360º View of Intelligent Security: IBM QRadar Security Intelligence
© 2014 IBM Corporation
IBM Security Systems
Slide 2
IBM Security: Delivering intelligence, integration and expertise across a comprehensive framework
Intelligence ● Integration ● Expertise
• Only vendor in the market with end-to-end coverage of the security foundation
• 6K+ security engineers and consultants
• Award-winning X-Force® research
• Largest vulnerability database in the industry
Slide 3
What is Security Intelligence?
Security Intelligence
--noun
A methodology of analyzing millions and billions of security, network and application records across the organization’s entire network in order to gain insight into what is actually happening in that digital world.
--verb
Combining internal, locally collected security intelligence with external intelligence feeds and applying correlation rules to reduce huge volumes of data into a handful of high-probability ‘offense’ records that require immediate investigation, in order to prevent or minimize the impact of security incidents.
Delivers actionable, comprehensive insight for managing risks, combating threats, and meeting compliance mandates.
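As an added illustration of the verb sense above (example code written for this page, not IBM's or QRadar's; the rule names, event fields, threat-feed scores and asset values are all constructed), the Python below reduces a small stream of already-normalized internal events into a handful of offense records. Two correlation rules run over the events: one looks for repeated authentication failures followed by a success from the same source and user, the other matches outbound connections against an external IP reputation feed. Each offense gets a magnitude that folds in the business value of the target asset, so the output is a short, ranked list rather than a raw event stream.

```python
"""Toy correlation engine: internal events + external threat feed -> offenses.
Added example, not QRadar code. All field names, rule names and sample data
are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events, already normalized to one schema (the shape a
# SIEM's normalization stage would emit from raw logs). 't' is seconds.
EVENTS = [
    {"t": 0,  "type": "auth_fail",    "src": "10.0.0.5", "user": "alice", "dst": "srv1"},
    {"t": 10, "type": "auth_fail",    "src": "10.0.0.5", "user": "alice", "dst": "srv1"},
    {"t": 20, "type": "auth_fail",    "src": "10.0.0.5", "user": "alice", "dst": "srv1"},
    {"t": 25, "type": "auth_fail",    "src": "10.0.0.5", "user": "alice", "dst": "srv1"},
    {"t": 30, "type": "auth_success", "src": "10.0.0.5", "user": "alice", "dst": "srv1"},
    {"t": 40, "type": "auth_fail",    "src": "10.0.0.9", "user": "bob",   "dst": "srv2"},
    {"t": 50, "type": "auth_success", "src": "10.0.0.9", "user": "bob",   "dst": "srv2"},
    {"t": 60, "type": "net_conn",     "src": "10.0.0.7", "dst": "198.51.100.23"},
    {"t": 70, "type": "net_conn",     "src": "10.0.0.7", "dst": "93.184.216.34"},
    {"t": 80, "type": "net_conn",     "src": "10.0.0.8", "dst": "198.51.100.23"},
    {"t": 90, "type": "net_conn",     "src": "10.0.0.5", "dst": "198.51.100.23"},
]

# Constructed external threat feed: IP -> reputation score (0..10).
THREAT_FEED = {"198.51.100.23": 8}

# Constructed asset context: business value of a destination host (1..10).
ASSET_VALUE = {"srv1": 9, "srv2": 3}


@dataclass
class Offense:
    """One offense record: the rule that fired, its grouping key, the
    contributing events and a 0..10 magnitude used for prioritization."""
    rule: str
    key: str
    events: list = field(default_factory=list)
    magnitude: int = 0


def rule_bruteforce(events, threshold=3, window=60):
    """Fire when at least `threshold` auth failures from one (src, user) are
    followed by a success for the same pair within `window` seconds."""
    fails = defaultdict(list)
    offenses = {}
    for e in events:
        k = (e["src"], e.get("user"))
        if e["type"] == "auth_fail":
            fails[k].append(e)
        elif e["type"] == "auth_success":
            recent = [f for f in fails[k] if e["t"] - f["t"] <= window]
            if len(recent) >= threshold:
                key = f"{e['src']}->{e['user']}"
                off = offenses.setdefault(key, Offense("brute_force_then_success", key))
                off.events.extend(recent + [e])
                # more failures and a more valuable target -> higher magnitude
                off.magnitude = max(off.magnitude,
                                    min(10, len(recent) + ASSET_VALUE.get(e["dst"], 1)))
    return list(offenses.values())


def rule_bad_reputation(events, feed):
    """Fire on any connection whose destination is on the external feed;
    all connections to the same bad IP collapse into one offense."""
    offenses = {}
    for e in events:
        score = feed.get(e.get("dst"))
        if e["type"] == "net_conn" and score is not None:
            off = offenses.setdefault(e["dst"], Offense("connection_to_bad_ip", e["dst"]))
            off.events.append(e)
            off.magnitude = max(off.magnitude, score)
    return list(offenses.values())


def correlate(events, feed):
    """Run all rules and return offenses ranked by magnitude, highest first."""
    offs = rule_bruteforce(events) + rule_bad_reputation(events, feed)
    return sorted(offs, key=lambda o: o.magnitude, reverse=True)


if __name__ == "__main__":
    offs = correlate(EVENTS, THREAT_FEED)
    print(f"{len(EVENTS)} events -> {len(offs)} offenses")
    for o in offs:
        print(f"{o.rule:26} {o.key:20} magnitude={o.magnitude} events={len(o.events)}")
```

Eleven events collapse into two offenses. The brute-force rule fires only when the failures and the success share a source and user inside the window, so bob's single failure followed by a success produces nothing, and the three connections to the listed IP become one offense rather than three alerts.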
Slide 4
IBM Security Intelligence QRadar
• There is no other Security Intelligence platform in the market today that combines the capabilities of SIEM, Network Activity Monitoring, Risk Management, Vulnerability Management and now Network Forensics into a single integrated platform.
• QRadar clients realize a quicker return on their investments due to the automatic detection of log event sources and network assets.
• Relatively straightforward to deploy and maintain across a wide range of deployment scales.
• QRadar is a good fit for midsize and large enterprises that need general SIEM capabilities and also for use cases that require behavior analysis and NetFlow analysis.
• A distinguishing characteristic is the collection and processing of NetFlow data, deep packet inspection (DPI) and behavior analysis for all supported event sources.
Slide 5
Overview of use cases
Detecting threats
• Arm yourself with comprehensive security intelligence
Consolidating data silos
• Collect, correlate and report on data in one integrated solution
Detecting insider fraud
• Next-generation SIEM with identity correlation
Better predicting risks to your business
• Full life cycle of compliance and risk management for network and security infrastructures
Addressing regulation mandates
• Automated data collection and configuration audits
Slide 6
Solutions for the full Security Intelligence timeline
Prediction & Prevention | Reaction & Remediation
Network and Host Intrusion Prevention.
Network Anomaly Detection. Packet Forensics.
Database Activity Monitoring. Data Leak Prevention.
Security Information and Event Management.
Log Management. Incident Response.
Risk Management. Vulnerability Management.
Configuration and Patch Management.
X-Force Research and Threat Intelligence.
Compliance Management.
Reporting and Scorecards.
What are the external and internal threats?
Are we configured to protect against these threats?
What is happening right now?
What was the impact?
Slide 7
IBM QRadar Security Intelligence Platform
Providing actionable intelligence
IBM QRadar Security Intelligence Platform
AUTOMATED: Driving simplicity and accelerating time-to-value
INTEGRATED: Unified architecture delivered in a single console
INTELLIGENT: Correlation, analysis and massive data reduction
Slide 8
INTELLIGENT: Embedded intelligence offers automated offense identification
Data sources: Servers and mainframes; Data activity; Network and virtual activity; Application activity; Configuration information; Security devices; Users and identities; Vulnerabilities and threats; Global threat intelligence
Automated Offense Identification (Embedded Intelligence):
• Unlimited data collection, storage and analysis
• Built-in data classification
• Automatic asset, service and user discovery and profiling
• Real-time correlation and threat intelligence
• Activity baselining and anomaly detection
• Detects incidents out of the box
Outcome: from Suspected Incidents to Prioritized Incidents
Slide 9
Integration with IBM Security zSecure
Event sources from System z: RACF, CA ACF2, CA Top Secret, z/OS, CICS, DB2 . . .
Slide 10
QRadar integrates data to answer the important questions
What was the attack?
Who was responsible?
How many targets involved?
Was it successful?
Where do I find them?
Are any of them vulnerable?
How valuable are the targets to the business?
Where is all the evidence?
Slide 11
Optimized appliance and software architecture for high performance and rapid deployment
IBM QRadar Security Intelligence Platform
Scalable appliance architecture
• Easy-to-deploy, scalable model using stackable distributed appliances
• Does not require third-party databases or storage
Shared modular infrastructure
• Offers automatic failover and disaster recovery
• Virtual deployments well suited for cloud environments
Slide 12
Delivering multiple security capabilities through a purpose-built, extensible platform
IBM QRadar Security Intelligence Platform (architecture diagram)
Southbound APIs: Real Time Structured Security Data (LEEF, AXIS, Configuration, NetFlow, Offense); Unstructured Operational / Security Data
Security Intelligence Operating System: Reporting Engine, Workflow, Rules Engine, Real-Time Viewer, Analytics Engine, Warehouse, Archival, Normalization
Capabilities delivered on the platform: Log Management, Security Intelligence, Network Activity Monitoring, Risk Management, Vulnerability Management, Network Forensics, Future
Northbound APIs
AUTOMATED
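The southbound inputs above name LEEF (Log Event Extended Format), and the platform layer lists a Normalization stage. The Python below is an added example written for this page, not QRadar's own parser: it reads LEEF 1.0 and 2.0 records as publicly documented (pipe-separated header fields, then key=value attributes separated by a tab or, in 2.0, a declared delimiter) and maps a few of LEEF's predefined attribute keys onto a constructed common schema, which is what a normalization stage does before correlation. The sample records, vendor and product names are constructed; accepting both the `x09` and `0x09` hex spellings of the delimiter is an assumption made here.

```python
"""LEEF (Log Event Extended Format) parser and normalizer.
Added example, not IBM code. Follows the public LEEF header layout
  LEEF:version|Vendor|Product|Version|EventID|[delimiter|]attributes
and maps a few predefined attribute keys to a constructed common schema.
All sample records below are constructed, not real device output."""
import re

# Constructed samples: (1) syslog-prefixed LEEF 1.0 with the default tab
# delimiter, (2) LEEF 2.0 with a custom '^' delimiter and a value containing
# '=', (3) a backslash-escaped pipe inside a header field.
SAMPLE_LEEF = [
    "<13>Jan 18 11:07:53 fw01 LEEF:1.0|ExampleVendor|ExampleFW|1.0|deny|"
    "devTime=Jan 18 2014 11:07:53\tsrc=10.0.0.5\tdst=198.51.100.23\t"
    "dstPort=445\tproto=tcp\tsev=7\tcat=firewall",
    "LEEF:2.0|ExampleVendor|ExampleIDS|2.1|SSH_BRUTE|^|"
    "src=10.0.0.9^dst=10.0.0.20^usrName=bob^sev=5^cat=auth^msg=rate=20/min",
    "LEEF:1.0|ExampleVendor|Gateway\\|Edge|3|alert|src=192.0.2.10\tsev=3",
]

# LEEF predefined attribute key -> field name in our (constructed) schema.
KEY_MAP = {"src": "src_ip", "dst": "dst_ip", "srcPort": "src_port",
           "dstPort": "dst_port", "usrName": "user", "sev": "severity",
           "cat": "category", "proto": "protocol", "devTime": "device_time"}
INT_FIELDS = {"src_port", "dst_port", "severity"}


def _split_header(body, nfields):
    """Split off `nfields` pipe-delimited header fields, treating '\\|' as a
    literal pipe. Returns (fields, remainder-after-last-pipe)."""
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < nfields:
        c = body[i]
        if c == "\\" and i + 1 < len(body) and body[i + 1] == "|":
            buf.append("|"); i += 2
        elif c == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(c); i += 1
    if len(fields) < nfields:
        raise ValueError("truncated LEEF header")
    return fields, body[i:]


def _decode_delim(spec):
    """LEEF 2.0 delimiter field: a literal character or a hex code for it.
    Assumption: both 'x09' and '0x09' are accepted; empty means tab."""
    if spec == "":
        return "\t"
    if re.fullmatch(r"(0x|x)[0-9A-Fa-f]{2}", spec):
        return chr(int(spec[-2:], 16))
    if len(spec) != 1:
        raise ValueError(f"bad LEEF delimiter {spec!r}")
    return spec


def parse_leef(line):
    """Parse one LEEF record (optionally syslog-prefixed) into a normalized dict."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("not a LEEF record")
    body = line[start:]
    version = body[5:8]                      # '1.0' or '2.0'
    nfields = 6 if version == "2.0" else 5   # 2.0 adds the delimiter field
    fields, attr_text = _split_header(body, nfields)
    delim = _decode_delim(fields[5]) if version == "2.0" else "\t"
    event = {"leef_version": version, "vendor": fields[1], "product": fields[2],
             "product_version": fields[3], "event_id": fields[4], "attributes": {}}
    for kv in attr_text.split(delim):
        if not kv:
            continue
        key, sep, value = kv.partition("=")  # split on the first '=' only
        if not sep:
            raise ValueError(f"malformed attribute {kv!r}")
        event["attributes"][key] = value
        norm = KEY_MAP.get(key)
        if norm:                             # promote known keys to the schema
            event[norm] = int(value) if norm in INT_FIELDS else value
    return event


if __name__ == "__main__":
    for rec in SAMPLE_LEEF:
        ev = parse_leef(rec)
        print(ev["vendor"], ev["product"], ev["event_id"],
              ev.get("src_ip"), ev.get("severity"))
```

Every raw attribute is kept under `attributes` so nothing is lost, while the promoted fields (`src_ip`, `severity`, `user`, ...) give downstream rules one set of names regardless of which device produced the record. Splitting on the first `=` only matters for values such as `msg=rate=20/min`; the escaped pipe in the third sample shows why the header cannot simply be split on `|`.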
Slide 13
Automated: No need for additional staff
Analyze
Act
Monitor
Auto-discovery of log sources, applications and assets
Asset auto-grouping
Centralized log mgmt
Automated configuration audits
Auto-tuning
Auto-detect threats
Thousands of pre-defined rules and role based reports
Easy-to-use event filtering
Advanced security analytics
Asset-based prioritization
Auto-update of threats
Auto-response
Directed remediation
Slide 14
Deployed upon scalable appliance/software/virtual architecture
Network and Application Visibility
• Layer 7 application monitoring
• Content capture for deep insight & forensics
• Physical and virtual environments
SIEM
• Log, flow, vulnerability & identity correlation
• Sophisticated asset profiling
• Offense management and workflow
Log Management
• Turn-key log management and reporting
• SME to Enterprise
• Upgradeable to enterprise SIEM
Scalability
• Event Processors for remote site
• High Availability & Disaster Recovery
• Data Node to increase storage & performance
Risk & Vulnerability Management
• Network security configuration monitoring
• Vulnerability scanning & prioritization
• Predictive threat modeling & simulation
Network Forensics (Incident Forensics)
• Reconstructs network sessions from PCAPs
• Data pivoting and visualization tools
• Accelerated clarity around who, what, when
Slide 15
An integrated, unified architecture in a single web-based console
INTEGRATED: Log Management ● Security Intelligence ● Network Activity Monitoring ● Risk Management ● Vulnerability Management ● Network Forensics
Slide 16
Architecture
Slide 17
QRadar deployment components (architecture diagram)
• QRadar Console: QRadar Web Console
• 18xx Combo Processor
• 16xx Event Processor
• 17xx Flow Processor
• 15xx Event Collector
• 14xx Data Node
• QFlow Collector: Layer 7
• QRadar Vulnerability Manager: Scanning; Complete Vulnerability Context and Visibility
• QRadar Risk Manager: network topology visualization, path analysis and configuration monitoring
• QRadar Forensics and PCAP Capture
• QRadar AIO
Slide 18
Integrations
Slide 19
Expand the value of security solutions through integration
Integrated intelligence: Correlate and analyze siloed information from hundreds of sources to automatically detect and respond to threats
Integrated protection: Enhance security with security solutions that interact across domains to provide cohesive, easy-to-manage protection
Integrated research: Incorporate the latest information on vulnerabilities, exploits and malware into intelligent security solutions across domains
Slide 20
QRadar integrated with numerous IBM Security Solutions
• Tivoli Endpoint Manager: Endpoint Management vulnerabilities enrich QRadar’s vulnerability database
• AppScan Enterprise: AppScan vulnerability results feed QRadar SIEM for improved asset risk assessment
• Guardium: Database assets, rule logic and database activity information
• Identity and Access Management: Identity context for all security domains w/ QRadar as the dashboard
• IBM Security Network, Host, and User Segment Protection (SiteProtector): Critical protocol analysis; blocking of policy violations; flow data sent for activity monitoring
• Correlate new threats based on X-Force IP reputation feeds
• Hundreds of 3rd party information sources
Slide 21
QRadar’s unique advantages
• Scalability for largest deployments, using an embedded database and unified data architecture
  • Impact: QRadar supports your business needs at any scale
• Real-time correlation and anomaly detection based on broadest set of contextual data
  • Impact: More accurate threat detection, in real-time
• Intelligent automation of data collection, asset discovery, asset profiling, vulnerability scanning and more
  • Impact: Reduced manual effort, fast time to value, lower-cost operation
• Integrated flow analytics with Layer 7 content (application) visibility
  • Impact: Superior situational awareness and threat identification
• Flexibility and ease of use enabling “mere mortals” to create and edit correlation rules, reports and dashboards
  • Impact: Maximum insight, business agility and lower cost of ownership
Slide 22
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.