IBM Security Intelligence Update for BP (PDF)
Update
IBM #QRADAR
10 July 2017
Agenda
1. General Section:
a. Positioning
b. Portfolio – What do we sell?
c. Collaboration to combat (App Exchange, App Framework-SDK, AppNode)
d. Some core news (New core appliances, Licensing)
e. Release highlights
2 IBM Security
General Section
Today’s security drivers
Drivers shown: advanced attacks, compliance, skills gap, human error, innovation.
Why a security immune system…and why now?
Our clients say they need a better approach than a fragmented, disconnected,
inefficient collection of point products
Capabilities shown in the immune-system diagram: threat sharing, virtual patching, network visibility, indicators of compromise, incident response, sandboxing, application security, content security, access management, IP reputation, firewalls, log/flow/data/user-behavior analysis, antivirus, incident forensics and threat management, criminal detection, data access control, entitlements and roles, privileged identity management, fraud protection, endpoint patching and management, malware protection, transaction protection, vulnerability management, workload protection, application scanning, identity management, device management, anomaly detection, data monitoring, cloud access security broker.
It’s time to take a more holistic view of your security portfolio
85 security products from more than 40 vendors: a costly approach
IBM helps protect against new and complex security challenges
Upgrade your defenses with a coordinated platform to outthink threats
Platform phases shown: Predict, Respond.
Security Operations and Response
Security Operations and Response: indicators of compromise, IP reputation and threat sharing via the App Exchange and X-Force Exchange.
Information Risk and Protection: Guardium, Identity Governance and Access, Key Manager, Privileged Identity Manager, AppScan, Cloud Identity Service, zSecure, Cloud Security.
QRadar Product Portfolio
Inputs: logs, flows, vulnerabilities.
QRadar Log Manager (without correlation).
QRadar SIEM (Security Intelligence and Sense Analytics), producing offenses.
IBM X-Force Exchange.
IBM QRadar: Continued investment based on client needs
Capabilities added over time in response to client needs: Log; Security Intelligence; Network Forensics; Vulnerability and Risk; Incident Forensics; Security Intelligence on Cloud (a flexible solution that can deploy as a true SaaS); Incident Response (build and execute automated incident response plans).
Timeline: 2002 – 2005, 2006 – 2007, 2008 – 2009, 2010 – 2013, 2014, 2015, 2016.
Analyst recognition
§ “By integrating the UBA App with QRadar, and making it easy to deploy via the Security App Exchange, IBM has established a strong differentiator in the increasingly crucial field of security analytics.”
- TBRI
Collaboration to combat the criminals
§ Application Exchange
§ QRadar Application Framework - SDK
§ Application Node
Criminals are organized and collaborate on a global scale
IBM Security Application Exchange
INNOVATION: new agile capabilities from partners, IBM, Security research and other vendors.
DIFFERENTIATION: enables service provider and business partner value add and differentiation.
Where to find the IBM Security Application Exchange
https://exchange.xforce.ibmcloud.com/hub
Open APIs for rapid innovation and creation
Secure Container
- Dedicated memory allocation and defined CPU resources
- Docker ensures GUI App code in one container cannot affect code in another container
- Docker ensures GUI App code cannot interfere or interact directly with QRadar
§ The main web language used to author an application is Python, and the Flask micro framework is integrated and available for use by the application.
*However, applications are free to include other additional packages and runtimes as required.
https://www.python.org/
https://flask.pocoo.org/
*Demo - https://youtu.be/_A5ogClea8g
QRadar App Development Center
What is it?
§ The QRadar App Developer Center is a landing site for anything app development related. This is a free site and open to any users. An IBM ID is required to download the SDK from the IBM Security App Exchange.
§ https://developer.ibm.com/qradar
Information available:
§ Download the SDK
§ Learn about what’s new
§ Read documentation
§ Blogs from developers
§ Talk with developers on our forum
§ App troubleshooting information
§ Learn about submitting apps (partners only at this time)
§ Business Partner information
IBM Security App Exchange: External Validation Process
Stage 1 (1 week):
ü Log into IBM Security App Exchange Technical Community with your IBM ID.
ü Submit the Validation Document and required documentation.
ü Package is reviewed by PartnerWorld Validation Lab.
ü Feedback, Approval and access to QRadar DeveloperWorks is granted.
Stage 2 (1 week):
ü App reviewed by IBM QRadar to ensure solution is free of security exposures and performance inhibitors.
ü Feedback
ü Approval
ü BP is issued IBM Ready for Security Intelligence Mark
Stage 3 (1 week):
ü App posted in IBM Security App Exchange
ü App posted IBM PartnerWorld Ready for Security Intelligence Catalog
Certification Timeline: 1 week per stage.
IBM QRadar Application Editor (2Q 2017)
APP DEVELOPMENT TOOL
- Real time QRadar App editing and creating
- CSS/HTML made easier
- Create or Edit Apps easily
- Simplifies Installs & Upgrades
- Quicker results for App Developers
- Manifest validation
- Work on multiple apps versions
- Speeds up App Development
- Integration with Github (*)
https://exchange.xforce.ibmcloud.com/hub/extension/5d0f3f37cc5c4d16ccafe9d40d8dffe5
Inter-App Communications (Named Services)
In 7.3, we have also expanded the application
framework to allow applications to talk to each
other.
QRadar Application Node (Q1 2017 – 7.3)
• Prior to 7.3, all QRadar Applications have been installed and run on the QRadar Console. This means that for each QRadar Application that is downloaded and installed, a small portion of the console’s resources (RAM, CPU and storage) is used up and not available for normal console operation.
• It’s like a Data Node, but for Apps!
With the QRadar App Node, all applications are now offloaded to a new host, relieving the console from the processing load. This also gives applications with significant resource requirements (UBA, Spark, etc.) access to those resources.
• A scalable application platform
• Plans to support Spark & Hadoop
• Ease of deployment: on prem or cloud
App Nodes can reside on premise on traditional appliance type form factors or within a virtualized infrastructure. The only requirement for an App Node is that it be running RHEL 7 or CentOS 7 at the time it is added to QRadar.
Requires an integrated ‘Above SIEM’ solution set for the SOC
SIEM layer: event correlation and log management (IBM QRadar Security Intelligence).
Highlight news on Core
New Core Appliances
We also have two new appliance form factors that have been released within the last few months.
The QRadar xx29, which is the generational update of our xx28 and provides an excellent platform for all host
types for our clients with medium to large scale deployments.
The QRadar xx48 is the newest addition to the appliance family and is targeted at enterprise clients with very
high performance requirements around data searching and analysis. The xx48 also comes with an 80K EPS
certification for event collection which makes it an excellent choice for clients looking to consolidate their
existing deployments or even for Telco type clients with onerous collection needs.
xx48
- For large system consoles (6+ processors) and high throughput processors (80k+ EPS)
- 18 TB of SSD, 128 GB RAM
- 28 cores
xx29
- For medium to large systems
- 40k EPS
- 60 TB of disk, 128 GB RAM
- 20 cores
QRadar SIEM Appliances (XX48, XX29, XX05) are intended for use as All-in-Ones, Consoles, Event Processors, Flow Processors, and Data Nodes.
Releases: News to highlight
§ Compression
§ Graphical interface improvements
§ Layouts
§ AQL
§ DSM Editor
§ Users
§ Multitenancy
§ High availability
§ LVM
§ Activation Key
Introducing the Tenant Abstraction
The Tenant abstraction is meant to provide a higher level representation of an occupant (MSSP: Tenant = customer)
Resources Restrictions – Search Controls
Domain Aware Reference Sets
In 7.2.8 we have started to extend our multi-tenancy support into our reference data collections. In this first phase, domain associations are added to reference sets. With this model, each reference set can contain items or lists of items that are associated with a particular domain and not accessible by any other domain in the system.
This enables MSSPs, or any organization that uses the Domain capabilities of QRadar, to provide independent collections of data to each.
Now, independent threat feeds or business context data, like identity information, can be introduced on a per tenant basis, without the risk of exposing that data to other users.
Reference Data Containers and Tenant Awareness
Tenant support for custom properties
A few other items…
The Offering: SIEM Capabilities of QRadar Delivered as a Service
• Simple management screens allow for easy configuration and validation prior to being put
into production.
Data Obfuscation – 3 Easy Steps…
Search Performance – Super Indices
Continuous improvement in search speed and functionality
Finding the threats, quickly…
•All new QRadar installations as of 7.2.7 and forward utilize our new, highly efficient
compression mechanism for all stored data.
Lazy Search
• Lazy Search is a new Quick Search capability introduced in QRadar 7.2.7 that is optimized for more tactical use cases such as threat hunting or IOC searching.
- Retrieves the first (up to) 1000 results matching the filter criteria and returns those immediately to the user, along with a time series graph showing the distribution of the results over the search timeframe.
- Reduces impact on the deployment by restricting the search to just the indices and not the events/flows themselves. Reduces impact on the network by only returning a subset of the results until the analyst makes the decision that the entire result set is necessary.
• Our SOC manager turns to his most experienced analyst and relays the MD5 for which he needs a report… ASAP! Realizing this is a fire drill, our analyst understands that what is being asked is “have we seen this” so the organization can take appropriate action. Flipping to Quick Search and dropping in the provided MD5, within seconds the analyst has not only the (unfortunate) answer of “Yes”, but also a distribution over time that shows when the outbreak started.
Processing Performance Improvements
•A number of general performance improvements across various aspects of the platform are also
included in 7.2.7
- Hardware Optimization
• QRadar auto tunes to the hardware platform and doesn’t simply match platform to our xx05 or xx28 profile.
• QRadar can now leverage hardware even larger than our own xx28 platform
Processing Performance Improvements
•A number of performance improvements across various parts of the platform are also
included in 7.2.8!
- Assets & Vulnerabilities
• xx28 console now supports 1M assets out of the box, with possible expansion to 3M with tuning (constraint: low number of vulnerabilities). Previously the maximum was 700K assets.
• Supported asset limit does not depend on HA anymore. Prior to 7.2.8 there was a 50% reduction in the number of
assets that could be supported when deployed in HA
• Assets UI query performance is up to 35 times faster. Large dataset UI wait time went from minutes to <10 seconds.
• Manage Vulnerabilities UI query performance is ~2 times faster
- Event/Flow Processing
• Updates to make our usage of the underlying platform more efficient
• Improvements in burst handling, significantly increasing the amount of data we can flood to disk
- Storage efficiency
• ~5% less disk space per event required
- Infrastructure
• Reference data – Efficiency improvements
“Drop” Events before license
• 7.2.6 introduces a license credit for data that is dropped using routing rules. Effectively, users can drop some portion of data that they deem to have little or no value, with these events having a lower usage impact on their EPS license. Data dropped in this fashion will be credited back at 60% to a maximum of 2K EPS.
• Additionally, with this enhancement we have also added a 100% credit back for all system events (system, audit, etc.).
• The “credit” is applied on a per second interval, meaning that any credit computed over a 1 second interval will be applied during the next second.
- For example, on a system licensed to 10000 EPS, if 50 EPS of system traffic is collected over 1 second, the result is an overall license rate of 10050 EPS the next second.
- But on that same system, if there is 1000 EPS of traffic being dropped because of a routing rule, then the overall license rate for the next second will be 10600 EPS.
- However, if there is 4000 EPS of traffic being dropped due to routing, then the EPS credit will top off at 2000 EPS (60% of 4000 = 2400, which is > 2000), resulting in an effective license rate of 12000 EPS the next second.
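A worked version of the credit arithmetic on this slide, added here as an example and not IBM code. It encodes the 60% drop credit with its 2000 EPS cap and the 100% system-event credit, and applies each second's credit to the following second; the licensed rate and the per-second samples are constructed values.

```python
"""Routing-rule license credit as described for QRadar 7.2.6 on this slide.

Added example, not IBM code. Rules taken from the slide: events dropped by a
routing rule are credited back at 60 % up to 2000 EPS, system/audit events are
credited back in full, and a credit computed during one second raises the
effective license rate during the following second.
"""
from dataclasses import dataclass

LICENSED_EPS = 10000         # constructed value, the slide's worked example
DROP_CREDIT_RATE = 0.60      # 60 % of dropped EPS is credited back
DROP_CREDIT_CAP_EPS = 2000   # never more than 2K EPS of drop credit
SYSTEM_CREDIT_RATE = 1.00    # system/audit events credited back at 100 %


@dataclass(frozen=True)
class Second:
    """Constructed per-second sample of collected traffic, split by treatment."""
    dropped_eps: int       # discarded by a routing rule before storage
    system_eps: int        # QRadar system and audit events
    other_eps: int = 0     # ordinary events, counted fully against the license


def credit_for(second: Second) -> int:
    """Credit earned during this second; the slide applies it the next second."""
    drop_credit = min(int(second.dropped_eps * DROP_CREDIT_RATE), DROP_CREDIT_CAP_EPS)
    system_credit = int(second.system_eps * SYSTEM_CREDIT_RATE)
    return drop_credit + system_credit


def effective_license_rates(seconds, licensed_eps=LICENSED_EPS):
    """Effective license rate per second: base license plus last second's credit."""
    rates = []
    carried_credit = 0            # nothing has been earned before the first second
    for second in seconds:
        rates.append(licensed_eps + carried_credit)
        carried_credit = credit_for(second)   # becomes visible one second later
    return rates


if __name__ == "__main__":
    # The slide's three cases in sequence, followed by a quiet second.
    samples = [Second(dropped_eps=0, system_eps=50),
               Second(dropped_eps=1000, system_eps=0),
               Second(dropped_eps=4000, system_eps=0),
               Second(dropped_eps=0, system_eps=0)]
    for i, (s, rate) in enumerate(zip(samples, effective_license_rates(samples))):
        print(f"second {i}: effective rate {rate} EPS, credit earned {credit_for(s)}")
```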
Per Log Source EPS Reporting
• Log Source EPS Reporting lists the average EPS for each log source on both the Log
Source screen as well as in our Log Source reports, allowing users/administrators to
quickly identify “noisy” or “expensive” log sources as well as highlight potential
configuration issues with log sources that are failing to report
Say Goodbye to many complex steps with our new DSM Editor
AQL Enhancements
AQL Enhancements – Conditional Logic
• Two forms of conditional logic grammar have been added to AQL in 7.2.7, IF/THEN/ELSE and CASE.
- The first form, IF/THEN/ELSE, allows users to perform simple conditional evaluation based on the condition contained within the IF.
• Example: A user wants to query the user associated with all events but realizes that the events may not contain the necessary user information, so they decide to leverage the Asset database to fill in the gaps if possible.
- The second form, CASE, allows users to perform similar logic to IF/THEN/ELSE except with more conditional comparisons.
• Example: A user may want to expand the response code from a set of BlueCoat Proxy Logs:
select case "BCReponseCode" when 200 then 'OK' when 404 then 'Not Found' when 401 then 'Not Authorized' else 'N/A' end from events where LOGSOURCETYPENAME(devicetype) ilike '%bluecoat%' last 2 days
AQL Enhancements – Sub Select (Nested Queries)
• 7.2.8 introduces the concept of sub-select or “nested queries”. With this technique of building queries, the user breaks up more complex concepts into pieces and then combines these simple fragments into larger queries.
Step 1: Locate all potential Patient 0 hosts within the organization’s network (diagram: Potential Infection, Patient 0, C&C Servers).
AQL Support for Bitwise Operators
Other News
Section:
Available Products to highlight
IBM #QRADAR
Statistics shown: insider data breaches; perpetrators take data and go work for competitors; 1M anticipated shortfall by 2020.
Design principles for IBM QRadar UBA
• Streamline investigation of offences
QRadar User Behavior Analytics
STREAMLINED INCIDENT INVESTIGATIONS: immediate insights into risky user behaviors, action and activity history
SOC analysts need help sensing behavioral deviations over time
• More data being transferred than normal to and from servers and/or external locations (compared over a large window and a small window)
User Behavior Analysis (UBA)
UBA Scenarios:
- Cloud server connection: user connects to a cloud server or a personal account on Box and tries to upload a sensitive file
- Increase in data transferred to file sharing
- Frequency of privilege revocation rates
- User login time/space disagreements
- User is an outlier within their peer group
- First time access of high-value systems
- First time network access or first-time usage
- Using rarely used privileges
- Access high-value assets: user starts accessing and downloading high-value assets with increased frequency
- Usage of an account changes significantly over time
- User accessing more data from high-value systems than normal
- Communicating with malicious sources on the internet
- Account usage from an unusual location
- Account usage at unusual times
- Entitlement anomaly or user role change
- Usage changes over time: user activity deviates from normal over a short period of time, or a gradual change over an extended period of time
- Higher than normal high-value assets or server access
- User HR risk score or flight risk
- Change in account privileges
- Excessive, suspicious http activity
Compromised credentials or malware detection
UBA Scenarios:
- Access frequency of an account
- Usage frequency of an account
- Usage of a canceled, suspended or blocked user account
- Login failures
- Abnormal change in account usage/behavior
- Assess frequency of assets: user’s volume of activity suddenly spikes or access to a number of assets increases rapidly
- Using rarely used privileges
- Access VPN from unusual location or times
- Excessive, suspicious http activity
- Usage deviates from peer group: user pattern of activity starts deviating from the peer group
- Account usage deviating from peer groups
- Internet communication with malicious sources
- Accessing infrastructure from unusual location
- Account usage at unusual times
- Dormant account accessing important assets
- Logins from multiple devices, multiple places
- Higher than normal high-value assets or server access
- Change in account privileges: user attempts to change privileges on existing account or open new accounts on other systems
- Change in privileges
- Accessing from a jump account or a Tor server
- Detect unmanaged accounts
Monitor intellectual property
UBA Scenarios:
- Application misuse by invalid sequence of actions: user performs a sequence of actions which no other user is performing
- Anomaly in activity in an application
- Anomaly in accessing applications
- Application misuse – HTTP request
- Application misuse – session replaced
- Application misuse – sequence
- Application misuse – response parameters
- Dormant account accessing important assets
- Abnormal asset access from a specific device
- Sensitive data leakage: user manipulates http request/response parameter to download sensitive data
- Remote access hole in corporate firewall
- Device is used in a recent offense
- Exfiltration of data
- Application misuse by malware or bots: a bot or malware attacks an application or accesses sensitive data
- Large data movements
- Monitor high value assets
- Device type change
Increase Analysts’ productivity
UBA Scenarios:
- Interface to quickly add new data, log sources
- Add users to various watch lists
- Multiple watch lists
- Ability to customize dashboard
- Dynamic adjustment of risk scores by specific criteria: dynamically adjust the risk score of rules when triggered against particular user or users
- Add notes and alerts by user or groups
- Activate rules for a specified period or condition
- Activate rules for a specific condition or time: activate rules for a set of users until a specified condition or specified time window
- Peer group profiles and trends
- Integrate UBA panels in QRadar dashboard: monitor desired elements of users’ behaviors, risks and trends from a single screen
- UI to quickly create rules for custom use cases
- Adjust user risk score manually or override system
- Modify risk score rating of user based on specific condition
- What-if simulation of policy changes or actions
- Dynamic adjustment to risk score of users
- Auto discovery and classification of Assets
- Auto discovery and classification of Users
- Guidance to optimize, reduce risks
IBM QRadar UBA 2.0
§ Machine Learning algorithms
§ Flow based use cases that leverage QNI
IBM QRadar UBA: Detecting anomalous deviations
IBM QRadar UBA: Machine Learning algorithms
“Deviations from normal behavior”
Integrated view helps you see before you can stop insider threats
Security Operations and Response together with Information Risk and Protection (Guardium, Identity Governance and Access, Key Manager, Privileged Identity Manager, AppScan, Cloud Identity Service, zSecure, Cloud Security).
Example - Extending UBA with Flow data
Example - Extending QVM/QRM with UBA data
Integrated workflow to act on insider threats
Inputs (security devices, data activity, application activity, configuration information) feed the QRadar Analytics Platform (Sense Analytics™, user behavior analysis) and the Resilient Incident Response Platform.
Advantages of an integrated UBA app
SOC analysts gain speed from user behavior analytics
…in the hunt to reduce risks and eliminate threats
UBA 2.0 with Machine Learning - https://www.youtube.com/watch?v=RgF1RztR1yg
(Old) UBA 1.1 - https://www.youtube.com/watch?v=1udzWWvBhMI&list=PLHh9jhztlMyokc0Snr9orpkNt4RTwd60T
User Behaviour Analytics 2.0 with Machine Learning
QRadar Network Insight
http://w3.tap.ibm.com/medialibrary/media_view?id=404767
Taking flow analysis to the next level
Incident Detection
QRadar Network Insights will also let you know if suspect items or topics of interest were discussed at any time during the conversation.
QFlow provides all the benefits of network flows but will also recognize layer 7 applications and allows you to capture the beginning of the conversation.
Flow options
Options compared: network flow from routers/switches; QFlow Collector software; XGS appliance; QRadar Network Insights appliance.
- Includes basic network traffic info: Yes for all four.
- Deployment modes: TAP / SPAN port for all four; the XGS appliance also in-line.
- Speed: varies (routers/switches); depends on underlying hardware used (QFlow Collector software); 400 Mbps – 25 Gbps per appliance, stackable (XGS appliance); 3.5 Gbps – 10 Gbps (QRadar Network Insights appliance).
Providing complete coverage and threat detection
Coverage diagram: a Network Tap feeds QRadar Network Insights and QRadar Network Packet Capture, supporting Root Cause Analysis.
Metadata extraction and threat hunting with
QRadar Network Insights
Bringing visibility to today’s cyber security challenges
QRadar QNI – Leaving nowhere to hide
Answering the important questions (basic, enriched and advanced levels):
• Who is talking to whom?
• What files and data are being exchanged?
• Do they look malicious?
• Do they contain any important or sensitive data?
• Is this malicious application use?
• Is this new threat on my network?
• If so, where is it and what did it do?
High Value Threat Detection and Compliance Use Cases
Threat Hunting by leveraging STIX-TAXII
Feed QRadar User Behaviour Analytics with network data
Phishing and Spam
- SANS Institute
Capabilities shown (advanced): embedded scripts in attachments; hunting for others who received the e-mail; e-mail subject lines; e-mail field analysis.
Detect phishing e-mails before the e-mail
Malware detection
Malware is pervasive
- lookingglasscyber.com
Capabilities shown (enriched, advanced): file hash threat intelligence correlation; DNS system abuse; embedded script detection; suspect content detection.
No file goes unnoticed
Data exfiltration
Find Insider Threats
Exposure to Insider Risk
“55% of all attacks were carried out by malicious insiders or inadvertent inside actors.”
- IBM 2015 Cyber Security Intelligence Index
“Insider risk can be more than a threat to IT systems or data loss – it can result in physical harm or sabotage.”
- Carnegie Mellon SEI
Capabilities shown (basic, enriched, advanced): who is talking to whom; anomalous DNS queries; e-mail subject lines; interaction with malicious sources; crown jewel comms; abnormal Internet-bound data transfer; PI data detection; e-mail content; web site content.
Zero-day threat detection
Rate of new Zero-Day threats is increasing
“Zero-Day Discoveries A Once-A-Week Habit”
- Dark Reading
Capabilities shown (basic, enriched, advanced): HTTP headers; IP reputation; new application connections; DNS beaconing.
1920 & 1901 Performance summary and deployment guidance
QNI provides deeper analysis of network data to extend QRadar’s detection capabilities
Appliance form factor architected to maximize performance and minimize costs for QRadar Network Insights
deployments
• Hardware configuration optimized to reduce costs and facilitate in-memory processing
• 10G connectivity with 4 ports available
• Configurable flow forwarding capability enables load-balancing across multiple appliances (1920)
Capability summary
• Unparalleled real time visibility covering blind spots and complexities in log data and revealing previously hidden threats and malicious behaviors
• Enables far greater and easier attack visibility from malware infiltration, lateral movement and data exfiltration within an organization
• Tightly integrated with QRadar Incident Forensics for post incident investigations and threat hunting activities
• Seamless integration across the QRadar platform:
̶ Extends QRadar flow capabilities
̶ QNI analysis fuels QRadar capabilities, content and Apps
̶ Derives sense events for User Behavior Analytics for improved insider risk assessments
• Scalable to meet any analytics demands
Resilient
IR challenges: what we hear most often
• Skills shortage
• Confusing regulatory landscape
Diagram: Resilient’s Incident Response Platform at the center; inputs from products (App Forensics logs, F/W logs, DHCP logs, malware, web gateway, passive DNS) through manually invoked enrichment and automatic enrichment; manually invoked remediation through Identity Management and Vulnerability Management.
Demo
QRadar Advisor with Watson
BRINGING THE POWER OF COGNITIVE SECURITY TO THE SECURITY ANALYST
“There is a massive amount of noise out there; the human brain can’t process everything on a day-to-day basis. We need something to help, something like AI or cognitive technologies.”
Chad Holmes – Principal and Cyber-Strategy, Technology and Growth Leader (CTO) at Ernst & Young LLP
to ignore 50% or more security alerts because they can’t keep up with volume
Examples include:
• Research documents
• Industry publications
• Forensic information
• Threat intelligence commentary
• Conference presentations
• Analyst reports
• Webpages
• Wikis
• Blogs
• News sources
• Newsletters
• Tweets
Gain local context leading to the incident
• Review the incident data (events / flows that made up that incident)
• Review the outlying events for anything interesting (e.g., domains, MD5s, etc.)
• Pivot on the data to find outliers (e.g., unusual domains, IPs, file access)
• Expand your search to capture more data around that incident
Gather the threat research, develop expertise
• Search for these outliers / indicators using X-Force Exchange + Google + Virus Total + your favorite tools
• Discover new malware is at play
• Get the name of the malware
• Gather IOC (indicators of compromise) from additional web searches
Apply the intelligence and investigate the incident
• Investigate gathered IOC locally (take these newly found IOCs from the internet and search for them back in a SIEM)
• Find other internal IPs that are potentially infected with the same Malware
• Qualify the incident based on insights gathered from threat research
• Start another investigation around each of these IPs
Machine Learning / Natural Language Processing extracts and annotates collected data.
Time consuming threat analysis: there’s got to be an easier way!
1. Offenses: QRadar Offense with correlated enterprise data context and equivalency relationships
2. Gains local context and forms threat research strategy
3. Observables
• QRadar Watson Advisor references the Network Hierarchy defined in QRadar
• QRadar Administrator can control which types of observables are sent in the QRadar Watson Advisor administration page
• QRadar Administrator can select which custom properties are mapped to observable types
• Only external URLs, domains, IPs, ports and asn values are sent to Watson for Cyber Security
• After an investigation, all observables sent to Watson for Cyber Security are destroyed, and the results of the investigation are also not persisted in the cloud
• Watson for Cyber Security does not track the IPs or the specific instance of QRadar Watson Advisor submitting the investigation requests, to preserve anonymity
• Observables are sent via an encrypted channel to Watson for Cyber Security
• Watson for Cyber Security isolates each customer’s offense investigation
• Watson for Cyber Security can only be accessed by authorized QRadar Watson Advisor apps
Observable types, with the Yes/No flag shown on the slide:
- File Hash: hash value of a file that is deemed suspicious (Yes)
- URL: external URLs that appear in an offense (Yes)
- Domain: external domains that appear in an offense (Yes)
- Destination Port: destination ports belonging to destination IPs (No)
- User Agent: the user agent identified by a browser or HTTP application (No)
- AV Signature: malware signatures identified by antivirus solutions (No)
- Destination Country: name of the destination country of outbound communications (No)
- Source Country: name of source country of inbound communications (No)
- Low Level Category: low level QRadar offense category (No)
- High Level Category: high level QRadar offense category (No)
- Direction: direction of communication (No)
- User name: aliases that may attempt to access critical internal infrastructure (No)
Actions: BigFix (patch, vulnerabilities); i2 QRadar Cyber Investigations (threat actor, campaigns, domains, IPs, hash, emails, filenames, vulnerabilities); IAM (alter user entitlements); other actions (…).
https://exchange.xforce.ibmcloud.com/hub/extension/d35eae95160f59d79ca71683e2c72448
We build statistical models of behavior for each user, and identify times of unusually high activity generally or in specific categories of events.
By monitoring user activity we can identify abstract roles a user has. Each color above represents a different role. Deviation from these abstract roles appears as dips or hills in users’ Role Distribution, allowing analysts to easily identify aberrant behavior that might not necessarily correspond with an increase in activity.
This analytic models the instant user activity starts, with the expectation that normal user activity will be relatively uniform across the seconds in a minute and the minutes in an hour. Unusual activity will manifest as repeated activity at regular intervals, indicated as hotspots (darker areas) above.
A user’s peer group can be identified using abstract roles or a defined set of roles. We can then leverage the user activity to identify changes in a peer group. This is identified in the dark bands above. Dark red indicates a preponderance of new peers, dark black missing peers.
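An added example (not IBM’s implementation) of the uniformity idea described above: bin a user’s event timestamps by second-of-minute and minute-of-hour and flag bins holding several times the uniform expectation. The threshold factor, the minimum event count and the two constructed samples are this example’s own assumptions.

```python
"""Hotspot check for regularly repeating user activity.

Added example, not IBM code. The slide says normal user activity should be
roughly uniform across the seconds of a minute and the minutes of an hour,
and that scripted activity shows up as hotspots at regular intervals. The
binning, the 3x-expectation threshold and the sample data are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta

BASE = datetime(2017, 7, 10, 9, 0, 0)   # constructed start time (the deck's date)


def bin_by_position(timestamps, field):
    """Count events per second-of-minute (field="second") or minute-of-hour (field="minute")."""
    counts = Counter(getattr(t, field) for t in timestamps)
    return [counts.get(i, 0) for i in range(60)]


def hotspots(bins, factor=3.0):
    """Indices of bins holding more than `factor` times the uniform expectation."""
    total = sum(bins)
    if total == 0:
        return []
    expected = total / len(bins)
    return [i for i, count in enumerate(bins) if count > factor * expected]


def looks_automated(timestamps, factor=3.0, min_events=20):
    """True when either binning shows hotspots; small samples are not judged."""
    if len(timestamps) < min_events:
        return False
    by_second = hotspots(bin_by_position(timestamps, "second"), factor)
    by_minute = hotspots(bin_by_position(timestamps, "minute"), factor)
    return bool(by_second) or bool(by_minute)


def human_sample(n=60):
    """Constructed: n events spread over the hour with no regular cadence."""
    return [BASE + timedelta(minutes=(i * 11) % 60, seconds=(i * 37) % 60) for i in range(n)]


def scripted_sample(n=60):
    """Constructed: one event every 15 seconds, the cadence of a script or beacon."""
    return [BASE + timedelta(seconds=15 * i) for i in range(n)]


if __name__ == "__main__":
    for name, sample in (("human", human_sample()), ("scripted", scripted_sample())):
        print(name, "second hotspots:", hotspots(bin_by_position(sample, "second")),
              "automated:", looks_automated(sample))
```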
Documentation:
https://www.ibm.com/support/knowledgecenter/
Support:
Support Escalation Process - https://www-947.ibm.com/support/servicerequest/Home.action
RFE - http://www-01.ibm.com/support/docview.wss?uid=swg21641764
FixCentral - https://www.ibm.com/support/fixcentral
Enablement:
YouTube Channel:
https://www.youtube.com/user/IBMSecuritySupport?nohtml5=False
Jose Bravo - https://www.youtube.com/user/jbravovideos/videos?nohtml5=False
Mike Winkler - https://www.youtube.com/channel/UCHuSAo7fqTIvDziOqac6XYg
Twitter - https://twitter.com/AskIBMSecurity
SecurityIntelligence.com - http://securityintelligence.com/
Enablement:
Self Paced QRadar Virtual Enablement sessions:
Security Intelligence QRadar Understanding and Using Rules - http://ibm.biz/Bdrk7K
Understanding and using QRadar Vulnerability Manager - http://ibm.biz/Bdrk7m
Support:
dwAnswer: https://ibm.biz/qradarforums
https://developer.ibm.com/answers/questions/ask/?topics=qradar
QRadar Support KnowledgeBase - http://ibm.biz/qradarknowledge
Technotes relevant to QRadar - http://www-01.ibm.com/support/docview.wss?uid=swg21984857
Demo:
https://www-01.ibm.com/marketing/iwm/iwm/web/reg/directDownload.do?source=partnerworld&FILE=pw/misc/qradar_demo_setup_script.tar
THANK YOU
FOLLOW US ON:
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2017. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
SEP03413-USEN-01
NEXT STEPS!!!