IBM Security Systems

IBM Security QRadar SIEM
Product Overview

Alex Kioni
IBM Security Systems Technical Consultant

2013 IBM Corporation

"The importance of integrated, all-source analysis cannot be overstated. Without it, it is not possible to 'connect the dots.' No one component holds all the relevant information." (9/11 Commission)

QRadar Family: Intelligent, Integrated, Automated

QRadar Log Manager
QRadar SIEM
QRadar QFlow
QRadar VFlow
QRadar Risk Manager
Vulnerability Manager

Security Intelligence Operating System

Providing complete network and security intelligence, delivered simply, for any customer

Fully Integrated Security Intelligence

Log Management: turn-key log management and reporting; SME to Enterprise; upgradeable to enterprise SIEM
SIEM: log, flow, vulnerability & identity correlation; sophisticated asset profiling; offense management and workflow
Configuration & Vulnerability Management: network security configuration monitoring; vulnerability prioritization; predictive threat modeling & simulation
Network Activity & Anomaly Detection: network analytics; behavioral anomaly detection; fully integrated in SIEM
Network and Application Visibility: Layer 7 application monitoring; content capture for deep insight & forensics; physical and virtual environments

Security Intelligence Product Offerings

QRadar SIEM: QRadar SIEM provides extensive visibility and actionable insight to help protect networks and IT assets from a wide range of advanced threats. It helps detect and remediate breaches faster, address compliance, and improve the efficiency of security operations.

QRadar Log Manager: QRadar Log Manager collects, archives, analyzes and reports on events across a distributed network. It helps address regulatory and policy compliance, while reducing manual compliance and reporting activities.

QRadar QFlow / QRadar VFlow: QRadar QFlow complements QRadar SIEM by providing deep content visibility. It gathers Layer 7 flow data via deep packet inspection, enabling advanced threat detection through analysis of packet content. QRadar VFlow provides content visibility into virtual network traffic, delivering comparable functionality to QRadar QFlow but for virtual environments.

QRadar Risk Manager: QRadar Risk Manager identifies and reduces security risks through device configuration monitoring, vulnerability prioritization, and threat simulation and visualization. It can help prevent many security breaches while improving operational efficiency and compliance.

Fully Integrated Security Intelligence: One Console Security

Log Management: turn-key log management and reporting; SME to Enterprise; upgradeable to enterprise SIEM
SIEM: log, flow, vulnerability & identity correlation; sophisticated asset profiling; offense management and workflow
Configuration & Vulnerability Management: network security configuration monitoring; vulnerability prioritization; predictive threat modeling & simulation
Network Activity & Anomaly Detection: network analytics; behavioral anomaly detection; fully integrated in SIEM
Network and Application Visibility: Layer 7 application monitoring; content capture for deep insight & forensics; physical and virtual environments

Built on a Single Data Architecture

QRadar SIEM Overview

QRadar SIEM provides full visibility and actionable insight to protect networks and IT assets from a wide range of advanced threats, while meeting critical compliance mandates.

Key Capabilities:
Sophisticated correlation of events, flows, assets, topologies, vulnerabilities and external data to identify & prioritize threats
Network flow capture and analysis for deep application insight
Workflow management to fully track threats and ensure resolution
Scalable architecture to support the largest deployments

Context and Correlation Drive Deepest Insight

Extensive Data Sources: Security Devices; Servers & Mainframes; Network & Virtual Activity; Data Activity; Application Activity; Configuration Info; Vulnerability & Threat; Users & Identities

Deep Intelligence:
Event Correlation (Logs, Flows, IP Reputation, Geo Location)
Activity Baselining & Anomaly Detection (User Activity, Database Activity, Application Activity, Network Activity)

Offense Identification: Credibility, Severity, Relevance (Suspected Incidents to True Offense)

Exceptionally Accurate and Actionable Insight

QRadar SIEM Benefits

Reduce the risk and severity of security breaches
Remediate security incidents faster and more thoroughly
Ensure regulatory and internal policy compliance
Reduce manual effort of security intelligence operations

QRadar SIEM Key Advantages

Real-time activity correlation based on advanced in-memory technology and the widest set of contextual data
Flow capture and analysis that delivers Layer 7 content visibility and supports deep forensic examination
Intelligent incident analysis that reduces false positives and manual effort
Unique combination of fast free-text search and analysis of normalized data
Scalability for the world's largest deployments, using an embedded database and unified data architecture

QRadar's Unique Advantages

Real-time correlation and anomaly detection based on the broadest set of contextual data
  Impact: more accurate threat detection, in real time
Integrated flow analytics with Layer 7 content (application) visibility
  Impact: superior situational awareness and threat identification
Intelligent automation of data collection, asset discovery, asset profiling and more
  Impact: reduced manual effort, fast time to value, lower-cost operation
Flexibility and ease of use enabling mere mortals to create and edit correlation rules, reports and dashboards
  Impact: maximum insight, business agility and lower cost of ownership
Scalability for largest deployments, using an embedded database and unified data architecture
  Impact: QRadar supports your business needs at any scale

QRadar SIEM Market Success

Leader in Gartner SIEM Magic Quadrant
Ranked #1 product for Compliance needs by Gartner
Only SIEM product that incorporates network behavior anomaly detection (NBAD)
Industry awards include:
  Global Excellence in Surveillance Award from InfoSecurity Products Guide
  Hot Pick by Information Security magazine
  GovernmentVAR 5-Star Award

QRadar SIEM Product Tour: Integrated Console

Single browser-based UI
Role-based access to information & functions
Customizable dashboards (work spaces) per user
Real-time & historical visibility and reporting
Advanced data mining and drill down
Easy to use rules engine with out-of-the-box security intelligence

QRadar SIEM Product Tour: Data Reduction & Prioritization

Previous 24hr period of network and security activity (2.7M logs)
QRadar correlation & analysis of data creates offenses (129)
Offenses are a complete history of a threat or violation with full context about accompanying network, asset and user identity information
Offenses are further prioritized by business impact

QRadar SIEM Product Tour: Intelligent Offense Scoring

QRadar judges the magnitude of offenses on three factors:
Credibility: a false positive or true positive?
Severity: alarm level contrasted with target vulnerability
Relevance: priority according to asset or network value
Priorities can change over time based on situational awareness
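The three factors above are easiest to reason about in code. The block below is an added illustration written for this page, not QRadar's scoring implementation: the 1-10 scales, the weights in magnitude(), the way scanner data feeds severity and the vulnerability id "VULN-PLACEHOLDER-1" are all assumptions constructed for the example. It scores one corroborated IDS alert against a high-value vulnerable host and a low-value non-vulnerable host, then re-scores after a scan changes what is known about the second host, which is the "priorities can change over time" point.

```python
"""Offense magnitude from Credibility, Severity and Relevance.

Added example, not QRadar's implementation: scales, weights and the
vulnerability-context rule are assumptions made for illustration."""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Asset:
    ip: str
    business_value: int                                # 1 (low) .. 10 (critical), assumed scale
    open_vulns: Set[str] = field(default_factory=set)  # ids from a vulnerability scanner feed


@dataclass
class Offense:
    alarm_level: int                     # 1..10 as reported by the source device
    sources: Set[str]                    # independent sensors reporting it, e.g. {"ids", "flow"}
    exploited_vuln: Optional[str] = None  # vulnerability the observed exploit attempt requires


def credibility(off: Offense) -> int:
    """True positive or false positive? Independent sources agreeing raises the
    score: one source alone is 4, three or more saturate the 1..10 scale."""
    return min(10, 3 * len(off.sources) + 1)


def severity(off: Offense, asset: Asset) -> int:
    """Alarm level contrasted with target vulnerability: an exploit attempt
    against a vulnerability the target actually has is maximal; against one it
    does not have, the device's own alarm level is discounted."""
    if off.exploited_vuln is None:
        return off.alarm_level
    if off.exploited_vuln in asset.open_vulns:
        return 10
    return max(1, off.alarm_level - 4)


def relevance(asset: Asset) -> int:
    """Priority according to asset value (network value would be folded in the same way)."""
    return asset.business_value


def magnitude(off: Offense, asset: Asset) -> int:
    """Weighted blend clamped to 1..10; the 0.3/0.4/0.3 weights are an assumption."""
    m = 0.3 * credibility(off) + 0.4 * severity(off, asset) + 0.3 * relevance(asset)
    return max(1, min(10, round(m)))


def demo() -> dict:
    """Same IDS alert, corroborated by flow data, seen against two hosts;
    then a re-score after a new scan result arrives for the second host."""
    crown_jewel = Asset("10.0.0.5", business_value=9, open_vulns={"VULN-PLACEHOLDER-1"})
    lab_box = Asset("10.0.0.77", business_value=2)
    alert = Offense(alarm_level=7, sources={"ids", "flow"}, exploited_vuln="VULN-PLACEHOLDER-1")

    scores = {
        "crown_jewel": magnitude(alert, crown_jewel),   # vulnerable, high value
        "lab_box_before": magnitude(alert, lab_box),    # not vulnerable, low value
    }
    # Situational awareness: a later scan finds the lab box vulnerable too,
    # so the very same offense is re-prioritized upward.
    lab_box.open_vulns.add("VULN-PLACEHOLDER-1")
    scores["lab_box_after"] = magnitude(alert, lab_box)
    return scores


if __name__ == "__main__":
    print(demo())
```

The point the numbers make: the identical sensor alert lands at very different magnitudes depending on asset context, and new vulnerability knowledge moves an existing offense without any new alert arriving.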

QRadar SIEM Product Tour: Offense Management

Clear, concise and comprehensive delivery of relevant information:
What was the attack?
Was it successful?
Who was responsible?
Where do I find them?
How many targets were involved?
How valuable are the targets to the business?
Are any of them vulnerable?
Where is all the evidence?

QRadar SIEM Product Tour: Out-of-the-Box Rules & Searches

Default log queries/views
1000s of real-time correlation rules and analysis tests
100s of out-of-the-box searches and views of network activity and log data
Provides quick access to critical information

Custom log fields
Provides flexibility to extract log data for searching, reporting and dashboards. Product ships with dozens of pre-defined fields for common devices.

QRadar SIEM Product Tour: Flows for Network Intelligence

Detection of day-zero attacks that have no signature
Policy monitoring and rogue server detection
Visibility into all attacker communication
Passive flow monitoring builds asset profiles & auto-classifies hosts
Network visibility and problem solving (not just security related)

QRadar SIEM Product Tour: Flows for Application Visibility

Flow collection from native infrastructure
Layer 7 data collection and analysis
Full pivoting, drill down and data mining on flow sources for advanced detection and forensic examination
Visibility and alerting according to rule/policy, threshold, behavior or anomaly conditions across network and log activity

QRadar SIEM Product Tour: Compliance Rules and Reports

Out-of-the-box templates for specific regulations and best practices: COBIT, SOX, GLBA, NERC, FISMA, PCI, HIPAA, UK GCSx
Easily modified to include new definitions
Extensible to include new regulations and best practices
Can leverage existing correlation rules

QRadar SIEM Use Cases

QRadar SIEM excels at the most challenging use cases:
Complex threat detection
Malicious activity identification
User activity monitoring
Compliance monitoring
Fraud detection and data loss prevention
Network and asset discovery

QRadar SIEM Use Case: Complex Threat Detection

Problem Statement:
Finding the single needle in the needle stack
Connecting patterns across many data silos and huge volumes of information
Prioritizing attack severity against target value and relevance
Understanding the impact of the threat

Required Visibility:
Normalized event data
Vulnerability context
Asset knowledge
Network telemetry

QRadar SIEM Use Case: Complex Threat Detection

Sounds Nasty! But how do we know this? The evidence is a single click away.
Network Scan: detected by QFlow
Targeted Host Vulnerable: detected by Nessus
Buffer Overflow: exploit attempt seen by Snort
Total Security Intelligence: convergence of Network, Event and Vulnerability data

QRadar SIEM Use Case: Malicious Activity Identification

Problem Statement:
Distributed infrastructure
Security blind spots in the network
Malicious activity that promiscuously seeks targets of opportunity
Application layer threats and vulnerabilities
Siloed security telemetry
Incomplete forensics

Required Visibility:
Distributed detection sensors
Pervasive visibility across the enterprise
Application layer knowledge
Content capture for impact analysis

QRadar SIEM Use Case: Malicious Activity Identification

Potential Botnet Detected? This is as far as traditional SIEM can go.
IRC on port 80? QFlow enables detection of a covert channel.
Irrefutable Botnet Communication: Layer 7 data contains botnet command and control instructions.

QRadar SIEM Use Case: User Activity Monitoring

Problem Statement:
Monitoring of privileged and non-privileged users
Isolating "stupid user tricks" from malicious account activity
Associating users with machines and IP addresses
Normalizing account and user information across diverse platforms

Required Visibility:
Centralized logging and intelligent normalization
Correlation of IAM information with machine and IP addresses
Automated rules and alerts focused on user activity monitoring

QRadar SIEM Use Case: User Activity Monitoring

Authentication Failures: perhaps a user who forgot his/her password?
Brute Force Password Attack: numerous failed login attempts against different user accounts
Host Compromised: all this followed by a successful login. Automatically detected, no custom tuning required.
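The escalation on this slide (a couple of failures for one account is a forgotten password; many failures against different accounts from one source is a brute-force attempt; a subsequent success from that source is a probable compromise) is a stateful correlation rule. The block below is an added example written for this page, not QRadar's rule engine or any of its shipped rules: the sshd-style log lines, host and account names, addresses, the five-distinct-accounts threshold and the two-minute window are all constructed for the illustration.

```python
"""Stateful brute-force-then-success correlation over authentication logs.

Added example, not QRadar's rule engine. Log lines, names, addresses,
threshold and window are constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format (not a real capture).
SAMPLE_LOGS = """\
2013-03-01T09:00:01 srv-acct sshd[411]: Failed password for alice from 10.1.1.9
2013-03-01T09:00:03 srv-acct sshd[411]: Failed password for alice from 10.1.1.9
2013-03-01T09:00:04 srv-acct sshd[412]: Accepted password for alice from 10.1.1.9
2013-03-01T09:05:00 srv-acct sshd[420]: Failed password for bob from 203.0.113.7
2013-03-01T09:05:01 srv-acct sshd[420]: Failed password for carol from 203.0.113.7
2013-03-01T09:05:02 srv-acct sshd[420]: Failed password for dave from 203.0.113.7
2013-03-01T09:05:03 srv-acct sshd[420]: Failed password for erin from 203.0.113.7
2013-03-01T09:05:04 srv-acct sshd[420]: Failed password for frank from 203.0.113.7
2013-03-01T09:05:09 srv-acct sshd[421]: Accepted password for frank from 203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

FAIL_THRESHOLD = 5            # distinct accounts failing from one source (assumed tuning)
WINDOW = timedelta(minutes=2)  # sliding window for counting failures (assumed tuning)


def normalize(line: str):
    """Parse one raw line into a normalized event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate(lines):
    """Return offenses as (name, source_ip, target_host, accounts) tuples."""
    failures = defaultdict(deque)   # source ip -> deque of (timestamp, account)
    brute_forcers = set()           # sources that already crossed the threshold
    offenses = []

    for line in lines:
        ev = normalize(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        # Age out failures that fell outside the sliding window.
        while q and ev["ts"] - q[0][0] > WINDOW:
            q.popleft()

        if ev["result"] == "Failed":
            q.append((ev["ts"], ev["user"]))
            distinct = {user for _, user in q}
            # Many *different* accounts failing is what separates a brute-force
            # attempt from a single user mistyping a password.
            if len(distinct) >= FAIL_THRESHOLD and ev["src"] not in brute_forcers:
                brute_forcers.add(ev["src"])
                offenses.append(("Brute Force Password Attack", ev["src"], ev["host"], sorted(distinct)))
        else:  # Accepted
            if ev["src"] in brute_forcers:
                # Success after a brute-force run: escalate to probable compromise.
                offenses.append(("Host Compromised", ev["src"], ev["host"], [ev["user"]]))
            elif q:
                # A few failures then success, same source: the forgotten-password case.
                offenses.append(("Authentication Failures", ev["src"], ev["host"], [ev["user"]]))
            q.clear()
    return offenses


if __name__ == "__main__":
    for offense in correlate(SAMPLE_LOGS.splitlines()):
        print(offense)
```

Normalizing before correlating is what lets the same rule work across devices that word their login messages differently; only normalize() would change for another log source.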

QRadar SIEM Use Case: Compliance Monitoring

Problem Statement:
Validating your monitoring efforts against compliance requirements
Ensuring that compliance goals align with security goals
Logs alone don't meet compliance standards

Required Visibility:
Application layer visibility
Visibility into network segments where logging is problematic

QRadar SIEM Use Case: Compliance Monitoring

PCI Compliance at Risk?
Unencrypted Traffic: QFlow saw a cleartext service running on the Accounting server. PCI Requirement 4 states: "Encrypt transmission of cardholder data across open, public networks."
Compliance Simplified: out of the box support for all major compliance and regulatory standards.

QRadar SIEM Use Case: Fraud & Data Loss Prevention

Problem Statement:
Validating your monitoring efforts against compliance requirements
Ensuring that compliance goals align with security goals
Logs alone don't meet compliance standards

Required Visibility:
Application layer visibility
Visibility into network segments where logging is problematic

QRadar SIEM Use Case: Fraud & Data Loss Prevention

Potential Data Loss? Who? What? Where?
Who? An internal user
What? Oracle data
Where? Gmail

QRadar SIEM Use Case: Network and Asset Discovery

Problem Statement:
Integration of asset information into security monitoring products is labor intensive
Assets you don't know about pose the greatest risk
Asset discovery and classification is a key tenet of many compliance regulations
False positive noise jeopardizes effectiveness of a SIEM solution

Required Capability:
Real-time knowledge of all assets on a network
Visibility into asset communication patterns
Classification of asset types
Tight integration into predefined rules

QRadar SIEM Use Case: Network and Asset Discovery

Automatic Asset Discovery: creates host profiles as network activity is seen to/from
Passive Asset Profiling: identifies services and ports on hosts by watching network activity
Server Discovery: identifies & classifies server infrastructure based on these asset profiles
Correlation on new assets & services: rules can fire when new assets and services come online
Enabled by QRadar QFlow and QRadar VFlow
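The four steps on this slide, and the "cleartext service on the Accounting server" finding from the Compliance Monitoring use case earlier, all derive from the same passive flow data. The block below is an added example written for this page, not the QFlow/VFlow implementation: the flow records, the asset inventory tags, the two-distinct-clients rule for calling something a server, the cleartext application list and the baseline of previously known services are constructed assumptions. It builds host profiles from flows, classifies servers, fires a rule for services the baseline did not have, and flags cleartext services on assets tagged as in PCI scope.

```python
"""Passive asset profiling from flow records.

Added example, not the QFlow/VFlow implementation. Flow records, asset tags,
thresholds and baseline are constructed for illustration."""
from collections import defaultdict

# Constructed flow records (not a real capture): (src_ip, dst_ip, dst_port, proto, app).
# The app label stands in for the Layer 7 classification a flow collector provides.
FLOWS = [
    ("10.2.0.11", "10.2.0.5", 443, "tcp", "HTTPS"),
    ("10.2.0.12", "10.2.0.5", 443, "tcp", "HTTPS"),
    ("10.2.0.13", "10.2.0.5", 443, "tcp", "HTTPS"),
    ("10.2.0.11", "10.2.0.5", 23, "tcp", "Telnet"),
    ("10.2.0.11", "10.2.0.9", 22, "tcp", "SSH"),
    ("10.2.0.11", "10.2.0.9", 21, "tcp", "FTP"),
    ("10.2.0.12", "10.2.0.9", 21, "tcp", "FTP"),
    ("10.2.0.5", "10.2.0.11", 50123, "tcp", "unknown"),  # reply traffic to a client
]

# Assumed asset inventory (constructed): only the Accounting server is in PCI scope.
ASSET_TAGS = {
    "10.2.0.5": {"name": "accounting-srv", "pci_scope": True},
    "10.2.0.9": {"name": "file-srv", "pci_scope": False},
}

CLEARTEXT_APPS = {"Telnet", "FTP", "HTTP", "POP3", "IMAP", "SMTP"}
MIN_CLIENTS_FOR_SERVER = 2     # assumed: a port used by >= 2 distinct clients is a service
EPHEMERAL_PORT_START = 49152   # IANA dynamic range: reply traffic, not a listening service

# Constructed baseline: (port, proto) services already known per host before this batch.
BASELINE = {"10.2.0.5": {(443, "tcp")}, "10.2.0.9": {(22, "tcp")}}


def build_profiles(flows):
    """Automatic discovery + passive profiling.
    Returns {host: {(port, proto): {"app": str, "clients": set}}}."""
    profiles = defaultdict(dict)
    for src, dst, dport, proto, app in flows:
        if dport >= EPHEMERAL_PORT_START:
            continue  # destination is a client's ephemeral port, not a service
        svc = profiles[dst].setdefault((dport, proto), {"app": app, "clients": set()})
        svc["clients"].add(src)
    return profiles


def classify_servers(profiles):
    """Server discovery: a host offering at least one service to enough distinct clients."""
    return sorted(
        host for host, svcs in profiles.items()
        if any(len(s["clients"]) >= MIN_CLIENTS_FOR_SERVER for s in svcs.values())
    )


def new_services(profiles, baseline):
    """Correlation on new services: fire when (host, port, proto) is absent from the baseline."""
    alerts = []
    for host, svcs in profiles.items():
        for (port, proto), s in svcs.items():
            if (port, proto) not in baseline.get(host, set()):
                alerts.append((host, port, proto, s["app"]))
    return sorted(alerts)


def cleartext_in_pci_scope(profiles):
    """Compliance check: cleartext services observed on PCI-scoped assets."""
    findings = []
    for host, svcs in profiles.items():
        if not ASSET_TAGS.get(host, {}).get("pci_scope"):
            continue
        for (port, _proto), s in svcs.items():
            if s["app"] in CLEARTEXT_APPS:
                findings.append((ASSET_TAGS[host]["name"], port, s["app"]))
    return sorted(findings)


if __name__ == "__main__":
    profiles = build_profiles(FLOWS)
    print("servers:", classify_servers(profiles))
    print("new services:", new_services(profiles, BASELINE))
    print("cleartext in PCI scope:", cleartext_in_pci_scope(profiles))
```

Two details matter in practice: reply traffic to ephemeral ports must be excluded or every client looks like a server, and the compliance finding depends on asset context (the PCI tag) as much as on the flow itself, which is why the same Telnet observation on the file server produces no finding.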

QRadar SIEM Case Study: Fortune 500 Defense Company

Customer: Fortune 500 defense and aerospace systems company; 70,000 employees worldwide

Business Challenge:
Protect a complex, geographically dispersed network from advanced threats
Provide scalability for massive event volumes

Q1 Labs Solution:
40 QRadar appliances, architected to support 70,000 EPS (6 billion events per day), with bursts over 100,000 EPS
4,000 devices being logged
Aggregation of all NetFlow data combined with application layer analysis from QFlow in critical data centers
24x7 SOC support for 20 security operations specialists
Data analysis focused on detection of advanced persistent threats, malware and out-of-policy behavior

QRadar SIEM Case Study: $100B US Manufacturer

Customer: $100B private US manufacturer (Fortune 10 equivalent); 125,000+ employees in 65 countries; one of the world's largest SAP deployments

Business Challenge:
Enhance security and risk posture across thousands of devices and resources, spanning hundreds of locations
Support extremely high event volumes

Q1 Labs Solution:
More than 40 QRadar appliances deployed, forming a single federated solution covering IDS/IPS, wireless, IAM, databases, servers, core switches and more
Monitors SAP and SCADA systems across 1,000 plant locations
Deployment seamlessly spans security, network, applications and operations teams

QRadar SIEM Case Study: Fortune 5 Energy Company

Customer: Fortune 5 energy company; 50,000+ employees worldwide

Business Challenge:
Ensure compliance with PCI-DSS, NERC and numerous regulations in other countries
Monitor and make sense of 2 billion log events daily

Q1 Labs Solution:
30 QRadar systems deployed globally as a federated solution
Identify 25-50 high priority offenses out of 2 billion daily events
Protect 10,000 network devices, 10,000 servers and 80,000 user endpoints
Monitor 6 million card swipes per day for PCI compliance
Ensure security of SCADA systems for NERC compliance

QRadar SIEM: Intelligent, Integrated and Automated

Intelligent offense management
Layer 7 application visibility
Identifies most critical anomalies

Distributed architecture
Highly scalable
Analyze logs, flows, assets and more

Easy deployment
Rapid time to value
Operational efficiency

QRadar SIEM Summary

QRadar SIEM delivers full visibility and actionable insight for Total Security Intelligence.

Deepest Content Insight
Broadest Correlation
Greatest Scalability

Providing complete network and security intelligence, delivered simply, for any customer

ibm.com/security

Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.