© 2013 IBM Corporation
IBM Security
IBM Confidential
Trends in Security and
Security Intelligence
Jon Fraleigh
Security Intelligence World Wide Sales Leader
November 2013
Targeted attacks remain top of mind
Saudi Arabia Says Aramco Cyberattack Came From Foreign States – Bloomberg, Dec 2012
How to Hack Facebook In 60 Seconds – InformationWeek, June 2013
Hackers in China Attacked The Times for the Last 4 Months – The New York Times, Jan 2013
Fed Acknowledges Cybersecurity Breach – The Wall Street Journal, Feb 2013
South Carolina taxpayer server hacked, 3.6 million Social Security numbers compromised – CNN, Oct 2012
Facebook hacked in 'sophisticated attack' – The Guardian, Feb 2013
Adobe Systems Reports Attack on Its Computer Network – The Wall Street Journal, Oct 2013
Apple Hacked: Company Admits Development Website Was Breached – Huffington Post, July 2013
Chinese hacking of US media is 'widespread phenomenon' – Wired, Feb 2013
Source: IBM Security X-Force 2011 and 2012 Trend and Risk Reports; IBM Security X-Force 2013 Mid-Year Trend and Risk Report
What is Security Intelligence?
Security Intelligence
--noun
1. The real-time collection, normalization, and analysis of the data generated by users, applications, and infrastructure that impacts the IT security and risk posture of an enterprise.
2. A complete approach to defending an organization's critical assets, intellectual property, and private data using advanced anomaly detection capabilities balanced with preventative risk and vulnerability management activities.
Delivers actionable and comprehensive insight for managing risks and combating threats, from protection and detection through remediation and mitigation.
Security Intelligence & Business Intelligence offer insightful parallels
IBM Security Intelligence timeline:
• DASCOM
• Managed Security Services
• Mainframe and Server Security - RACF
• SOA Security
• Network Intrusion Prevention
• Database Monitoring
• Identity and Access Management
• Application Security
• Security as a Service
• Compliance Management
• Security Intelligence

IBM Business Intelligence timeline:
• Enterprise Reporting
• Performance Management Platform
• Business Intelligence Suite
• IOD Business Optimization
• BI Convergence with Collaboration
• Text & Social Media Analytics
• Simplified Delivery (i.e., Cloud)
• Predictive Analytics
• Decision Management
• BI Convergence with Security

(Chart axes: Market Changes against Time.)
Solutions for the full Security Intelligence timeline
Prediction & Prevention
• Risk Management. Vulnerability Management. Configuration and Patch Management.
• X-Force Research and Threat Intelligence. Compliance Management. Reporting and Scorecards.
• Questions answered: What are the external and internal threats? Are we configured to protect against these threats?

Reaction & Remediation
• Network and Host Intrusion Prevention. Network Anomaly Detection. Packet Forensics.
• Database Activity Monitoring. Data Leak Prevention. Security Information and Event Management.
• Log Management. Incident Response.
• Questions answered: What is happening right now? What was the impact?
Built upon common foundation of QRadar SIOS
Security Intelligence Operating System (SIOS) components:
• Inputs: LEEF, AXIS, Configuration, NetFlow, Offense
• Normalization
• Analytics Engine, Rules Engine, Workflow, Real-Time Viewer, Reporting Engine
• Warehouse, Archival, Reporting API, Forensics API
Security Intelligence Solutions built on SIOS: QRadar SIEM, QRadar Log Manager, QRadar Risk Manager, QRadar QFlow and VFlow, QRadar Vulnerability Manager (new)
Taking in data from wide spectrum of feeds
And continually adding context for increased accuracy
Security Intelligence Feeds: Internet Threats, Geo Location, Vulnerabilities
Deployed upon scalable appliance architecture
Network and Application Visibility
• Layer 7 application monitoring
• Content capture for deep insight & forensics
• Physical and virtual environments

SIEM
• Log, flow, vulnerability & identity correlation
• Sophisticated asset profiling
• Offense management and workflow

Network Activity & Anomaly Detection
• Network analytics
• Behavioral anomaly detection
• Fully integrated in SIEM

Log Management
• Turn-key log management and reporting
• SME to Enterprise
• Upgradeable to enterprise SIEM

Scale
• Event Processors
• Network Activity Processors
• High Availability & Disaster Recovery
• Stackable Expansion

Configuration & Vulnerability Management
• Network security configuration monitoring
• Vulnerability scanning & prioritization
• Predictive threat modeling & simulation
Security Intelligence Use Case Examples
Overview of use cases
• Detecting threats: arm yourself with comprehensive security intelligence
• Consolidating data silos: collect, correlate and report on data in one integrated solution
• Detecting insider fraud: next-generation SIEM with identity correlation
• Better predicting risks to your business: full life cycle of compliance and risk management for network and security infrastructures
• Addressing regulation mandates: automated data collection and configuration audits
Challenge 1: Detecting Threats
• Potential botnet detected? This is as far as traditional SIEM can go.
• IRC on port 80? IBM Security QRadar QFlow detects a covert channel.
• Irrefutable botnet communication: Layer 7 flow data contains botnet command and control instructions.
Application layer flow analysis can detect threats others miss.
Challenge 2: Consolidating Data Silos
Analyzing both flow and event data. Only IBM Security QRadar fully utilizes Layer 7 flows.
• Reducing big data to manageable volumes
• Advanced correlation for analytics across silos
Data reduction ratio: 1153571 : 1
Challenge 3: Detecting Insider Fraud
Potential data loss: Who? What? Where?
• Who? An internal user
• What? Oracle data
• Where? Gmail
Threat detection in the post-perimeter world: user anomaly detection and application level visibility are critical to identify inside threats.
Challenge 4: Better Predicting Risks to Your Business
Assess assets with high-risk input manipulation vulnerabilities.
• Which assets are affected? How should I prioritize them?
• What are the details? Vulnerability details, ranked by risk score.
• How do I remediate the vulnerability?
Pre-exploit Security Intelligence: monitor the network for configuration and compliance risks, and prioritize them for mitigation.
Challenge 5: Addressing Regulatory Mandates
• Unencrypted traffic: IBM Security QRadar QFlow saw a cleartext service running on the Accounting server.
• PCI Requirement 4 states: Encrypt transmission of cardholder data across open, public networks.
• PCI compliance at risk? Real-time detection of possible violation.
Compliance simplified: out-of-the-box support for major compliance and regulatory standards; automated reports, pre-defined correlation rules and dashboards.
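Challenge 1 (IRC hiding on port 80) and Challenge 5 (a cleartext service on the Accounting server) turn on the same step: classifying a flow by its Layer 7 payload instead of trusting the destination port. The following Python is an added example written for this page, not QRadar or QFlow code; the flow records, the Accounting server address 10.1.5.20 and the rule names are constructed assumptions, and the protocol fingerprints are deliberately minimal.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record with the leading bytes the client sent (constructed sample)."""
    src: str
    dst: str
    dport: int
    payload: bytes


# Minimal Layer 7 fingerprints over the first client bytes. A production
# classifier inspects both directions and far more protocols; these are
# just enough to separate the cases on the two slides.
SIGNATURES = {
    "http":   re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
    "irc":    re.compile(rb"^(NICK|JOIN|PRIVMSG) \S+", re.M),
    "ftp":    re.compile(rb"^USER \S+\r\n", re.M),
    "telnet": re.compile(rb"^\xff[\xfb-\xfe]"),   # IAC WILL/WONT/DO/DONT option negotiation
}

# Ports on which each protocol is expected; a match anywhere else is off-port.
EXPECTED_PORTS = {"http": {80, 8080}, "irc": {6667}, "ftp": {21}, "telnet": {23}}
CLEARTEXT = {"http", "ftp", "telnet", "irc"}


def classify(flow: Flow) -> str:
    """Name the application protocol from the payload, ignoring the port entirely."""
    for proto, rx in SIGNATURES.items():
        if rx.search(flow.payload):
            return proto
    return "unknown"


def findings(flow: Flow, pci_assets: set) -> list:
    """Detections a rule engine would raise for one flow (rule names are assumptions)."""
    proto = classify(flow)
    out = []
    if proto != "unknown" and flow.dport not in EXPECTED_PORTS[proto]:
        # Challenge 1: a known protocol on an unexpected port, e.g. IRC C2 on 80
        out.append(f"covert-channel:{proto}-on-port-{flow.dport}")
    if proto in CLEARTEXT and flow.dst in pci_assets:
        # Challenge 5: a cleartext service reachable on an in-scope (PCI) asset
        out.append(f"pci-req4:cleartext-{proto}-to-{flow.dst}")
    return out


# Constructed sample: 10.1.5.20 stands in for the Accounting server.
PCI_ASSETS = {"10.1.5.20"}
SAMPLE_FLOWS = [
    Flow("10.1.9.7", "203.0.113.5", 80,
         b"NICK bot123\r\nUSER bot 0 * :bot\r\nJOIN #cc\r\nPRIVMSG #cc :ready\r\n"),
    Flow("10.1.9.7", "203.0.113.5", 80,
         b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("10.1.9.8", "10.1.5.20", 23, b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23"),
    Flow("10.1.9.8", "10.1.5.20", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),
]


def run(flows=SAMPLE_FLOWS, pci_assets=PCI_ASSETS):
    """Map each flow to (classification, findings)."""
    return [(classify(f), findings(f, pci_assets)) for f in flows]


if __name__ == "__main__":
    for f, (proto, hits) in zip(SAMPLE_FLOWS, run()):
        print(f"{f.src} -> {f.dst}:{f.dport}  {proto:8} {hits}")
```

Port-based classification would have labelled the first flow as HTTP and raised nothing. The TLS flow on 443 to the same Accounting server produces no finding, which is the check that keeps the PCI rule from flagging encrypted traffic as a violation.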
Thank you
Using fully integrated architecture and interface
The same five components (Log Management, SIEM, Configuration & Vulnerability Management, Network Activity & Anomaly Detection, Network and Application Visibility) presented as One Console Security, Built on a Single Data Architecture.
Employing automation to accelerate time-to-value, preserve currency
Simplified deployment delivers results in days
• Syslog device detection configures log data sources
• Passive flow asset detection populates asset database
• Out-of-the-box rules and reports reduce incident investigations and meet compliance mandates
Real time events keep information current
• Immediate discovery of network asset additions triggers proactive vulnerability scans, configuration comparisons and policy compliance checks
• Daily and weekly updates to rules, reports, vulnerabilities, patches, searches, support modules, protocols and signatures
Differentiated by network flow analytics
• Log management products collect a subset of available data
• Netflows enable visibility into attacker communications
• Stored as aggregated, bi-directional records of IP addresses, ports, and protocols
• Offer advanced detection and forensics via flow pivoting, drill-down and data mining
• QFlow Collectors dig deeper, adding Layer 7 application insights
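An added example (not QRadar code) of the two operations the slide above describes: folding unidirectional NetFlow-style records into bidirectional conversations, then pivoting on a host to list everything it talked to. The records and the client/server heuristic are assumptions; the heuristic treats the lower port as the server, which is right for well-known services and wrong for some peer-to-peer protocols.

```python
from collections import defaultdict

# Constructed unidirectional records, NetFlow style:
# (src_ip, src_port, dst_ip, dst_port, ip_proto, bytes, packets)
RAW_RECORDS = [
    ("10.1.9.7", 51000, "203.0.113.5", 80, 6, 1200, 8),
    ("203.0.113.5", 80, "10.1.9.7", 51000, 6, 9000, 10),
    ("10.1.9.7", 51001, "203.0.113.5", 80, 6, 300, 4),
    ("203.0.113.5", 80, "10.1.9.7", 51001, 6, 400, 4),
    ("10.1.5.20", 34000, "10.1.9.7", 22, 6, 2000, 20),
    ("10.1.9.7", 22, "10.1.5.20", 34000, 6, 3000, 20),
    ("10.1.9.7", 40000, "198.51.100.8", 53, 17, 60, 1),
    ("198.51.100.8", 53, "10.1.9.7", 40000, 17, 120, 1),
]


def aggregate(records):
    """Fold unidirectional records into bidirectional conversations keyed by
    (client, server, server_port, proto). Assumption: the side using the lower
    port is the server. Several client sessions to one service are merged and
    counted, which is the aggregation the slide refers to."""
    flows = defaultdict(lambda: {"out_bytes": 0, "in_bytes": 0,
                                 "out_pkts": 0, "in_pkts": 0, "sessions": set()})
    for src, sport, dst, dport, proto, nbytes, pkts in records:
        if sport > dport:                       # client -> server direction
            key, client_port, direction = (src, dst, dport, proto), sport, "out"
        else:                                   # server -> client direction
            key, client_port, direction = (dst, src, sport, proto), dport, "in"
        f = flows[key]
        f[direction + "_bytes"] += nbytes
        f[direction + "_pkts"] += pkts
        f["sessions"].add(client_port)
    return {k: {**v, "sessions": len(v["sessions"])} for k, v in flows.items()}


def pivot(flows, ip):
    """Every peer of `ip` as (peer, service_port, proto, bytes_sent_by_ip,
    bytes_received_by_ip); the first question an analyst asks of a suspect host."""
    peers = []
    for (client, server, port, proto), f in flows.items():
        if ip == client:
            peers.append((server, port, proto, f["out_bytes"], f["in_bytes"]))
        elif ip == server:
            peers.append((client, port, proto, f["in_bytes"], f["out_bytes"]))
    return sorted(peers)


if __name__ == "__main__":
    flows = aggregate(RAW_RECORDS)
    for peer in pivot(flows, "10.1.9.7"):
        print(peer)
```

Note that the pivot reports 10.1.9.7 both as a client (web, DNS) and as a server (SSH from the Accounting server), which is exactly the lateral-movement context a log-only view would miss.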
Including baselining and anomaly detection capabilities
Correlation of log and flow data creates profiles of user, application and data access patterns.
Anomaly Detection uses multiple measurements to signal change:
• Thresholds – above or below normal range
• Anomaly – detects appearance of new objects
• Behavior – reveals deviations from established 'seasonal' patterns
Comparison windows: large window 5 hours, small window 1 hour.
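Added example, not QRadar's implementation, of the three measurements listed above with the same 1-hour and 5-hour windows: a fixed threshold, new-object detection, and two behavioral checks (small window against the large window before it, and the current hour against the same hour on previous days). Bucket size, percentages, the 3-sigma cutoff and the sample series are assumptions.

```python
from statistics import mean, pstdev

BUCKET_MIN = 5                      # assumption: event counts are per 5-minute bucket
SMALL_WINDOW = 60 // BUCKET_MIN     # 1 hour  -> 12 buckets
LARGE_WINDOW = 300 // BUCKET_MIN    # 5 hours -> 60 buckets


def threshold_rule(value, low, high):
    """Thresholds: fire when a value leaves its normal range."""
    if value > high:
        return f"above-range:{value}>{high}"
    if value < low:
        return f"below-range:{value}<{low}"
    return None


def new_object_rule(baseline, observed):
    """Anomaly: objects (ports, hosts, users...) seen now but never in the baseline."""
    return set(observed) - set(baseline)


def window_change_rule(series, pct=50.0):
    """Behavior, short term: per-bucket average over the small window versus the
    large window that precedes it; fires on a change of at least `pct` percent."""
    if len(series) < SMALL_WINDOW + LARGE_WINDOW:
        return None                                    # not enough history yet
    small = mean(series[-SMALL_WINDOW:])
    large = mean(series[-(SMALL_WINDOW + LARGE_WINDOW):-SMALL_WINDOW])
    if large == 0:
        return None                                    # avoid dividing by a silent baseline
    change = (small - large) / large * 100.0
    return round(change, 1) if abs(change) >= pct else None


def seasonal_rule(history, hour, value, k=3.0):
    """Behavior, seasonal: compare this hour's value with the same hour on
    previous days; fire when it is at least k standard deviations away."""
    samples = history.get(hour, [])
    if len(samples) < 3:
        return None                                    # baseline not established
    mu, sigma = mean(samples), pstdev(samples) or 1.0  # guard a flat baseline
    z = (value - mu) / sigma
    return round(z, 2) if abs(z) >= k else None


# Constructed sample data
STEADY = [100] * LARGE_WINDOW             # five quiet hours, 100 events per bucket
BURST = STEADY + [200] * SMALL_WINDOW     # then one hour at double the rate
NOISE = STEADY + [110] * SMALL_WINDOW     # then one hour only 10% higher
NIGHT_HISTORY = {2: [8, 10, 12, 10, 10]}  # logins at 02:00 on five previous days


def demo():
    """Run every rule on the constructed data and return the verdicts."""
    return {
        "threshold": threshold_rule(value=5000, low=50, high=1000),
        "new_ports": new_object_rule(baseline={22, 80, 443}, observed={22, 80, 443, 6667}),
        "burst": window_change_rule(BURST),
        "noise": window_change_rule(NOISE),
        "seasonal_spike": seasonal_rule(NIGHT_HISTORY, hour=2, value=50),
        "seasonal_normal": seasonal_rule(NIGHT_HISTORY, hour=2, value=12),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

The two "None" verdicts matter as much as the alerts: a 10% drift and a value within the seasonal spread stay quiet, which is what keeps a behavioral rule from becoming a noise source.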
Strengthened by integrated vulnerability insights
QRadar Vulnerability Manager

Existing vulnerability management tools
Your Vulnerabilities: a wall of undifferentiated CVEs.
Questions remain:
• Has that been patched?
• Has it been exploited?
• Is it likely to be exploited?
• Does my firewall block it?
• Does my IPS block it?
• Does it matter?

Security Intelligence Integration
Your Vulnerabilities: the same CVEs, now tagged Patched, Critical, Blocked, Inactive, Exploited! and At risk!
• Improves visibility – intelligent, event-driven scanning, asset discovery, asset profiling and more
• Reduces data load – bringing rich context to Vulnerability Management
• Breaks down silos – leveraging all QRadar integrations and data; unified vulnerability view across all products
Answers delivered:
• Real-time scanning
• Early warning capabilities
• Advanced pivoting and filtering
Security Intelligence portfolio components
QRadar Log Manager: Foundation for Security Intelligence
• Employs intuitive, browser-based UI
• Presents customizable dashboards (work spaces) per user
• Delivers real-time & historical visibility and reporting
• Provides easy to use rules engine with out-of-the-box security intelligence
• Allows advanced data mining and drill down
• Contains role-based access to information & functions
• Automatically discovers log sources, simplifying deployment and speeding ROI
• Performs distributed log collection, analysis, archival, searching and reporting that scales to any size network
• Provides fast, free-text search and analysis of normalized data
• Contains reliable, tamper-proof log storage for forensic investigations and evidentiary use
• Includes compliance-driven report templates for regulatory reporting and auditing
• Shares common architecture with QRadar SIEM for seamless upgrade
• Establishes security capability to exceed compliance requirements
Best practices compliance rules and reports speed ROI
• Out-of-the-box templates for specific regulations and best practices: COBIT, SOX, GLBA, NERC, FISMA, PCI, HIPAA, UK GCSx
• Easily modified to include new definitions
• Extensible to include new regulations and best practices
• Can leverage existing correlation rules
QRadar SIEM: Command console for Security Intelligence
• Provides full visibility and actionable insight to protect against advanced threats
• Adds network flow capture and analysis for deep application insight
• Employs sophisticated correlation of events, flows, assets, topologies, vulnerabilities and external data to identify & prioritize threats
• Contains workflow management to fully track threats and ensure resolution
• Uses scalable hardware, software and virtual appliance architecture to support the largest deployments
Data reduction and correlation analysis identify top threats
• Previous 24hr period of network and security activity (2.7M logs)
• QRadar correlation & analysis of data creates 'offenses'
• Offenses include complete history of threat or violation with full context, including network, asset and user identity information
• Offenses further prioritized by business impact
Focuses security teams and reduces false positives. Reduces millions/billions of events to dozens requiring further investigation.
Intelligent offense scoring further directs security team investigations
QRadar judges "magnitude" of offenses:
1. Credibility: a false positive or true positive?
2. Severity: alarm level contrasted with target vulnerability
3. Relevance: priority according to asset or network value
Priorities can change over time based on situational awareness.
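Added example, written for this page rather than taken from QRadar, covering the two slides above: correlating raw events into an offense keyed by source and destination, then scoring it on credibility, severity and relevance. The events, asset database, rule thresholds, the VULN-1 identifier and the equal-weight average used for the final magnitude are all assumptions.

```python
from collections import defaultdict

# Constructed context (assumptions): asset database with business weight and known vulnerabilities.
ASSETS = {
    "10.1.5.20": {"name": "accounting-db", "weight": 9, "vulns": {"VULN-1"}},
    "10.1.5.21": {"name": "test-box", "weight": 2, "vulns": set()},
}

# Constructed events: t = seconds, source = which log source reported it.
EVENTS = (
    [{"t": i, "src": "203.0.113.9", "dst": "10.1.5.20", "cat": "auth-fail", "source": "sshd"}
     for i in range(6)]
    + [{"t": 6, "src": "203.0.113.9", "dst": "10.1.5.20", "cat": "auth-success", "source": "sshd"},
       {"t": 7, "src": "203.0.113.9", "dst": "10.1.5.20", "cat": "exploit-attempt",
        "source": "ips", "vuln": "VULN-1"},
       {"t": 8, "src": "10.1.9.7", "dst": "10.1.5.21", "cat": "auth-fail", "source": "sshd"}]
)


def rule_bruteforce(evts):
    """Fire when at least 5 failures precede a success from the same source."""
    fails = 0
    for e in sorted(evts, key=lambda e: e["t"]):
        if e["cat"] == "auth-fail":
            fails += 1
        elif e["cat"] == "auth-success" and fails >= 5:
            return ("brute-force-then-success", 7)   # (rule name, base severity 1..10)
    return None


def rule_exploit(evts):
    """Fire on any IPS exploit-attempt event."""
    for e in evts:
        if e["cat"] == "exploit-attempt":
            return ("exploit-attempt", 5)
    return None


RULES = [rule_bruteforce, rule_exploit]


def correlate(events):
    """Group events by (src, dst); every pair on which a rule fires becomes one offense,
    carrying its full event history. Pairs with no rule hit produce nothing."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    offenses = []
    for (src, dst), evts in by_pair.items():
        fired = [r for r in (rule(evts) for rule in RULES) if r]
        if fired:
            offenses.append({"src": src, "dst": dst, "events": evts, "rules": fired})
    return offenses


def magnitude(offense):
    """Credibility, severity and relevance on 1..10; the equal-weight average is one
    illustrative weighting (assumption), not QRadar's formula."""
    asset = ASSETS.get(offense["dst"], {"weight": 1, "vulns": set()})
    sources = {e["source"] for e in offense["events"]}
    credibility = min(10, 3 * len(sources))            # more independent witnesses, more credible
    severity = max(s for _, s in offense["rules"])
    hit_vulns = {e.get("vuln") for e in offense["events"]} & asset["vulns"]
    if hit_vulns:
        severity = 10                                   # attack matches a vulnerability the target has
    relevance = asset["weight"]                         # business value of the target
    return {"credibility": credibility, "severity": severity, "relevance": relevance,
            "magnitude": round((credibility + severity + relevance) / 3)}


if __name__ == "__main__":
    for off in correlate(EVENTS):
        print(off["src"], "->", off["dst"], [n for n, _ in off["rules"]], magnitude(off))
```

Nine events collapse to one offense; the single failed login against the test box never surfaces. Severity is what makes the vulnerability data matter: the same exploit attempt against a host that lacks VULN-1 would keep its base score.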
Flows provide context for true network intelligence
• Helps detect zero-day attacks that have no signature
• Enables policy monitoring and rogue server identification
• Provides visibility into all attacker communications
• Uses passive monitoring to build asset profiles and classify hosts
• Improves network visibility and helps resolve traffic problems
QRadar Risk Manager: Visualize network, configurations and risks
• Depicts network topology views and helps visualize current and alternative network traffic patterns
• Identifies active attack paths and assets at risk of exploit
• Collects network device configuration data to assess vulnerabilities and facilitate analysis and reporting
• Discovers firewall configuration errors and improves performance by eliminating ineffective rules
• Analyzes policy compliance for network traffic, topology and vulnerability exposures
Fully integrated risk management solution
• Compiles comprehensive risk assessments covering network usage, configuration data, vulnerability posture, and current threat environment
• Provides powerful visualizations of network usage and attack paths, simplifying risk and incident response actions
• Simplifies configuration change comparisons and alerts users to risky or out-of-compliance configurations
• Improves consistency of firewall rules, including detection of shadowed rules and other configuration errors
• Delivers reduced total cost of ownership through product consolidation
Connections view shows and records network traffic activity
• Drastically reduces time required to conduct offense forensics
• Correlates events and flows with source and destination IPs
• Identifies active vs. inactive applications and associated hosts
• Enables connection searches between hosts and networks using specific protocols and applications, or traffic analysis to/from specific geo regions
Investigating offense attack path
• Clicking the 'attack path' button for an offense performs a search showing the precise path (and all permutations) between involved source and destination IPs
• Firewall rules enabling the attack path can then be quickly analyzed to understand the exposure
• Allows a "virtual patch" to be applied by quickly showing which firewall rules may be changed to immediately shut down the attack path, before patching or other configuration changes can typically be implemented
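Added example (not Risk Manager code) of the attack-path search and virtual-patch check described above: enumerate every permitted route between two hosts across a set of firewalls, list the rules that permit each hop, and verify that a proposed rule change actually leaves no path. The zones, firewalls and rule bases are constructed; port 1521 is used because the use cases mention Oracle data.

```python
import ipaddress

# Constructed topology (assumption): three zones joined by three firewalls.
ZONES = {"internet": "203.0.113.0/24", "dmz": "10.0.1.0/24", "internal": "10.1.0.0/16"}
LINKS = [("fw-edge", "internet", "dmz"),
         ("fw-core", "dmz", "internal"),
         ("fw-vpn", "internet", "internal")]

# Ordered rule bases, first match wins, implicit deny at the end.
# (rule_name, src_cidr, dst_cidr, dst_port, action)
RULES = {
    "fw-edge": [("edge-allow-db", "any", "10.1.5.0/24", 1521, "allow"),
                ("edge-deny-all", "any", "any", "any", "deny")],
    "fw-core": [("core-allow-db", "any", "10.1.5.0/24", 1521, "allow"),
                ("core-deny-all", "any", "any", "any", "deny")],
    "fw-vpn":  [("vpn-allow-all", "203.0.113.0/24", "10.1.0.0/16", "any", "allow"),
                ("vpn-deny-all", "any", "any", "any", "deny")],
}


def _in(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def first_match(fw, src, dst, port, disabled=frozenset()):
    """Evaluate one firewall's rule base for a flow; `disabled` simulates a rule change."""
    for name, s, d, p, action in RULES[fw]:
        if name in disabled:
            continue
        if _in(s, src) and _in(d, dst) and p in ("any", port):
            return name, action
    return "implicit-deny", "deny"


def zone_of(ip):
    for zone, cidr in ZONES.items():
        if _in(cidr, ip):
            return zone
    raise ValueError(f"{ip} is in no known zone")


def attack_paths(src, dst, port, disabled=frozenset()):
    """All firewall traversals that permit src -> dst:port, each as a list of (firewall, rule)."""
    start, goal = zone_of(src), zone_of(dst)
    found = []

    def walk(zone, seen, hops):
        if zone == goal:
            found.append(hops)
            return
        for fw, a, b in LINKS:
            nxt = b if a == zone else a if b == zone else None
            if nxt is None or nxt in seen:
                continue
            name, action = first_match(fw, src, dst, port, disabled)
            if action == "allow":
                walk(nxt, seen | {nxt}, hops + [(fw, name)])

    walk(start, {start}, [])
    return found


def virtual_patch_candidates(src, dst, port):
    """Rules an analyst could tighten: every rule that permits some hop on some path."""
    return {rule for path in attack_paths(src, dst, port) for _, rule in path}


def closes_exposure(src, dst, port, rules_to_disable):
    """True only if disabling the given rules leaves no path at all."""
    return not attack_paths(src, dst, port, disabled=frozenset(rules_to_disable))


if __name__ == "__main__":
    for path in attack_paths("203.0.113.9", "10.1.5.20", 1521):
        print(" -> ".join(f"{fw}:{rule}" for fw, rule in path))
```

The check in closes_exposure is the part that matters operationally: blocking the obvious over-permissive VPN rule alone still leaves the DMZ route open, so the "virtual patch" has to cover both paths.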
QRadar Vulnerability Manager: Scan, assess and remediate vulnerabilities
• Employs embedded, well proven, scalable, PCI-certified scanner
• Provides complete vulnerability view including third-party vulnerability system data feeds
• Supports exception and remediation processes with seamlessly integrated reporting and dashboarding
• Leverages QRadar log and flow collectors and processors to conduct scans
• Includes hosted external scanning service
• Tracks National Vulnerability Database (CVE) and detects 70,000+ vulnerabilities
Fully integrated vulnerability management solution
• Analyses data stored in the QRadar asset model database, so includes all vulnerability sources
• Displays vulnerability posture by asset, network, open service, vulnerability type and vulnerability instances
• Provides powerful filtering & pivoting functionality similar to the flow and event viewer
• Offers saved searches, quick searches and a Google-esque quick filter
QVM enables customers to interpret ‘sea’ of vulnerabilities
(A wall of CVEs, each tagged by context.)
• Inactive: QFlow Collector data helps QRadar Vulnerability Manager sense application activity
• Blocked: QRadar Risk Manager helps QVM understand which vulnerabilities are blocked by firewalls and IPSs
• Patched: IBM Endpoint Manager helps QVM understand which vulnerabilities will be patched
• Critical: Vulnerability knowledge base, remediation flow and QRM policies inform QVM about business critical vulnerabilities
• At Risk: X-Force Threat and SIEM security incident data, coupled with QFlow network traffic visibility, help QVM see assets communicating with potential threats
• Exploited: SIEM correlation and IPS data help QVM reveal which vulnerabilities have been exploited
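Added example, not QVM code, of turning the raw list of vulnerability instances into the six tags on the slide above and ordering them for remediation. The assets, ports, VULN-n identifiers and the precedence of the checks are assumptions; in particular an exploited instance is reported first even if a firewall now blocks it, and an instance with no listening service sinks to the bottom but is not discarded.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnInstance:
    asset: str
    port: int       # listening port the vulnerable service would use
    vuln: str       # vulnerability identifier (constructed placeholders below)


# Priority order, most urgent first. Inactive and blocked instances are real but
# unreachable; they sink to the bottom rather than disappearing.
PRIORITY = ["exploited", "at-risk", "critical", "open", "patch-scheduled", "blocked", "inactive"]


def classify(v, ctx):
    """Tag one instance with the context each integration on the slide contributes."""
    if (v.asset, v.vuln) in ctx["exploited"]:                   # SIEM offenses / IPS exploit hits
        return "exploited"
    if v.port not in ctx["active_ports"].get(v.asset, set()):   # flows saw no traffic on that service
        return "inactive"
    if (v.asset, v.port) in ctx["blocked"]:                     # firewall / IPS blocks the service
        return "blocked"
    if v.asset in ctx["talking_to_threats"]:                    # threat reputation + flows
        return "at-risk"
    if ctx["asset_weight"].get(v.asset, 0) >= 8:                # business criticality
        return "critical"
    if v.vuln in ctx["patch_scheduled"]:                        # endpoint management will patch it
        return "patch-scheduled"
    return "open"


def prioritize(instances, ctx):
    """Tag every instance and sort by urgency, then by asset and vuln for a stable list."""
    tagged = [(classify(v, ctx), v) for v in instances]
    return sorted(tagged, key=lambda t: (PRIORITY.index(t[0]), t[1].asset, t[1].vuln))


# Constructed sample context and findings (all identifiers are placeholders).
CTX = {
    "exploited": {("10.1.5.20", "VULN-1")},
    "active_ports": {"10.1.5.20": {1521, 22}, "10.0.1.10": {443},
                     "10.1.9.7": {22}, "10.1.9.8": {80}},
    "blocked": {("10.1.9.7", 22)},
    "patch_scheduled": {"VULN-3"},
    "talking_to_threats": {"10.0.1.10"},
    "asset_weight": {"10.1.5.20": 9, "10.0.1.10": 5, "10.1.9.7": 3, "10.1.9.8": 3},
}
FINDINGS = [
    VulnInstance("10.1.5.20", 1521, "VULN-1"),   # exploited
    VulnInstance("10.1.5.20", 22, "VULN-2"),     # critical: high-value asset, service live
    VulnInstance("10.1.5.20", 8080, "VULN-4"),   # inactive: nothing listening
    VulnInstance("10.0.1.10", 443, "VULN-5"),    # at-risk: asset talking to a known threat
    VulnInstance("10.1.9.7", 22, "VULN-2"),      # blocked by firewall
    VulnInstance("10.1.9.8", 80, "VULN-3"),      # patch scheduled
    VulnInstance("10.1.9.8", 80, "VULN-6"),      # open, low-value asset
]


if __name__ == "__main__":
    for tag, v in prioritize(FINDINGS, CTX):
        print(f"{tag:15} {v.asset}:{v.port} {v.vuln}")
```

The same vulnerability (VULN-2) lands at opposite ends of the list depending on whose host carries it and whether the service is reachable, which is the point of adding context to a scanner result.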
Security Intelligence platform summary
Continued journey towards Total Security Intelligence
QRadar Security Intelligence customer roadmap
Upgrade Log Manager to QRadar SIEM
• Additional security telemetry data
• Rules-based correlation analysis engine
• Data overload reduction 'magic' compressing millions or even billions of daily raw events to a manageable list of issues
Add QRadar Risk Manager
• Enables pre-exploit configuration investigations
• Simplifies security policy reviews for compliance tests
• Provides network topology depictions and permits attack simulations
Implement QRadar Vulnerability Manager
• Extends pre-exploit analysis activities by adding integrated vulnerability insights
• Reduces magnitude of pre-exploit conditions as QRadar SIEM does for post-exploit conditions
• Helps identify and measure exposures to external threats
Inject IBM X-Force Threat Research Intelligence
• Provides intelligence feed to QRadar
• Includes vulnerabilities, IP reputations, malware reports and attack histories
QRadar's unique advantages
• Scalability for largest deployments, using an embedded database and unified data architecture. Impact: QRadar supports your business needs at any scale.
• Real-time correlation and anomaly detection based on the broadest set of contextual data. Impact: more accurate threat detection, in real time.
• Intelligent automation of data collection, asset discovery, asset profiling, vulnerability scanning and more. Impact: reduced manual effort, fast time to value, lower-cost operation.
• Integrated flow analytics with Layer 7 content (application) visibility. Impact: superior situational awareness and threat identification.
• Flexibility and ease of use enabling "mere mortals" to create and edit correlation rules, reports and dashboards. Impact: maximum insight, business agility and lower cost of ownership.
Learn more about IBM QRadar Security Intelligence
• Watch executive interview video with Steve Robinson (VP)
• Visit our website
• Review latest solution announcement
• Read new blog posts: securityintelligence.com
• Follow us on Twitter: @q1labs @ibmsecurity
ibm.com/security
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Case study: An international energy company reduces billions of events per day to find those that should be investigated
An international energy firm analyzes 2,000,000,000 events per day to find 20 – 25 potential offences to investigate.
Business challenge: reducing a huge number of events to find the ones that need to be investigated; automating the process of analyzing security data.
Solution (QRadar SIEM, QFlow, Risk Manager): real-time correlation of hundreds of data sources, anomaly detection to help identify "low and slow" threats, flexibility for easy customization and expansion.
Optimize threat analysis
Case Study: A financial information provider hardens defenses against threats and fraud
Business challenge: detect a wide range of security threats affecting public-facing Web applications; help identify subtle changes in user behavior that could indicate fraud or misuse; exceed the ISO 27001 standard.
Solution (QRadar SIEM, QFlow, X-Force, Network IPS): combine analysis of historical data with real-time alerts to gain a 'big picture' view, uncover patterns of unusual activity humans miss, and immediately block suspected traffic.
• Saved 50-80% on staffing vs. alternative solutions
• Tracks 250 activity baselines, dynamically adjusted over time
Optimize risk management
Case Study: Financial services firm uses real-time analysis to defend against rising DDoS attacks
A Canadian-based international financial services firm analyzes 30,000,000 events per day to find 30 potential offences to investigate.
Business challenge: dealing with a 500% increase in cyber threats and a 527% increase in denial of service attacks in the past two years; gaining 24x7 visibility without hiring additional analysts.
Solution (QRadar SIEM, QFlow, Risk Manager, X-Force, IPS): real-time correlation, anomaly detection and X-Force Intelligence to help improve visibility and cut annual licensing and maintenance costs by more than 50%.
Optimize staff resources
Case Study: A credit card firm simplifies complexity, reduces costs and optimizes resources
Business challenge: 8-year-old SIEM technology did not provide visibility into and protection from current threats; high cost of tuning and maintenance of the incumbent SIEM product.
Solution (QRadar SIEM): advanced security analytics engine for real-time threat detection and analysis, and scalable architecture to meet the client's large data and infrastructure requirements.
• 50% reduction in cost of deployment, tuning and maintenance vs. competitor
Optimize security ROI
Case Study: Growth markets payments processor achieves PCI compliance / exceeds regulatory mandates
Global electronic payments firm operates in 32 countries and processes over 2 billion transactions per year.
Business challenge: protect client data at the heart of this business; PCI compliance for processing of >$25 billion in annual transactions; rapidly implement a proven solution, with zero tolerance for delays or errors.
Solution (QRadar SIEM, IBM Security Network IPS): integrated solution to provide visibility into PCI and data exposure risks, with expert implementation services helping the client pass its PCI audit four weeks after purchase.
Re-engineer profitable growth