DSS and Security Intelligence @IBM_Connect_2014_April
DESCRIPTION
DSS participated in this year's "IBM Connect" event organized by IBM's regional VAD, ALSO Baltics. DSS spoke about the importance of IT security in the new digital world that is developing. New technologies bring new business opportunities, but they also bring new security threats and risks that have to be considered first.
TRANSCRIPT
Quantify value of IT Security for business
with IBM tools
Andris Soroka
17th of April, 2014
Riga, Latvia
The Saga Begins – Scared vs. Informed
“Data Security Solutions” business card
Specialization – IT Security
IT Security services (consulting, audit, pen-testing, market analysis, system testing and integration, training and technical support)
Solutions and experience portfolio with more than 20 different technologies – cyber-security global market leaders from more than 10 countries
Trusted services provider for banks, insurance companies, government and private companies (critical infrastructure etc.)
Role of DSS in Cyber-security Development in Baltics
Cyber-Security Awareness Raising
Technology and knowledge transfer
Most Innovative Portfolio
Trusted Advisor to its Customers
Cybersecurity Awareness Raising
Own organized conference “DSS ITSEC”: 5th annual event this year (30.10.2014)
More than 400 visitors + more than 250 online live-streaming watchers from LV, EE, LT
4 parallel sessions with more than 40 international speakers, including Microsoft, Oracle, Symantec, IBM, Samsung and many more – everything free of charge (EVENT.DSS.LV)
Participation in other events & sponsorship: CERT & ISACA conferences & events; RIGA COMM, HeadLight, IBM Pulse Las Vegas; roadshows and events in Latvia / Lithuania / Estonia (f.i. Vilnius Innovation Forum, Devcon, ITSEC HeadLight, SFK, business associations)
Participation in cyber-security discussions, strategy preparation, seminars, publications etc.
Innovations – technology & knowledge transfer
Innovative Technology Transfer: a number of unique projects done with different technology global leadership vendors
Knowledge transfer (own employees, customers – both private & public, other IT companies in LV, EE, LT)
Specialization areas include:
Endpoint Security
Network Security
Security Management
Application Security
Mobile Security
Data Security
Cyber-security
Security Intelligence
Some just basic ideas
AGENDA (hopefully 60mins..)
Introduction of DSS and speaker
Prologue – Digital world & trends
The Saga begins – Cybercrime: introduction & types; the business behind it; examples
Value of Information Security for business: risk management; technology
IBM SIEM, Risk Manager, Forensics: what it is and what for; architecture; use cases
Q&A (if time allows)
Prologue
Prologue: Some new technologies
3D Printers
Google Glasses (“glassh**es”)
Cloud Computing
Big Data & Supercomputers
Mobile Payment & Virtual Money
Robotics and Intraday Deliveries
Internet of Things
Augmented Reality
Extreme development of Apps
Digital prototyping
Gadgets (devices) & Mobility
Technology-replaced jobs (automation)
Geo-location power
Biometrics
Health bands and mHealth
Electric cars
Avegant Glyph
and much, much more
Prologue: Mobility & Gadgets
Multi-OS
Millions of mobile applications
Digital Agenda for European Union
True or fake? In fact this isn’t funny...
Best «success story» describing hackers..
No changes in that perspective
Disaster in software world - NSA
Disaster in technology world - NSA
Governments write malware and exploits (USA started, others follow..)
Cyber espionage
Sabotage
Cyber wars
Infecting own citizens
Surveillance
Known NSA “partners”: Microsoft (incl. Skype), Apple, Adobe, Facebook, Google, many, many others
Internet is changing!!! USA thinks that the internet is their creation and foreign users should think of USA as their masters…
Many countries are in the game now…
Cyberwars going on!
Cybercriminal type #1
“In 2014 each educated employee will have on average 3.3 mobile devices, compared with the average statistic of 2.8 mobile devices in 2013.” 1
Cybercriminal type #2 – Monetary driven
Types of cybercriminals (cont.)
Black market figures
Hacking business services...
Current prices on the Russian underground market:
Hacking corporate mailbox: $500
Winlocker ransomware: $10-$20
Unintelligent exploit bundle: $25
Intelligent exploit bundle: $10-$3,000
Basic crypter (for inserting rogue code into benign file): $10-$30
SOCKS bot (to get around firewalls): $100
Hiring a DDoS attack: $30-$70 / day, $1,200 / month
Botnet: $200 for 2,000 bots
DDoS Botnet: $700
ZeuS source code: $200-$250
Windows rootkit (for installing malicious drivers): $292
Hacking Facebook or Twitter account: $130
Hacking Gmail account: $162
Email spam: $10 per one million emails
Email scam (using customer database): $50-$500 per one million emails
Examples: Advanced Persistent Threat
Mobility & Security...
The Saga Continues: Cybercriminals #2
Weakest link is always the most important
Source: IBM X-Force annual report 2013
Some examples of incidents (DDoS)
Mobility & Security
“In 2014 each educated employee will have on average 3.3 mobile devices, compared with the average statistic of 2.8 mobile devices in 2013.” 1
Examples: Hackers searching tool
Examples: Hackers searching tool
Examples (continued)
Examples: Hacker is watching / listening
Cybercriminal type #3 – Insider
Bright future of the internet way ahead..
1995 – 2005: 1st Decade of the Commercial Internet
2005 – 2015: 2nd Decade of the Commercial Internet
(Chart of threat actors and motives over the two decades)
Actors: Script-kiddies or hackers; Insiders; Organized crime; Competitors, hacktivists; National Security Infrastructure Attack
Motive: Curiosity; Revenge; Monetary Gain; Espionage; Political Activism
Global statistics
Conclusion: The Saga will continue anyway
For many companies security is like salt, people just sprinkle it on top.
Think security first & Where are You here?
Organizations Need an Intelligent View of Their Security Posture
(Maturity chart: axes run from Reactive to Proactive and from Manual to Automated; levels Basic → Proficient → Optimized, leading to Security Intelligence)
Optimized: Organizations use predictive and automated security analytics to drive toward security intelligence
Proficient: Security is layered into the IT fabric and business operations
Basic: Organizations employ perimeter protection, which regulates access and feeds manual reporting
“DSS” is here for You! Just ask for…
Si vis pacem, para bellum. (Lat.: if you want peace, prepare for war.)
IBM Security Intelligence
Extensive Data Sources → Embedded Intelligence (Automated Offense Identification) → Suspected Incidents → Prioritized Incidents
Embedded intelligence offers automated offense identification
Extensive Data Sources:
Servers and mainframes
Data activity
Network and virtual activity
Application activity
Configuration information
Security devices
Users and identities
Vulnerabilities and threats
Global threat intelligence
Embedded Intelligence:
• Massive data reduction
• Automated data collection, asset discovery and profiling
• Automated, real-time, and integrated analytics
• Activity baselining and anomaly detection
• Out-of-the-box rules and templates
Security Intelligence = SIEM+RM+…+….
IBM QRadar Security Intelligence Platform
Big data consolidation of all available security information: logs, events, flows, configurations, vulnerabilities, packets
Traditional SIEM: 6 products from 6 vendors are needed
IBM Security Intelligence and Analytics
Single web-based console provides superior visibility
Log Management
Security Intelligence
Network Activity Monitoring
Risk Management
Vulnerability Management
Network Forensics
Security Intelligence = SIEM+RM+…+….
QRadar Forensics – new one
Log Management
• Turn-key log management and reporting
• SME to Enterprise
• Upgradeable to enterprise SIEM
SIEM
• Log, flow, vulnerability & identity correlation
• Sophisticated asset profiling
• Offense management and workflow
Network Activity & Anomaly Detection
• Network analytics
• Behavioral anomaly detection
• Fully integrated in SIEM
Configuration & Vulnerability Management
• Network security configuration monitoring
• Vulnerability scanning & prioritization
• Predictive threat modeling & simulation
Network and Application Visibility
• Layer 7 application monitoring
• Content capture for deep insight & forensics
• Physical and virtual environments
Scale
• Event Processors
• Network Activity Processors
• High Availability & Disaster Recovery
• Stackable Expansion
QRadar All In One
QRadar Distributed Deployment
SIEM installation – plug&play
Higher capacity / performance support
Basic installation in one week, immediate ROI
Continuous development of features and integration
Biggest IT Security solutions portfolio in today’s Security market
IBM leadership – taking it back
(Chart of competing vendor products: CA DataMinder; Novell Sentinel; Nitro; Fortify, WebInspect; ArcSight; TippingPoint; RSA Access Mgr.; ProtectTools; RSA Live Intelligence System, Team: RSA FirstWatch; OAM, Novell AM, CA SiteMinder; Norton AV, IPS; Symantec Client/Svr. Mgmt. Suite; Symantec DLP Data Theft Protection; DLP; FW, NBA, IPS; Access Rights Reviews; SecureSphere Web App FW; SecureSphere App Virt. Patching FW, IPS; Endpoint Disk Encryption; FW, IPS, AV, Mobile security; FIM)
SIEM Use Cases WordCloud
SIEM Use Cases Definition
Requirements
Scope
Event Sources
Response
Your Use Case
Build YOUR own use case!
React faster
Improve Efficiency
Automate Compliance
Use Cases
Vulnerability Correlation
Suspicious Access Correlation
Flow and Event Combo Correlation
Botnet Application Identity
VMware Flow Analysis
Unidirectional Flows Detection
Vulnerability Reporting
Data Loss Prevention
Double Correlation
Policy and Insider Threat Intelligence (Social Media Use Case)
Use Cases
Detecting Threats or Suspicious Changes in Behaviour
Preventative Alerting and Monitoring
Compliance Monitoring
Client-side vulnerability correlation
Excessive Failed Logins to Compliance Servers
Remote Access from Foreign Country Logons
Communication with Known Hostile Networks
Long Durations
Multi-Vector Attack
Device stopped sending Data (Out of Compliance)
Social Media Intelligence
Problem: Social media is an increasing threat to an organization's policies and network; company employees are the ones most likely to fall victim to social-engineering-based threats, and they serve as entry points for Advanced Persistent Threats.
Solution: Social media monitoring & correlation in real time:
QRadar’s real-time monitoring and correlation of hundreds of social media sites, such as Twitter, Facebook, Gmail, LinkedIn, etc., offers automated application-aware insight and identifies social-media-based threats by user and application.
Social Media Intelligence
With QRadar, you can: identify the source, the destination and the actual corporate credit card number leaked.
With QRadar, you can: identify the user responsible for the data leak.
Data Loss Prevention
Customer Requirement: Customer wants to detect when an employee may be stealing customer contact info in preparation for leaving the company.
Solution: Baseline employee access to CRM. Detect deviations from the norm: 1,000 transactions (access to customer records) vs the normal 50 per day.
BUT… what if the user is tech savvy or has a geek nephew, and makes a single SQL query to the back-end database? Profile network traffic between workstations and the back-end database, or policy shouldn’t allow direct access to the database from workstations.
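As an added illustration (not from the slides or from IBM's product), here is the two-part logic of this use case in Python: a per-user CRM access baseline with a deviation threshold, plus a flow check for the bypass case where a workstation talks straight to the back-end database. The host names, the 5x threshold and the audit records are constructed for the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed daily CRM audit summary: (day, user, customer records accessed).
CRM_ACCESS = [
    ("2014-04-14", "alice", 48), ("2014-04-15", "alice", 52), ("2014-04-16", "alice", 50),
    ("2014-04-17", "alice", 1000),   # the slide's 1,000 vs. a normal 50 per day
    ("2014-04-14", "bob", 45), ("2014-04-15", "bob", 55), ("2014-04-16", "bob", 50),
    ("2014-04-17", "bob", 60),       # slightly above the norm, not an offense
]
BASELINE_DAYS = {"2014-04-14", "2014-04-15", "2014-04-16"}

# Constructed network flows: (source host, destination host, destination port).
FLOWS = [
    ("ws-alice", "crm-app", 443),    # workstation to CRM front end: expected
    ("crm-app", "crm-db", 1521),     # application tier to database: expected
    ("ws-alice", "crm-db", 1521),    # workstation straight to the database
]
DB_HOSTS = {"crm-db"}                # assumed back-end database hosts
APP_TIER = {"crm-app"}               # assumed hosts allowed to talk to the database


def crm_baseline(records, baseline_days):
    """Average customer records accessed per day, per user, over the baseline period."""
    per_user = defaultdict(list)
    for day, user, count in records:
        if day in baseline_days:
            per_user[user].append(count)
    return {user: mean(counts) for user, counts in per_user.items()}


def crm_deviations(records, baseline_days, factor=5):
    """Flag (day, user, count, baseline) where a day's count exceeds factor x the
    user's baseline. factor=5 is an assumed threshold; the slide's case is 20x."""
    base = crm_baseline(records, baseline_days)
    return [
        (day, user, count, base[user])
        for day, user, count in records
        if day not in baseline_days and user in base and count > factor * base[user]
    ]


def direct_db_flows(flows, db_hosts=DB_HOSTS, allowed_clients=APP_TIER):
    """The bypass case: one SQL query from a workstation never shows up in the
    CRM audit counts, so flag flows to the database from any non-app-tier host."""
    return [f for f in flows if f[1] in db_hosts and f[0] not in allowed_clients]


if __name__ == "__main__":
    for day, user, count, base in crm_deviations(CRM_ACCESS, BASELINE_DAYS):
        print(f"{day}: {user} accessed {count} records, baseline {base:.0f}/day")
    for src, dst, port in direct_db_flows(FLOWS):
        print(f"direct database access: {src} -> {dst}:{port}")
```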
Data Loss Prevention
Potential Data Loss? Who? What? Where?
Who? An internal user
What? Oracle data
Where? Gmail
Inadvertent Wrongdoing
A/V Server
Trying to update the entire internet
Issue bubbled to the top of the offense manager immediately post-installation
Problem had existed for months, but was lost in firewall logs.
A/V clients were badly out of date.
System Misconfiguration
QRadar reports remote sources scanning internal SQL servers.
Firewall admin insists QRadar is incorrect – absolutely no inbound SQL traffic permitted.
But … months earlier a user had requested access to the SQL server from outside campus.
Administrator fat-fingered the FW rule and unintentionally allowed SQL access to & from all hosts.
Teleportation
Customer Requirement: Customer wanted to detect users that logged in from IP addresses in different locations simultaneously.
Solution: Create a rule to test for 2 or more logins from VPN or AD from different countries within 15 minutes.
Can be extended to check for a local login within the corporate network and a simultaneous remote login.
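An added example, not from the deck or from QRadar, implementing the rule in Python over constructed VPN/AD login events: two logins by the same user from different locations within 15 minutes raise an offense, and the corporate-network extension is covered by treating "CORP-LAN" as one more location. User names, timestamps and locations are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN/AD login events: (timestamp, user, location).
# In a deployment the location would come from the SIEM's GeoIP lookup of the
# source IP; "CORP-LAN" marks a login from inside the corporate network.
LOGIN_EVENTS = [
    ("2014-04-17 09:00:00", "alice", "LV"),
    ("2014-04-17 09:10:00", "alice", "LV"),        # same country, no offense
    ("2014-04-17 09:12:00", "bob",   "LV"),
    ("2014-04-17 09:20:00", "bob",   "US"),        # 8 minutes later from another country
    ("2014-04-17 10:00:00", "carol", "EE"),
    ("2014-04-17 10:30:00", "carol", "DE"),        # 30 minutes apart: outside the window
    ("2014-04-17 11:00:00", "dave",  "CORP-LAN"),
    ("2014-04-17 11:05:00", "dave",  "FR"),        # local login plus a remote login
]

WINDOW = timedelta(minutes=15)   # the slide's 15-minute rule window


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def teleportation_offenses(events, window=WINDOW):
    """Return (user, earlier_location, later_location, minutes_apart) for every
    pair of logins by one user from different locations within the window."""
    by_user = defaultdict(list)
    for ts, user, location in sorted(events, key=lambda e: parse_ts(e[0])):
        by_user[user].append((parse_ts(ts), location))

    offenses = []
    for user, logins in by_user.items():
        for i, (t_i, loc_i) in enumerate(logins):
            for t_j, loc_j in logins[i + 1:]:
                if t_j - t_i > window:
                    break  # logins are time-ordered, so later ones are further away
                if loc_j != loc_i:
                    minutes = int((t_j - t_i).total_seconds() // 60)
                    offenses.append((user, loc_i, loc_j, minutes))
    return offenses


if __name__ == "__main__":
    for user, a, b, minutes in teleportation_offenses(LOGIN_EVENTS):
        print(f"offense: {user} logged in from {a} and {b} within {minutes} min")
```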
Purell for your VPN
Customer Requirement:
Customer wanted to detect when external systems over the VPN access sensitive servers.
Customer was concerned that an external system could be infected / exploited through split tunneling and infect sensitive internal servers.
Solution: Use the latest VA scan of user systems. Create a BB (building block) of OSVDB IDs of concern. Detect when external systems with vulnerabilities access sensitive servers.
Uninvited Guests
Customer Requirement:
Wants to identify new systems attached to the network. There are active wall jacks throughout the building.
Solution: Set asset database retention to just beyond DHCP lease time (1-2 days): when a user is out of office / on vacation the asset expires; a new machine attaches, the rule alerts.
Flows for real-time detection: no other SIEM can do this.
Can alert on VA import.
In 7.0, can build up a MAC list in reference sets (~2 weeks), then alert when a new MAC appears on the network.
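An added example (not the presenter's or QRadar's code) contrasting the two approaches on the same constructed sightings: expiring assets shortly after the DHCP lease re-alerts on a returning vacationer's laptop, while a MAC reference set learned over two weeks alerts only on the genuinely new device. MAC addresses and dates are constructed.

```python
from datetime import datetime, timedelta

# Constructed sightings (timestamp, MAC) from DHCP lease logs / flows; a
# real deployment would feed these from the SIEM's asset database.
DAY0 = datetime(2014, 4, 1)
SIGHTINGS = (
    [(DAY0 + timedelta(days=d), "aa:aa:aa:aa:aa:01") for d in range(0, 22)]  # always-on desktop
    + [(DAY0 + timedelta(days=d), "aa:aa:aa:aa:aa:02") for d in (0, 1, 20)]  # laptop, owner away days 2-19
    + [(DAY0 + timedelta(days=21), "de:ad:be:ef:00:01")]                     # unknown device on a wall jack
)


def asset_expiry_alerts(sightings, retention=timedelta(days=2)):
    """Approach 1 (asset retention just beyond the DHCP lease): an asset is
    dropped `retention` after its last sighting; any MAC not currently in the
    asset database raises an alert when it shows up."""
    last_seen = {}
    alerts = []
    for ts, mac in sorted(sightings):
        if mac in last_seen and ts - last_seen[mac] > retention:
            del last_seen[mac]              # lease ran out, asset expired
        if mac not in last_seen:
            alerts.append((ts.date().isoformat(), mac))
        last_seen[mac] = ts
    return alerts


def reference_set_alerts(sightings, start=DAY0, learning=timedelta(days=14)):
    """Approach 2 (reference set): record every MAC seen during the learning
    period, then alert once per MAC that appears later and was never learned."""
    reference = set()
    alerted = set()
    alerts = []
    for ts, mac in sorted(sightings):
        if ts - start <= learning:
            reference.add(mac)
        elif mac not in reference and mac not in alerted:
            alerted.add(mac)
            alerts.append((ts.date().isoformat(), mac))
    return alerts


if __name__ == "__main__":
    print("asset expiry:", asset_expiry_alerts(SIGHTINGS))
    print("reference set:", reference_set_alerts(SIGHTINGS))
```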
Policy Violation / Resource Misuse
Customer Requirement:
Detect if there are P2P servers located in the local area network
Communication to known Bot C&C
Customer Requirement:
Detect if any internal system is communicating with a known Bot Command and Control
Forensics of Administrative Change
Customer Requirement:
New user account creation with administrative privileges
System registry change, application installed/uninstalled
Password reset
Service started/stopped
Vulnerability Overview
Customer Requirement:
Generate a weekly report of vulnerabilities
Use Cases Summary
Identify the goal for each event correlation rule (and use case).
Determine the conditions for the alert.
Select the relevant data sources.
Test the rule.
Determine response strategies, and document them.
QRadar latest updates
Increased scalability, best HW in market
Enhanced asset and vulnerability functionality
Centralized license management
Multicultural support (languages)
Improved bar and pie charts on the Dashboard tab
Data obfuscation
Identity and Access Management (IAM) integration
Browser support
Java 7 support
2500+ reports
New “QRadar 2100 Light” appliance for SMBs
New QRadar Forensics appliance
New Data Node Appliances
Think security first