
IBM Security Systems

IBM Security Intelligence Platform with Identity Management and Single Sign-On

Franc Červan (franc.cervan@si.ibm.com)


IBM CEE Security technical sales
© 2013 IBM Corporation

Nobody is immune. There is no end in sight.

2011 Sampling of Security Incidents by Attack Type, Time and Impact

[Figure: bubble chart of 2011 security incidents, plotted by month (Jan to Dec) and labelled with the victim's sector. Attack types in the legend: SQL Injection, URL Tampering, Spear Phishing, 3rd Party Software, DDoS, SecureID, Trojan Software, Unknown. Size of circle estimates relative impact of breach in terms of cost to business.]

Source: IBM X-Force® Research 2011 Trend and Risk Report


Customer Challenges

Detecting threats
• Arm yourself with comprehensive security intelligence

Consolidating data silos
• Collect, correlate and report on data in one integrated solution

Detecting insider fraud
• Next-generation SIEM with identity correlation

Better predicting risks to your business
• Full life cycle of compliance and risk management for network and security infrastructures

Addressing regulation mandates
• Automated data collection and configuration audits


Solving Customer Challenges

Major Electric Utility (Detecting threats)
• Discovered 500 hosts with “Here You Have” virus, which other solutions missed

Fortune 5 Energy Company (Consolidating data silos)
• 2 Billion logs and events per day reduced to 25 high priority offenses

Branded Apparel Maker (Detecting insider fraud)
• Trusted insider stealing and destroying key data

$100B Diversified Corporation (Predicting risks against your business)
• Automating the policy monitoring and evaluation process for configuration change in the infrastructure

Industrial Distributor (Addressing regulatory mandates)
• Real-time extensive monitoring of network activity, in addition to PCI mandates


QRadar Security Intelligence Platform


Solutions for the Full Compliance and Security Intelligence Timeline

Prediction & Prevention
• What are the external and internal threats?
• Are we configured to protect against these threats?
Risk Management. Vulnerability Management. Configuration Monitoring. Patch Management. X-Force Research and Threat Intelligence. Compliance Management. Reporting and Scorecards.

Reaction & Remediation
• What is happening right now?
• What was the impact?
SIEM. Log Management. Incident Response. Network and Host Intrusion Prevention. Network Anomaly Detection. Packet Forensics. Database Activity Monitoring. Data Loss Prevention.


Fully Integrated Security Intelligence

Log Management
• Turn-key log management and reporting
• SME to Enterprise
• Upgradeable to enterprise SIEM

SIEM
• Log, flow, vulnerability & identity correlation
• Sophisticated asset profiling
• Offense management and workflow

Configuration & Vulnerability Management
• Network security configuration monitoring
• Vulnerability prioritization
• Predictive threat modeling & simulation

Network Activity & Anomaly Detection
• Network analytics
• Behavioral anomaly detection
• Fully integrated in SIEM

Network and Application Visibility
• Layer 7 application monitoring
• Content capture for deep insight & forensics
• Physical and virtual environments


One Console Security
Built on a Single Data Architecture


Security Intelligence: QRadar provides in-depth security visibility


• IBM X-Force® Threat Information Center
• Real-time Security Threats and Prioritized ‘Offenses’
• Identity and User Context
• Inbound Security Events
• Real-time Network Visualization and Application Statistics

QRadar: Clear, concise and comprehensive delivery of relevant info

• What was the attack?
• Was it successful?
• Who was responsible?
• Where do I find them?
• How many targets involved?
• How valuable are the targets to the business?
• Are any of them vulnerable?
• Where is all the evidence?


Major Electric Utility (Detecting threats)
• Discovered 500 hosts with “Here You Have” virus, which other solutions missed

Potential Botnet Detected?
This is as far as traditional SIEM can go

IRC on port 80?
IBM Security QRadar QFlow detects a covert channel

Irrefutable Botnet Communication
Layer 7 flow data contains botnet command control instructions

Application layer flow analysis can detect threats others miss

Fortune 5 Energy Company (Consolidating data silos)
• 2 Billion logs and events per day reduced to 25 high priority offenses

QRadar judges “magnitude” of offenses:
• Credibility: A false positive or true positive?
• Severity: Alarm level contrasted with target vulnerability
• Relevance: Priority according to asset or network value
Priorities can change over time based on situational awareness

Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight

Branded Apparel Maker (Detecting insider fraud)
• Trusted insider stealing and destroying key data

Potential Data Loss: Who? What? Where?
• Who? An internal user
• What? Oracle data
• Where? Gmail

Threat detection in the post-perimeter world
User anomaly detection and application level visibility are critical to identify inside threats

$100B Diversified Corporation (Predicting risks against your business)
• Automating the policy monitoring and evaluation process for configuration change in the infrastructure

• Which assets are affected? How should I prioritize them?
• What are the details? Vulnerability details, ranked by risk score
• How do I remediate the vulnerability?

Pre-exploit Security Intelligence
Monitor the network for configuration and compliance risks, and prioritize them for mitigation

Industrial Distributor (Addressing regulatory mandates)
• Real-time extensive monitoring of network activity, in addition to PCI mandates

PCI compliance at risk?
Real-time detection of possible violation

Unencrypted Traffic
IBM Security QRadar QFlow saw a cleartext service running on the Accounting server
PCI Requirement 4 states: Encrypt transmission of cardholder data across open, public networks

Compliance Simplified
Out-of-the-box support for major compliance and regulatory standards
Automated reports, pre-defined correlation rules and dashboards

Security intelligence at work: SIEM in action

Data sources:
• Security Devices
• Servers & Mainframes
• Network & Virtual Activity
• Data Activity
• Application Activity
• Configuration Info
• Vulnerability & Threat
• User Activity

2 Bn security records per day
25 security offenses per day

• Reliable, secure and scalable log data storage
• Advanced security data correlation turning data into information
• Advanced and easy to use rule based security event correlation engine to extract the real security offenses


Threat Protection & QRadar improve your visibility and prevention

Attacks, audits, status events and vulnerabilities from SiteProtector & IPS, covering:
• Networks
• Servers
• Endpoints
• Applications
• Scanners

[Diagram: QRadar data sources (Security Devices, Servers & Mainframes, Network & Virtual Activity, Data Activity, Application Activity, Configuration Info, Vulnerability & Threat, User Activity) feeding Event Correlation and Activity Baselining & Anomaly Detection, leading to Offense Identification]

Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight

• Helps find threats other SIEMs might miss by combining Network Protection’s Protocol Analysis Module signature analysis and QRadar’s anomaly detection capabilities
• Enables immediate real-time threat awareness and powerful threat and offense prioritization capabilities to establish definitive evidence of attack and visibility into all attacker communications
• Integrates X-Force security content
• Outstanding coverage available within full SIEM solution or targeted Network Anomaly Detection offering

zSecure & QRadar adds protection for mainframe environments


Alerts, unauthorized log-ins, policy violations, configuration changes, etc. from zSecure Alert & zSecure Audit, covering:
• System z
• RACF
• ACF2, Top Secret
• CICS
• DB2

[Diagram: QRadar data sources (Security Devices, Servers & Mainframes, Network & Virtual Activity, Data Activity, Application Activity, Configuration Info, Vulnerability & Threat, User Activity) feeding Event Correlation and Activity Baselining & Anomaly Detection, leading to Offense Identification]

Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight

• Centralizes enterprise security view allowing identification and remediation of excess mainframe access, threats and concerns
• Strengthens mainframe security operations and helps improve protection for critical mainframe environment
• Triggers complex correlation of threats, insider fraud and business risk as easy to understand “offenses” for further investigation and follow-ups
• Stores event data in forensically secure database to address regulation mandates
• Improves compliance reporting by simplifying audit and management efforts

InfoSphere Guardium & QRadar protect your most sensitive data

In-depth data activity monitoring and security insights from InfoSphere Guardium, covering:
• Databases
• Data Warehouses
• Hadoop based systems
• File shares

[Diagram: QRadar data sources (Security Devices, Servers & Mainframes, Network & Virtual Activity, Data Activity with Database Activity, Application Activity, Configuration Info, Vulnerability & Threat, User Activity) feeding Event Correlation and Activity Baselining & Anomaly Detection, leading to Offense Identification]

Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight

• Detects anomalistic behavior and malicious access to sensitive data
• Focuses customers on key data access events coming from InfoSphere Guardium while saving operational costs by not transmitting and storing insignificant events
• Provides broader, enterprise network security context for InfoSphere Guardium alerts and events helping identify advanced threats
• Improves compliance reporting with automated data access reports


Guardium and QRadar (Data Security Integration)

[Diagram: Guardium Database Monitoring & Vulnerability Assessment and QRadar, with labels: Guardium logs, Database Vulnerability, Identified Risk]

Enhanced data protection:
• Correlation with database activity
– Collects and categorizes Guardium events for easy searching, reporting and correlation with other data
– Correlates database activity with QRadar network activity to detect anomalous and suspicious behavior. For example: Alert is issued when multiple failed logins to a database server are followed by a successful login and accessing of credit card tables, then followed by an FTP upload to a questionable external site.
• Database vulnerability sharing
– Pulls database vulnerability data from Guardium into QRadar Asset Profiles to get more complete asset data for databases.
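
The correlation described in the example above (failed logins, then a successful login, credit card table access and an FTP upload), written out as an added Python sketch; it is not QRadar or Guardium rule syntax and is not from the original slides. The event field names, threshold, time window, table names and address lists are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed tuning values: the slide only says "multiple" failures and a "questionable" site.
FAILED_THRESHOLD = 3
WINDOW = timedelta(minutes=30)                    # the whole chain must fit in this window
CARD_TABLES = {"CARDHOLDER", "CC_PAYMENTS"}       # hypothetical credit card table names
INTERNAL_NET = ip_network("10.0.0.0/8")           # assumed internal address space
APPROVED_FTP = {ip_address("198.51.100.20")}      # hypothetical approved partner host


def ev(ts, kind, src, **fields):
    """Build one normalized event; the field names are this example's own."""
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "src": src, **fields}


# Constructed sample events standing in for database audit logs and network flows.
EVENTS = [
    # Host A: the full chain, ending in an upload to an unknown external host.
    ev("2013-03-01T02:10:01", "db_login_failed", "10.0.5.23", user="appsvc"),
    ev("2013-03-01T02:10:09", "db_login_failed", "10.0.5.23", user="appsvc"),
    ev("2013-03-01T02:10:15", "db_login_failed", "10.0.5.23", user="appsvc"),
    ev("2013-03-01T02:10:40", "db_login_ok", "10.0.5.23", user="appsvc"),
    ev("2013-03-01T02:12:05", "db_query", "10.0.5.23", user="appsvc", table="cardholder"),
    ev("2013-03-01T02:19:30", "ftp_upload", "10.0.5.23", dst="203.0.113.77"),
    # Host B: one mistyped password only, so the later steps must not alert.
    ev("2013-03-01T09:00:02", "db_login_failed", "10.0.5.40", user="jdoe"),
    ev("2013-03-01T09:00:10", "db_login_ok", "10.0.5.40", user="jdoe"),
    ev("2013-03-01T09:05:00", "db_query", "10.0.5.40", user="jdoe", table="CARDHOLDER"),
    ev("2013-03-01T09:20:00", "ftp_upload", "10.0.5.40", dst="203.0.113.77"),
    # Host C: many failures, but no credit card table was touched.
    ev("2013-03-01T11:00:01", "db_login_failed", "10.0.5.51", user="batch"),
    ev("2013-03-01T11:00:03", "db_login_failed", "10.0.5.51", user="batch"),
    ev("2013-03-01T11:00:05", "db_login_failed", "10.0.5.51", user="batch"),
    ev("2013-03-01T11:00:09", "db_login_ok", "10.0.5.51", user="batch"),
    ev("2013-03-01T11:02:00", "db_query", "10.0.5.51", user="batch", table="INVENTORY"),
    ev("2013-03-01T11:06:00", "ftp_upload", "10.0.5.51", dst="203.0.113.77"),
]


def _fresh():
    """Empty per-source progress record."""
    return {"fails": [], "nfail": 0, "user": None, "login": None, "cards": None}


def correlate(events):
    """Return one alert per source host that completes the whole chain in order."""
    state, alerts = {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        t, src = e["ts"], e["src"]
        s = state.setdefault(src, _fresh())
        # Age out failures and suspicious logins that fell outside the window.
        s["fails"] = [x for x in s["fails"] if t - x <= WINDOW]
        if s["login"] and t - s["login"] > WINDOW:
            s.update(login=None, cards=None)

        if e["kind"] == "db_login_failed":
            s["fails"].append(t)
        elif e["kind"] == "db_login_ok":
            # A success is only suspicious when it follows enough recent failures.
            if len(s["fails"]) >= FAILED_THRESHOLD:
                s.update(login=t, user=e["user"], nfail=len(s["fails"]), cards=None)
            s["fails"] = []
        elif e["kind"] == "db_query":
            if s["login"] and e["table"].upper() in CARD_TABLES:
                s["cards"] = t
        elif e["kind"] == "ftp_upload" and s["cards"]:
            dst = ip_address(e["dst"])
            # "Questionable" is modelled here as external and not on the approved list.
            if dst not in INTERNAL_NET and dst not in APPROVED_FTP:
                alerts.append({"src": src, "user": s["user"], "dst": e["dst"],
                               "failed_logins": s["nfail"], "at": t})
                state[src] = _fresh()
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Only host A raises an alert; hosts B and C each break one link of the chain, which is the difference between this rule and a plain failed-login counter.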


AppScan & QRadar improve threat detection accuracy

Application vulnerability assessments from AppScan, covering:
• Web applications
• Mobile applications
• Web services
• Desktop applications

[Diagram: QRadar data sources (Security Devices, Servers & Mainframes, Network & Virtual Activity, Data Activity, Application Activity, Configuration Info, Vulnerability & Threat, User Activity) feeding Event Correlation and Activity Baselining & Anomaly Detection, leading to Offense Identification]

Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight

• Strengthens threat detection and offense scoring capabilities
• Correlates known application vulnerabilities with other real-time events and alerts to elevate meaningful offenses
• Enhances proactive risk management assessments by prioritizing critical application vulnerabilities


AppScan and QRadar (Application Security Integration)

[Diagram: AppScan Enterprise Web client, AppScan Enterprise Server, AppScan Standard (DAST desktop client), AppScan Source (SAST desktop client), AppScan Enterprise Dynamic Analysis Scanners (server-based DAST) and QRadar, with labels: Application Vulnerability, Identified Risk]

Promoting use of vulnerability:
• Application vulnerability sharing
– QRadar imports application vulnerability data published by AppScan on a regular basis.
– QRadar shows vulnerability details on Asset Profile (V7.1)
• Correlation and alert
– Enables QRadar to correlate network and event activity with application vulnerability, helping determine the priority (ranks) of the offenses and assess potential impact of the attack.
– Initiate scanning from QRadar
– Sends alerts to AppScan administrators


Endpoint Manager & QRadar tighten endpoint security


Endpoint intelligence data from Endpoint Manager, covering:
• Servers
• Clients
• Mobile devices
• POS, ATM, Kiosks

[Diagram: QRadar data sources (Security Devices, Servers & Mainframes, Network & Virtual Activity, Data Activity, Application Activity, Configuration Info, Vulnerability & Threat Intelligence, User Activity) feeding Event Correlation and Activity Baselining & Anomaly Detection, leading to Offense Identification]

Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight

• Increases vulnerability database accuracy improving offense and risk analytics to limit potential offenses
• Establishes baseline for endpoint states and improves alerting on variations to detect threats other SIEMs might miss
• Speeds remediation of discovered offenses using Endpoint Manager automation
• Represents AV/DLP alerts within consolidated enterprise security view helping correlate advanced threat activities
• Improves compliance reporting with deep endpoint state data

Tivoli Endpoint Manager and QRadar (Endpoint Security Integration)


[Diagram: Tivoli Endpoint Manager cycle (Report, Publish, Enforce, Evaluate) exchanging data with QRadar. Labels: Fixlet status, Configuration, Vulnerability, Network asset data, Identified Risk]

Network & Endpoint Security Combined:
• TEM → QRadar
– TEM forwards endpoint Fixlet (policy) status messages to QRadar for correlation. (Shipping)
– TEM exports endpoint configuration and vulnerability data to QRadar to increase coverage and accuracy of QRadar asset profiles.
• QRadar → TEM
– QRadar exports network asset data to TEM, allowing complete reporting on network devices.
– QRM correlates assets, vulnerabilities, configuration and network activities to identify risky endpoints and export them as a group to TEM for high priority analysis and remediation
• Bidirectional
– Closed-loop remediation workflows: QRadar detects vulnerable systems, forwards to TEM; TEM executes remediation and sends update back to QRadar.


Identity & Access Management products & QRadar uncover malicious behaviors

Identity information and user activity from IAM products, covering:
• User log-ins
• Access rights
• Group memberships

[Diagram: QRadar data sources (Security Devices, Servers & Mainframes, Network & Virtual Activity, Data Activity, Application Activity, Configuration Info, Vulnerability & Threat, User Activity) feeding Event Correlation and Activity Baselining & Anomaly Detection, leading to Offense Identification]

Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight

• Provides ability to insert user names into reference sets used for writing searches, reports, and rules
• Improves ability to defend against insider threats involving privilege escalations or inappropriate data access
• Facilitates compliance reporting by pairing user identities with access to sensitive data


IAM and QRadar (Identity Security Integration)

[Diagram: Security Identity Manager managing Applications, Databases, Operating Systems, and Networks & Physical Access, with an Identity Repository. Data passed to QRadar: Identity mapping data and user attributes, SIM/SAM Server logs, Application logs]

Identity enriched security intelligence:
• Technical features
– Retrieves user identity data including ID mapping (from an enterprise ID to multiple application user IDs) and user attributes (groups, roles, departments, entitlements).
– Queries data (events, flows, offenses, assets) relative to an enterprise user ID and mapped application user IDs
– Selects user identities for easy creation of correlation rules
– Reports on all the activities (using different appliance user IDs) of an enterprise user
• Use cases
– Privileged user activity monitoring
– Terminated employee access detection
– Separation of duty violation detection
– User account recertification
– Ensuring appropriate access control setting
– Backdoor access detection
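
The ID mapping and two of the use cases listed above (reporting all activity of one enterprise user, and terminated employee access detection), as an added Python sketch that is not from the original slides and does not use any ISIM or QRadar API. The export layout, the enterprise IDs and the `r.miles` user are hypothetical; the three Jane Doe account names are the ones shown later in this deck, and all events are constructed.

```python
from datetime import datetime

# Constructed identity-mapping export: enterprise ID -> termination time and
# the (system, application user ID) pairs that belong to that person.
IDENTITIES = {
    "jane.doe": {
        "terminated": None,
        "accounts": {("UNIX", "jdoe"), ("AD", "janedoe"), ("RACF", "jd044595")},
    },
    "r.miles": {  # hypothetical leaver
        "terminated": "2013-02-28T18:00:00",
        "accounts": {("UNIX", "rmiles"), ("Oracle", "RM_DBA")},
    },
}

# Constructed log events: (timestamp, system, account, action).
EVENTS = [
    ("2013-03-04T08:01:00", "AD", "janedoe", "logon"),
    ("2013-03-04T08:05:00", "UNIX", "jdoe", "ssh login"),
    ("2013-03-04T08:30:00", "RACF", "jd044595", "dataset read"),
    ("2013-02-27T10:00:00", "UNIX", "rmiles", "ssh login"),    # before termination
    ("2013-03-02T23:40:00", "Oracle", "RM_DBA", "select"),     # after termination
    ("2013-03-03T01:15:00", "UNIX", "svc_tmp", "ssh login"),   # no owner on record
]


def build_index(identities):
    """Invert the mapping so a log line's (system, account) resolves to a person."""
    index = {}
    for enterprise_id, record in identities.items():
        for key in record["accounts"]:
            index[key] = enterprise_id
    return index


def enrich(events, identities):
    """Attach the enterprise ID (or None) to every event."""
    index = build_index(identities)
    return [
        {"ts": ts, "system": system, "account": account, "action": action,
         "enterprise_id": index.get((system, account))}
        for ts, system, account, action in events
    ]


def activity_of(enterprise_id, events, identities):
    """All activity of one person, whatever application user ID was used."""
    return [e for e in enrich(events, identities) if e["enterprise_id"] == enterprise_id]


def findings(events, identities):
    """Flag use of accounts with no known owner and use after termination."""
    out = []
    for e in enrich(events, identities):
        owner = e["enterprise_id"]
        if owner is None:
            out.append(("unmapped_account", e))
            continue
        terminated = identities[owner]["terminated"]
        if terminated and datetime.fromisoformat(e["ts"]) > datetime.fromisoformat(terminated):
            out.append(("terminated_employee_access", e))
    return out


if __name__ == "__main__":
    for kind, event in findings(EVENTS, IDENTITIES):
        print(kind, event["system"], event["account"], event["ts"])
```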


Identity Management


WHO has ACCESS to WHAT and WHY??

People Policy Resources


The Who in Identity Management

Who: Users, people who need access to resources.

Users can be internal or external to the organization.
• Employees
• Student
• Customers
• Business Partners
• Citizens

Jane Doe’s HR information (HR System)
Name: Jane Doe
Dept: Accounting
Manager: John Smith
Address: 10 Main St.
Tel. No: 555-1212
Bus Role: Benefits Administrator


The What in Identity Management


What: Accounts give people access to resources.

Examples of Resources:
Operating Systems: UNIX, Windows
Databases: DB2, Oracle
Applications: SAP, Lotus Notes
Directories: Active Directory

Example accounts:
UNIX: jdoe
AD: janedoe
RACF: jd044595

The user account generally consists of:
• A userid
• Password: grant initial access
• Group or role assignments: grant access/privileges


How is Access granted … and Why

People (who), Policy, Resources (what)

• Policy defines who can access resources.
• Policy is made up of membership and entitlements
• Workflow and Approvals define the business process and ensure that the right people are given the right access.
• Policy Membership can be defined through Roles
  Business Roles – collections of users by job function
  Application Roles – collection of resources or entitlements.
• Membership - Individual vs Group
  Examples of group Membership: Active Directory group policies, SAP authorizations


IBM Security Identity Manager (ISIM)

Roles / Requests


IBM Security Identity Manager – How it works


Automates, audits, and remediates user access rights across your IT infrastructure

Provisioning flow: Identity change (add/del/mod), Access policy evaluated, Approvals gathered, Accounts updated
Detect and correct local privilege settings
Accounts on 70 different types of systems managed. Plus, In-House Systems & portals

[Diagram: HR Systems/Identity Stores feed Tivoli Identity Manager, which manages accounts on Applications, Databases, Operating Systems, and Networks & Physical Access]

Reduce Cost
• Self-service password reset
• Automated user provisioning

Simplify Complexity
• Consistent security policy
• Quickly integrate new users & apps

Address Compliance
• Closed-loop provisioning
• Access rights audit & reports

• Know the people behind the accounts and why they have the access they do
• Fix non-compliant accounts
• Automate user privileges lifecycle across entire IT infrastructure
• Match your workflow processes

ISIM - Workflow
[Diagram: NEW EMPLOYEE PROCESS workflow. Labels: HR System, HR, Position, John Smith, Sending Request, Manager, Acceptance, Application Owner, Approvers, Notification, Reminder, Delay, Automatic permission grant, Automatic permission termination]


ISIM – Role vs Request based access control


[Diagram: three provisioning flows compared on two axes, Investments and Ongoing Operational Labor. Additional label: Policy Design]
• Publish Service Catalog; User Initiates Access Request; Approvals Gathered; Access Provisioned; Periodic Recertification
• Define Coarse Roles Plus Optional Access; Major Changes Automated, Minor Ones Requested; Access Provisioned, Approvals for Exceptions; Auto Recertify Exceptions Only
• Define Role Based Access Control Model & Policies; Update to User Attribute Initiates Access Change; Automatic Provisioning and Rights Verification


ISIM – Compliance

1 Reconciliation
Who has access to what? Identify orphan and dormant accounts – big security exposures!
[Graphic: THE PLAN, MATCH?, REALITY]

2 Recertification
Does this user still need this account or access entitlement? Establish an automated process for review and enforcement.

3 Reporting
Prove it. Show auditors who has access to what and how they got it.


ISIM – Reporting
• Sample Operational Reports
– Orphan Accounts Report
– Dormant Accounts Report
– Recertification Change History Report
– Pending Recertification Report
– Recertification Policies Report
– Individual Access Report
– Access Report


Solving the Privileged Identity Management problem requires going beyond traditional approaches:

Each administrator has a User ID on every system
• Exponential increase in privileged User IDs
• Increased risk of mismanagement of privileged User IDs
• Increased User ID administration costs

Administrators share privileged User IDs
• Risk of losing individual accountability
• Issues with password management and security
• Out of step with regulatory thinking

Requires solution to provide control, automation and accountability of privileged account access

Enterprise Single Sign-On


Access Management

Applications: EMR, PACS, Imaging, HR Web, Mainframe, SAP, Lotus Notes, Java, Cloud

• Access to sensitive data
• Complex passwords
• Impossible to remember
• Need much quicker access

Users logging on to the same shared Windows account without logging off applications! policy/regulation violations!


Access Management challenges

SECURITY
Virtual desktops and applications accessed ubiquitously are protected by weak, shared passwords

COMPLIANCE
Do you know which nurse accessed which critical patient records from her virtual desktop?

COSTS
Help-desk calls due to forgotten passwords can be expensive

PRODUCTIVITY
Desktop and application lockouts, slow access to applications hamper productivity


What if …
. . . users only needed to remember 1 password?

• 1 password to sign-on to Windows, Windows applications, Web applications, Java, Telnet, in-house developed and mainframe applications, . . .
  • With no need to modify applications
  • Without modifying the directory used (Active Directory, etc.)
  • With automatic renewal for expired passwords
  • With Self-service if password is forgotten (no Help Desk call)
  • And with quick deployment and incremental ROI (that just got quicker!)

In fact, what if we simplified user access with single password access, while strengthening security, saving costs and improving your compliance posture?


IBM Security Access Manager for Single Sign-On (ISAM ESSO) - Access Management solution

STRENGTHEN SECURITY
• Strong passwords
• Strong Authentication

DEMONSTRATE COMPLIANCE
• Fine-grained audit logs
• Session Management

REDUCE COSTS
• Fewer helpdesk calls
• Save up to $25 per call!

INCREASE PRODUCTIVITY
• No Account Lockouts
• Fast access to information


ISAM ESSO - Overview

• Single sign-on
• Supports strong authentication
• Kiosk sharing
• Password self service
• Web-based administration
• Browser-based remote access
• User access tracking & audit
• No change to the infrastructure

TAM E-SSO enables visibility into user activity, control over access to business
assets, and automation of the sign-on process in order to drive value for our
clients.


ISAM ESSO - Architecture


ISAM ESSO – Access Studio


Profiling templates for applications
– Windows
– Java
– Terminal
– Mainframe (cursor-based, HLLAPI)
Wizard
– Sign On
– Sign Off
– Password Change
Advanced profiles
Ability to test profiles
Simple and quick implementation
Automatic profiles for:
– Windows Explorer, Internet Explorer
– Web based applications
– GINA, RDP


ISAM ESSO – Audit and Tracking

End user activity tracking
Configuration change
Corporation application access tracking
Own events tracking
Sample audit data
– Sign On/Sign Off
– Password Change
– 2FA
– Offline access
Integration with external reporting tools


ISAM ESSO – 2FA


Support for:
– Passive RFID (Mifare, HID iClass)
– Active RFID (Xyloc)
– Tokens (Vasco, Authenex)
– USB Key (DigiSafe, Charismathics)
– MobileAccessCode
  • SMS
  • E-mail
– Sonar
– Biometrics (UPEK, DigitalPersona)
Support for:
– Sign On to system
– Sign On to application
– Sign Off


ISAM ESSO – ISIM Integration

Logins and passwords generated by ISIM are pushed to SAMESSO End User
Wallet automatically updated during password change
Blocking wallet for End User from ISIM interface
Support for ISIM 4.6, 5.0, 5.1, 5.2


ibm.com/security

© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is
provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to,
these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its
suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials
to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities
referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a
commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International
Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of
others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper
access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to
or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security
measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach,
which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT
WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
