
IBM Security QRadar

Sense & Act On Cyberthreats With the Most Advanced Security Analytics Platform

© 2016 IBM Corporation


CTO Discussion

SANDY BIRD
IBM Fellow
Chief Technology Officer
IBM Security



CISO Challenge: Devising the right security strategy

• Consolidate & Protect Data
• Identify Threats
• Detect Insider Threats
• Stay Compliant
• Predict Business Risk


Upon close, Resilient Systems will advance the IBM Security
strategy to help organizations succeed in an era of escalating
cyber attacks

PREVENTION: Help to continuously stop attacks and remediate vulnerabilities.
Unites Security Operations and Incident Response: Resilient Systems will extend IBM’s offerings to create one of the industry’s most complete solutions to prevent, detect, and respond to threats.

DETECTION: Identify the most important threats with advanced analytics and forensics.
Delivers a Single Hub for Response Management: Resilient Systems will allow security teams to orchestrate response processes, and resolve incidents faster, more effectively, and more intelligently.

RESPONSE: Respond to incidents in an integrated and organized fashion.
Integrates Seamlessly with IBM and Third-Party Solutions: Resilient Systems integrates with QRadar and other IBM and third-party solutions so organizations of various sizes can successfully resolve attacks.


Upon close, IBM Security will have the industry’s first integrated
end-to-end Security Operations and Response Platform
Tomorrow’s response is intelligent and coordinated.

Security Operations and Response Platform:
• IBM QRadar Security Intelligence discovers advanced threats and starts the response process
• NEW! Resilient Systems Incident Response generates a response playbook and coordinates activity
• IBM X-Force Exchange automatically updates incident artifacts with threat intelligence
• IBM BigFix and Network Forensics enables analysts to query endpoints and analyze traffic
• IBM Security App Exchange provides apps and add-ons for a rapid and decisive response
• IBM Security Services delivers operations consulting to help implement processes, and response experts when something goes wrong

[Diagram: the platform spans Vulnerability and Patch Management, Endpoint / Network Threat Detection and Forensics, and Entity and Insider Threat Analytics, backed by Security Operations and Incident Response Services; it consumes data from IDS, NIPS, AV, DLP, FW, DBs, Apps ... and involves HR, Legal, the CEO, the CISO and IT in the response.]


The Power of Security Analytics
Anticipate the unknown. Sense it and act.

MATTHEW CARLE
Product Manager – QRadar
IBM Security



Attackers break through conventional safeguards every day
2013: 800+ Million records breached
2014: 1+ Billion records breached
2015: Unprecedented high-value targets breached

Average time to detect APTs: 256 days
Average cost of a U.S. data breach: $6.5M

V2016-2-11


Detect attacks disguised as normal activity

Attack characteristics: Advanced, Specific, Stealthy, Exploits human vulnerabilities, Targets business process weaknesses

1. Attacker phishes a third-party contractor (exploits human vulnerabilities)
2. Attacker uses stolen credentials to access internal contractor portals
3a. Attacker finds and infects the retailer’s Windows file server (targets business process weaknesses)
3b. Attacker finds and infects retailer POS systems with malware
4. Malware scrapes RAM for clear-text CC stripe data
5. Stolen data is exfiltrated from the internal network to external FTP servers


IBM Security QRadar – Success Factors

Sense Analytics One Platform, The Power to


Threat Detection Unified Visibility Act–at Scale

 Behavioral  Extensible  Prioritization

 Contextual  Scalable  Collaboration of threat data

 Temporal  Easily deployed  Automated response

© 2016 IBM Corporation 9


QRadar Sense Analytics™

Advanced analytics assisting in threat identification

QRadar is the only Security Intelligence Platform powered by the advanced Sense Analytics engine to:
• Detect abnormal behaviors across users, networks, applications and data
• Discover current and historical connections, bringing hidden indicators of attack to the surface
• Find and prioritize weaknesses before they’re exploited


QRadar Sense Platform

USE CASES: Advanced Threat Detection, Insider Threat Detection, Risk & Vulnerability Management, Fraud Detection, Incident Forensics, Compliance Reporting, Securing Cloud Usage
ACTION: Automation, Dashboards, Visualizations, Workflows; Prioritized Incidents
ENGINE: Sense Analytics™ – Context-Based Analytics, Behavior-Based Analytics, Time-Based Analytics
COLLECTION: Cloud, Infrastructure, Threat Intel, Business Systems, Applications
THIRD-PARTY CAPABILITY AND THREAT INTELLIGENCE COLLABORATION PLATFORMS: QRadar App Exchange, X-Force Exchange
DEPLOYMENT MODELS: On Prem, As a Service, Cloud, Hybrid


Consume massive amounts of structured and unstructured data

EXTENSIVE DATA SOURCES: Security devices; Servers and mainframes; Network and virtual activity; Data activity; Application activity; Configuration information; Vulnerabilities and threats; Users and identities; Global threat intelligence (Embedded Intelligence)

QRadar Sense Analytics™
• Extensive data collection, storage, and analysis
• Real-time correlation and threat intelligence
• Automatic asset, service and user discovery and profiling
• Activity baselining and anomaly detection

Output: Prioritized incidents; Incident identification


Advanced threat detection
SCENARIO
1. Host visits a malicious domain, but firing an alert might be premature
2. New beaconing behavior appears
3. Data transfers inconsistent with behavioral baselines appear
QRadar combines all three conditions to produce a single, heightened alert

SCENARIO
• Sudden change in network traffic
• The appearance of a new application on a host, or the termination of a typical service, is captured as an anomaly
QRadar senses and discovers by monitoring and profiling assets and individuals

Pattern identification | Anomaly detection | User and entity profiling
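The three-condition correlation in the first scenario, as an added example that is not QRadar code: the events, the malicious-domain reference set and the per-host outbound baselines are all constructed here. Each signal on its own yields only a low-magnitude note; the heightened alert fires only when the malicious-domain visit, the beaconing pattern and the baseline deviation co-occur for one host.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed events (no real indicators): (seconds, host, kind, detail); a "dns" detail is
# the name queried, a "conn" detail is (destination IP, bytes sent).
EVENTS = [
    (0,   "ws-17", "dns",  "updates.example-bad.test"),
    (60,  "ws-17", "conn", ("203.0.113.9", 1200)),
    (120, "ws-17", "conn", ("203.0.113.9", 1180)),
    (180, "ws-17", "conn", ("203.0.113.9", 1230)),
    (240, "ws-17", "conn", ("203.0.113.9", 1190)),
    (300, "ws-17", "conn", ("203.0.113.9", 48_000_000)),  # bulk transfer to the beacon target
    (30,  "ws-22", "dns",  "updates.example-bad.test"),    # same domain, nothing else follows
    (90,  "ws-22", "conn", ("198.51.100.4", 900)),
]
BAD_DOMAINS = {"updates.example-bad.test"}                  # constructed reference set
BASELINE_BYTES = {"ws-17": 2_000_000, "ws-22": 2_000_000}  # constructed per-host baselines

def visited_bad_domain(evts, bad_domains):
    return any(kind == "dns" and detail in bad_domains for _, _, kind, detail in evts)

def is_beaconing(evts, min_conns=4, max_jitter=0.1):
    """Repeated connections to one destination at near-constant intervals."""
    times = defaultdict(list)
    for ts, _, kind, detail in evts:
        if kind == "conn":
            times[detail[0]].append(ts)
    for stamps in times.values():
        if len(stamps) >= min_conns:
            gaps = [b - a for a, b in zip(sorted(stamps), sorted(stamps)[1:])]
            if pstdev(gaps) <= max_jitter * mean(gaps):
                return True
    return False

def exceeds_baseline(evts, baseline, factor=10):
    sent = sum(detail[1] for _, _, kind, detail in evts if kind == "conn")
    return sent > factor * baseline

def correlate(events, bad_domains, baselines):
    # One alert per host; the magnitude is heightened only when all three signals co-occur.
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[1]].append(ev)
    alerts = {}
    for host, evts in by_host.items():
        conditions = [name for name, ok in (
            ("malicious_domain", visited_bad_domain(evts, bad_domains)),
            ("beaconing", is_beaconing(evts)),
            ("baseline_deviation", exceeds_baseline(evts, baselines.get(host, 0)))) if ok]
        magnitude = 9 if len(conditions) == 3 else (2 if conditions else 0)
        alerts[host] = {"magnitude": magnitude, "conditions": conditions}
    return alerts
```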


Insider threat monitoring

SCENARIO
• Service rep downloads twice the normal amount of client data
  – Might be part of new sales analysis activity
• QRadar knows that the service rep was recently laid off and sees data being sent to an external site

QRadar profiles assets and individuals to help security teams better interpret network context and reduce false-positive results, while fine-tuning the detection of attacks and breaches.

Business context | Historical analytics | Risk-based analytics


Forensics investigation

SCENARIO
• SOC analyst investigating an offense discovers employees exposed to a phishing scam
• Attacker has latched on and expanded to an internal server using a pattern identified by X-Force as known to inject remote-access Trojan (RAT) software
QRadar recovers all associated network packets with a few mouse clicks
• Pinpoints where and when the RAT software was installed
• Rich profile of the malicious software, including link analysis, identifies “patient zero” and other infected parties
• Incident response and remediation is completed with no recurrences

Real-time analytics | External threat correlation | Statistical analysis


One platform with global visibility

Complete clarity and context

QRadar deploys easily and lightning fast to help users consolidate insights in a single platform:
• Delivers scale, collecting billions of events on-premises or in the cloud
• Unifies real-time monitoring, vulnerability and risk management, forensics, and incident response
• Deep and automated integration from hundreds of third-party sources


Visualize your threat landscape



Leverage multiple threat intelligence sources

IBM Security Threat Intelligence
• Pull in threat intelligence through the open STIX/TAXII format
• Load threat indicators from collections into QRadar reference sets
• Use reference sets for correlation, searching and reporting
• Create a custom rule response to post IOCs to a collection

USE CASE
Bring in watchlists of IP addresses from X-Force Exchange and create a rule to raise the magnitude of any offense that includes an IP on the watchlist
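The STIX pull, reference-set load and magnitude-raising rule described above, as an added example that is not QRadar’s own code or API: the STIX 2-style bundle, the indicator ids, the reference-set names and the offense records are constructed here, and the TAXII transport is replaced by an inline JSON string.

```python
import json
import re

# Constructed, simplified STIX 2-style bundle standing in for a TAXII collection pull.
# Values come from documentation address ranges; the ids are placeholders, not real STIX ids.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "indicator", "id": "indicator--example-1",
         "pattern": "[ipv4-addr:value = '203.0.113.9']"},
        {"type": "indicator", "id": "indicator--example-2",
         "pattern": "[ipv4-addr:value = '198.51.100.4' OR ipv4-addr:value = '198.51.100.5']"},
        {"type": "indicator", "id": "indicator--example-3",
         "pattern": "[domain-name:value = 'updates.example-bad.test']"},
        {"type": "malware", "id": "malware--example-1", "name": "not an indicator"},
    ],
})

IPV4_IN_PATTERN = re.compile(r"ipv4-addr:value\s*=\s*'([^']+)'")
DOMAIN_IN_PATTERN = re.compile(r"domain-name:value\s*=\s*'([^']+)'")

def load_reference_sets(bundle_json):
    """Extract indicator values from STIX patterns into named reference sets (constructed names)."""
    sets = {"XFE_IP_Watchlist": set(), "XFE_Domain_Watchlist": set()}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        sets["XFE_IP_Watchlist"].update(IPV4_IN_PATTERN.findall(obj["pattern"]))
        sets["XFE_Domain_Watchlist"].update(DOMAIN_IN_PATTERN.findall(obj["pattern"]))
    return sets

def watchlist_rule(offense, ip_watchlist, boost=3, ceiling=10):
    """Rule: if any offense IP is on the watchlist, raise the magnitude (capped) and record the hits."""
    hits = sorted((set(offense["source_ips"]) | set(offense["destination_ips"])) & ip_watchlist)
    result = dict(offense, watchlist_hits=hits)
    if hits:
        result["magnitude"] = min(ceiling, offense["magnitude"] + boost)
    return result

def post_iocs_to_collection(collection, ips):
    """Rule response: share IPs not yet in a collection (here an in-memory list) and return the new ones."""
    new = [ip for ip in ips if ip not in collection]
    collection.extend(new)
    return new
```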


Add collaborative defenses – App Exchange
A New Platform for Security Intelligence Collaboration
• Validated security apps
• Enable rapid innovation
• Single platform for collaboration
• Access partner innovations
• Quickly extend QRadar functionality

Single collaboration platform for rapidly delivering new apps and content for IBM Security solutions. Allows QRadar users and partners to deploy new use cases in an accelerated way.


The power to act at scale

Actionable security intelligence

QRadar enables security experts within and across organizations to collaboratively take action:
• Intelligent incident prioritization
• Collaboration of threat data and security capabilities from X-Force Exchange and App Exchange
• Resilient incident response with workflow, play groups, collaboration, regulatory requirements and integrations, streamlining and automating incident response and remediating threats quickly and with ease


Expand the value of security solutions through integration
Security Intelligence: QRadar SIEM, QRadar Log Manager, QRadar Vulnerability Manager, QRadar Risk Manager, QRadar Incident Forensics

Integrated IBM Security products: Global Threat Intelligence, BigFix, Trusteer Apex, zSecure, MobileFirst Protect (MaaS360), Network Protection XGS, SiteProtector, Trusteer Pinpoint, Trusteer Mobile, Trusteer Rapport, AppScan, DataPower Web Security Gateway, IBM Security Research, Privileged Identity Manager, Guardium, Key Lifecycle Manager, Cloud Security Enforcer, Cloud, Access Manager, Identity Manager, Identity Governance and Intelligence

Consulting Services | Managed Services


Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside
your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks
on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access.
IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other
systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU
www.ibm.com/security

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any
kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor
shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use
of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or
capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product
or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries
or both. Other company, product, or service names may be trademarks or service marks of others.
Legal notices and disclaimers

Copyright © 2016 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity.

IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available at “Copyright and trademark information” www.ibm.com/legal/copytrade.shtml
Any statements regarding IBM’s future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent
session speakers, and do not necessarily reflect the views of IBM. All materials and
discussions are provided for informational purposes only, and are neither intended to,
nor shall constitute legal or other guidance or advice to any individual participant or their
specific situation.
It is the customer’s responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
