and improve
threat detection accuracy
1 2
3
4
5
6
7 8

A dynamic, integrated system to help stop advanced threats
The IBM Threat Protection System
Break-in1
Latch-on2
Expand3
Gather4
Exfiltrate5
Attack Chain

Applications
AppScan
Data
Guardium
Network
Network XGS
Identity
and Access
ISIM ISAM
FIM PIM
Endpoint
BigFix
Focus on critical points in the attack chain
Integrated Capabilities
1. Secure network traffic
Gain visibility into your assets
Create a secure perimeter
around identities
Assess threats and
create security offenses
1
2
3
1. Validate endpoint
patch status
Endpoint patch data
1. Lock down
database usage
Database
vulnerabilities
Security
Intelligence
QRadar
1. Prevent web
application
vulnerabilities
Application vulnerabilities
2. Provide user activity
and anomaly detection
Identity event logs
Detect
RespondPrevent
Threat Intelligence Network
Address the most critical
risks first
3. Find and prioritize
vulnerabilities

Network
Network XGS
Identity
and Access
PIM ISAM
Endpoint
Trusteer Apex
Detect and block malicious activity
2. Block exploits as they
traverse the network
Monitor user activity
Block threats and exploits
Produce actionable intelligence
1
2
3
2. Dynamically detect and
block endpoint malware
Endpoint malware events
1. Send privileged user details to
correlate with user’s activity
Identity and access data,
user credentials
Security
Intelligence
QRadar
Detect
RespondPrevent
Data
Guardium
1. Authorize
database activities
Audit data
Intelligent correlation of
events, flows, topologies,
vulnerabilities and threats
3. Detect anomalous
activity

Find out what happened,
when
3. Correlate events
Security
Intelligence
QRadar
Data
Guardium
Network
Network XGS
Endpoint
BigFix
Investigate breaches and learn from findings
Perform real-time
incident response
Perform post-attack
incident forensics
Prepare for and withstand
security breaches
1
2
3
Detect
RespondPrevent
Identity
and Access
ISIM ISAM
2. Validate user permissions
Identity and access data
1. Check patch status of
compromised machines
Patch data
1. Search activity
across IP addresses
2. Provide visibility
into the database
Database events
IBM Emergency
Response Services

Security
Intelligence
QRadar
Network
Network XGS
Endpoint
Trusteer Apex
Leverage global threat research and intelligence sharing
Provide real-time
threat data
Catalog vulnerabilities
Share threat intelligence
1
2
3
Respond
Detect
Prevent
1. Address the latest threats and
provide intelligent blocking
Threat data, IP and URL reputation
1. Provides millions of
malware samples
collected daily
Malware threat intelligence
2. Place activity in external context
and determine offense severity
Global real-time threat and
vulnerability data
IBM
X-Force
Provide zero day threat
alerts and exploit triage
3. Share real-time threat
intelligence data based on
dynamic data

How get even more from your
QRadar investment in 2016
QRadar V7.2.6, December 2015

A quick preview of the 5 10+ ways
1. IBM Security AppExchange = QRadar apps and market!
2. Automated threat response
3. Data obfuscation
4. Real time and historical analytics
5. Enhanced BigFix integration
6. Enhanced investigation workflow
7. Optimized indexing
8. Security Intelligence on Cloud
9. New Incident Forensics analysis capabilities
10. Improved QVM performance and security roles
11. Enhanced QRM topology visualization, performance, and device support

Criminals create and share easy-to-use,
sophisticated, powerful weapons
Criminals are organized and collaborate on a global scale
Increasing
Complexity
Unpatched
Vulnerabilities
User
Negligence
Resource
Constraints

Integrated
security solutions
Intelligence
sharing
Capability
sharing
Break down silos
with integrated
security controls
Share real-time
threat intelligence
Share security
intelligence
workflows,
use cases
and analytics
IBM Security continues its investments in fostering
collaborative defense
IBM X-Force
Exchange
IBM Threat
Protection System
April 16, 2015May 5, 2014 December 8, 2015
IBM Security
App Exchange

Introducing a new platform for security collaboration
Enables rapid innovation to deliver new apps and content
for IBM Security solutions
NEW
IBM Security App Exchange
Single platform
for collaboration
Access to partner
innovations
Validated
security apps
Fast extensions to
security functionality

Contributions
from IBM
Tracking the threat
 Understand the attack chain
 Quickly identify the severity and overall impact of a threat
 Enable faster response by understanding flow of data
 Forensic investigation to discover the DNA of the attack
 Relationships between IPs involved in this offense
 Context from other security operations solutions
IBM Security | Incident Visualization
IBM Security App Exchange: New apps
Early momentum

IBM Security App Exchange: New apps
Partners already on-board and enthusiastic
Contributions from
Ready for Security Intelligence
Partner Ecosystems
 One console for SIEM and user entity
behavior analytics (UEBA)
 UEBA annotations in SIEM offenses
Exabeam | User Entity Behavior Analytics
 SIEM offenses link to UEBA timeline
 UEBA timeline links back to SIEM logs
 Suspicious behaviors open new offenses

• Automated response ability enabling QRadar to automatically
block IPs, shun users, black list domains, connect emails using
multiple templates, and many more actions…
• Real time and historical analytics helps discover previously
hidden IOCs, threats and incidents using new threat intelligence
• Tenant definition and capabilities providing richer multi-tenant
capabilities for MSPs
• Enhanced BigFix integration enabling users to build a context
driven, prioritized action list helping organizations reduce risk
• Enhanced investigation workflow enabling users to quickly
navigate through related incident data speeding up
investigations
• Optimized indexing speeding up historical searches by x10 !
QRadar 7.2.6 December, 2015
NEW
Vulnerability
Manager
Risk
Manager
SIEM
Incident
Forensics

Better, Stronger, Faster
 Automated and centralized decision making either as workflow
initiation for enterprise SOC or as more real world responses such
as:
– Blacklist IPs on the enterprise boundary
– User credential lock out due to a security incident
– Transmission of recent threat context to partner organizations.
 Real time and historical analytics allows users to replay data
through QRadar’s powerful correlation engine targeting three main
use cases:
– Discover previously hidden threats and incidents
– Review security events independent of collection time, unwinding bulk
loaded data sets
– Tune new threat detection and security policies against historical data
 Tenants and domains help enterprises support larger environments
and MSPs support multiple clients:
– Allows for segregating overlapping Ips
– Controlled administration of all tenants, their respective domains and users
– Enables data categorization (ex. events, flows) into different sets
– Guarantees one customer’s security data is not correlated with any others
Pushing the envelope with additional QRadar platform investments
A B C

Automated Threat Response
Increasingly, organizations are interested in
automated and centralized decision making
and are requesting QRadar, with it’s
comprehensive insights into the security
posture of an organization, play a pivotal role
in that decision making process.
These decisions, or responses, can come in
the form of simply initiating a workflow for the
enterprise NOC and SOC to work but can also
extend into the realm of real world responses
such as:
– Blacklist IPs on the enterprise boundary
– User credential lock out due to a security
incident
– Transmission of recent threat context to
partner organizations.

Data Obfuscation
Data obfuscation offers QRadar administrators
the ability to strategically “hide” and restrict
visibility to data within their deployment.
Obfuscation occurs within the data records
themselves to ensure that the content is never
compromised. Data is only reverted to original
form for presentation in the UI if the keys are
provided by the user
The most common use of data obfuscation is
to hide sensitive information such as PII or
PHI (social insurance numbers, usernames,
credit card numbers, etc)

STEP ONE
Provide Continuous Insight
across all endpoints.
INCLUDING off-network
laptops
STEP FOUR
Expedite remediation of
ranked vulnerabilities,
configuration drift and
irregular behavior
STEP TWO
Enforce Policy Compliance
of Security, Regulatory &
Operational Mandates.
STEP THREE
Prioritize vulnerabilities and
remediation activities by
risk
• QRadar correlates
assets &
vulnerabilities with
real-time security
data
• It then sends the
prioritized list to
BigFix administrators
• Machine Name, OS, IP Address, Malware
incidents etc.
• Provides details on physical and virtual servers,
PCs, Macs, POS devices, ATMs, kiosks, etc.
• All known CVEs exposed on an endpoint
• Quarantine endpoints
until they can be
remediated
• Patch or reconfigure
endpoints
IBM BigFixIBM BigFix
IBM BigFix
• BigFix sends vulnerability and patch data to
QRadar, automatically ensuring that QRadar's
asset database is updated with current data
Extending QRadar’s reach and simplifying incident response
with BigFix
Legend
• Avail Today
• Coming Soon

QRadar V7.2.6 closed-loop risk management
BigFix Compliance with QRadar Vulnerability Manager and Risk Manager deliver real-time endpoint
intelligence for closed-loop risk management
IBM QRadarIBM BigFix
Real-time endpoint
intelligence
Network anomaly
detection
Provides current
endpoint status
Correlates events
and generates alerts
Prompts IT staff
to fix vulnerabilities
• Improves asset database accuracy
• Strengthens risk assessments
• Enhances compliance reporting
• Accelerates risk prioritization
of threats and vulnerabilities
• Increases reach of vulnerability
assessment to off-network endpoints
Integrated,
closed-loop
risk
management

• Increased EPS limit to 40K EPS per SIOC
• Data node support increases maximum storage to
48TB
• New Canadian Data Center supports international
customers
• Now available Worldwide
SecIntel on Cloud 7.2.6 December, 2015
Vulnerability
Manager
Risk
Manager
SIEM
Incident
Forensics

• File Analysis extends suspect content to include
in-depth file analysis
• Image Analysis quickly scans through images
based on relevance and frequency
• Link Analysis visualizes common links in
communications patterns to find the actors and
evidence
QRadar Incident Forensics 7.2.6 December, 2015
Vulnerability
Manager
Risk
Manager
SIEM
Incident
Forensics

• QVM
• Improved performance results in faster
scans, improved scalability
• BigFix integration phase 2 described earlier
• License verification notifies users if they are
over license limits
• Improved security for administrator roles
• QRM
• Enhanced topology visualization declutters
views for large customers
• Performance enhancements
• New device support
QRadar Vulnerability Manager and Risk Manager 7.2.6
December, 2015
Vulnerability
Manager
Risk
Manager
SIEM
Incident
Forensics

Netting it out: Why you should move to QRadar V7.2.6!
1. QRadar V7.2.6 supports QRadar Apps via the IBM Security App Exchange
2. Awesome new automated response capabilities
3. New data obfuscation features
4. BigFix integration V2
5. Enhanced investigation workflow engine speeds investigation time
6. 10X+ improvements in search speed and more powerful search capabilities
7. Improved SaaS version, including higher EPS limits, global availability, and extended
storage
8. Extended Incident Forensics content analysis
9. Better QRM and QVM performance, security, and usability
10. Sets the stage for even cooler stuff coming in V7.3 next year….

Intelligence is the new defense
It helps prevent threats faster and make more informed decisions
Integration is the new foundation
It puts security in context and automates protection
Expertise is the new focus
It is essential to leverage global knowledge and experience to stay ahead
A new way to think about security

Learn more about IBM Security Intelligence and Analytics
V2015-11-23
countries where IBM delivers
managed security services
industry analyst reports rank
IBM Security as a LEADER
enterprise security vendor
in total revenue
clients protected
including…
130+
25
No. 1
12K+
90% of the Fortune 100
companies
Join IBM X-Force Exchange
xforce.ibmcloud.com
Visit our website
ibm.com/security
Watch our videos on YouTube
IBM Security Channel
Read new blog posts
SecurityIntelligence.com
Follow us on Twitter
@ibmsecurity

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any
kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor
shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use
of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or
capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product
or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries
or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside
your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks
on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access.
IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other
systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU
www.ibm.com/security

Information concerning non-IBM products was obtained from the suppliers of those
products, their published announcements or other publicly available sources. IBM has
not tested those products in connection with this publication and cannot confirm the
accuracy of performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the suppliers
of those products. IBM does not warrant the quality of any third-party products, or the
ability of any such third-party products to interoperate with IBM’s products. IBM
EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant
any right or license under any IBM patents, copyrights, trademarks or other intellectual
property right.
Other company, product, or service names may be trademarks or service marks of
others. A current list of IBM trademarks is available at “Copyright and
trademark information” www.ibm.com/legal/copytrade.shtml
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this
document may be reproduced or transmitted in any form without written permission from
IBM.
U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by
GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have
not yet been announced by IBM) has been reviewed for accuracy as of the date of initial
publication and could include unintentional technical or typographical errors. IBM shall
have no responsibility to update this information. THIS document is distributed "AS IS"
without any warranty, either express or implied. In no event shall IBM be liable for any
damage arising from the use of this information, including but not limited to, loss of data,
business interruption, loss of profit or loss of opportunity.
IBM products and services are warranted according to the terms and conditions of the
agreements under which they are provided.
Any statements regarding IBM’s future direction, intent or product plans are subject to
change or withdrawal without notice. Performance data contained herein was generally
obtained in a controlled, isolated environments. Customer examples are presented as
illustrations of how those customers have used IBM products and the results they may
have achieved. Actual performance, cost, savings or other results in other operating
environments may vary. References in this document to IBM products, programs, or
services does not imply that IBM intends to make such products, programs or services
available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent
session speakers, and do not necessarily reflect the views of IBM. All materials and
discussions are provided for informational purposes only, and are neither intended to,
nor shall constitute legal or other guidance or advice to any individual participant or their
specific situation.
It is the customer’s responsibility to insure its own compliance with legal requirements
and to obtain advice of competent legal counsel as to the identification and interpretation
of any relevant laws and regulatory requirements that may affect the customer’s business
and any actions the customer may need to take to comply with such laws. IBM does not
provide legal advice or represent or warrant that its services or products will ensure that
the customer is in compliance with any law.
Legal notices and disclaimers

5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016

Similar to 5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016 (20)

More from Francisco González Jiménez

More from Francisco González Jiménez (20)

Recently uploaded

Recently uploaded (20)

5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016