security management 2.5: replacing your siem yet?

IBM Security Systems. Exclusive Analyst Webinar: Security Management 2.5: Replacing Your SIEM Yet? April 2nd 2014. © 2014 IBM Corporation. IBM Confidential.

Post on 14-Sep-2014


DESCRIPTION

Mike Rothman, Analyst and President of Securosis, will provide insight into Securosis' latest research paper, “Security Management 2.5: Replacing Your SIEM Yet?”. He will show what organizations now require from their SIEM solution and why malware/threat detection and emerging technology (e.g. cloud and mobile) mean that it is no longer simply about ticking the compliance box. Supporting Mike will be Chris Meenan, IBM Security QRadar Senior Product Manager, who will discuss how IBM Security is adapting to these findings and the parts of the QRadar platform, including the new incident forensics solution, that help organizations stay one step ahead of the threat. View the full on-demand webcast: https://www2.gotomeeting.com/register/159478066

TRANSCRIPT

Page 1: Security Management 2.5: Replacing Your SIEM Yet?

IBM Security Systems

Exclusive Analyst Webinar: Security Management 2.5: Replacing Your SIEM Yet?

April 2nd 2014

Page 2: Security Management 2.5: Replacing Your SIEM Yet?


Speakers

Mike Rothman, Securosis, President

[email protected]

Twitter: @securityincite

Chris Meenan, IBM Security Systems, QRadar Product Manager

[email protected]

Twitter: @chris_meenan

Page 3: Security Management 2.5: Replacing Your SIEM Yet?


Agenda

• Security Management 2.5 findings

  1. Changing Needs

  2. Platform Evolution

  3. Revisiting Requirements

  4. The Rise of Forensics

  5. Vendor Evaluation

  6. Decision Process

• How the IBM Security Intelligence QRadar Platform helps to answer these findings

• Q&A

Page 4: Security Management 2.5: Replacing Your SIEM Yet?


Security Management 2.5: SIEM Replacement Analysis

Download the report: http://ibm.co/1luGpl6

Page 5: Security Management 2.5: Replacing Your SIEM Yet?

Why now?

• Advanced Adversaries

  • Malware detection

  • Better analytics

• Technology Disruption

  • Cloud

  • Mobile

Page 6: Security Management 2.5: Replacing Your SIEM Yet?

Changing Needs

• More Data: To drive deeper analysis

  • Requires enhanced speed, scale and accuracy

• More Flexibility: Support more use cases — like forensics

• Threat Intelligence: Benefit from the misfortune of others

• Skills Gap: Better automation and efficiency

https://flic.kr/p/dcZaG7

Page 7: Security Management 2.5: Replacing Your SIEM Yet?

Platform Evolution

Page 8: Security Management 2.5: Replacing Your SIEM Yet?

Architectural Evolution

• Distributed architecture

  • Cooperative cluster for independently collecting, digesting and processing events

  • Processing events closer to the data

  • Better supports cloud and virtualization

Page 9: Security Management 2.5: Replacing Your SIEM Yet?

Usability Enhancement

• Event/Log enrichment

• Contextual data

• Reporting

• Visualization

• *Real* centralized management

Page 10: Security Management 2.5: Replacing Your SIEM Yet?

Additional Capabilities

• Enhanced Visibility

  • More and Better Data

  • Better Analysis

  • Better Visualization

• Decreased Time to Value — Out of the box

• Hybrid Deployments — On-Prem, In Cloud, Managed Services

Page 11: Security Management 2.5: Replacing Your SIEM Yet?

Revisiting Requirements

Page 12: Security Management 2.5: Replacing Your SIEM Yet?

Understanding Your Requirements

Page 13: Security Management 2.5: Replacing Your SIEM Yet?

Evaluating the Incumbent

Page 14: Security Management 2.5: Replacing Your SIEM Yet?

How well does your SIEM work?

• Relative to your requirements, evaluate:

  • Ability to perform important use cases

  • Current performance and architecture to support required scale

  • Analytics (now and future needs)

  • Simplicity in maintenance/tuning

• Identify weaknesses/omissions

Page 15: Security Management 2.5: Replacing Your SIEM Yet?

Lather-Rinse-Repeat

• Goal is to understand what works and what does not

• Build complete story

• Need to remain objective

Page 16: Security Management 2.5: Replacing Your SIEM Yet?

Forensic Use Case

• Find root cause analysis

• Packet capture

• Advanced Searching

• Evidence handling (chain of custody)

https://flic.kr/p/aokto

Page 17: Security Management 2.5: Replacing Your SIEM Yet?

Security Analytics Use Case

• Old SIEM required you to know what to look for and build the rules ahead of time.

• Analytics provides the ability to look at disparate data sources and find patterns

• Beware of big data mumbo jumbo — Underlying technology not important

• Key Features

  • Flexibility critical to support many types of analysis

  • Ability to add new data types

  • Accuracy

  • Visualization and Reporting

Page 18: Security Management 2.5: Replacing Your SIEM Yet?

Vendor Evaluation

Page 19: Security Management 2.5: Replacing Your SIEM Yet?

What else is available?

• Given your requirements:

  • Familiarize yourself with vendors

  • Create RFI/RFP

  • Create ‘short list’ for eval

  • Evaluate based on weighted requirements

  • Select vendors for PoC

Page 20: Security Management 2.5: Replacing Your SIEM Yet?

Driving the PoC

• Define real tests

• Stand it up and try it out!

• Red team — test it under fire

• Perform Post-Mortem

• Repeat

Page 21: Security Management 2.5: Replacing Your SIEM Yet?

Decision Process

Page 22: Security Management 2.5: Replacing Your SIEM Yet?

Introspection time

• Did you fairly evaluate the incumbent?

• Are your expectations realistic?

• Is there really budget for a replacement?

Page 23: Security Management 2.5: Replacing Your SIEM Yet?

Supporting Documentation

• You will not get the funding w/o proper documentation

• The documentation is what supports your case to upper management

• Clarity of intent and objectivity are critical

Page 24: Security Management 2.5: Replacing Your SIEM Yet?

What to document

• Requirements

• Evaluation of Incumbent

• Challenger assessment

• Cost estimate

• Migration plan

• Recommendation

https://flic.kr/p/5WMZ2M

Page 25: Security Management 2.5: Replacing Your SIEM Yet?

Summary

• Understand your requirements

• Understand current deficiencies

• Critically evaluate incumbent & challengers

• Read the report for more information on documenting and making your case

https://flic.kr/p/5vKanE

Page 26: Security Management 2.5: Replacing Your SIEM Yet?


IBM Security Intelligence QRadar Platform

Page 27: Security Management 2.5: Replacing Your SIEM Yet?

IBM QRadar Security Intelligence Platform: providing actionable intelligence

• AUTOMATED: Driving simplicity and accelerating time-to-value

• INTEGRATED: Unified architecture delivered in a single console

• INTELLIGENT: Correlation, analysis and massive data reduction

Page 28: Security Management 2.5: Replacing Your SIEM Yet?

Consolidation and integration help reduce costs and increase visibility

[Figure: the IBM QRadar Security Intelligence Platform consolidating Logs, Events, Flows, Configurations, Vulnerabilities and Packets (big data consolidation of all available security information). The contrast shown is Traditional SIEM, where 6 products from 6 vendors are needed, versus IBM Security Intelligence and Analytics.]

Page 29: Security Management 2.5: Replacing Your SIEM Yet?

Technology additions strengthen QRadar Security Intelligence

[Figure: platform evolution based on client needs, plotted as Client Needs against time (2002 – 2005, 2006 – 2007, 2008 – 2009, 2010 – 2011, 2012 – 2013, 2014, Future), with the IBM acquisition marked. Capability boxes on the timeline:]

• Security Intelligence .NEXT

• Network Forensics: Incident forensics and packet captures

• Vulnerability Management: Real-time vulnerability scanning and vulnerability prioritizations

• Risk Management: Configuration analysis, policy monitoring, and risk assessment

• Log Management: Identity management, complete log management, and compliance reporting

• SIEM: SIM and VA integration

• Flow Visualization and NBAD: Anomaly detection and threat resolution

Page 30: Security Management 2.5: Replacing Your SIEM Yet?

[Figure: QRadar Security Intelligence capability modules]

• Log Management

• Security Intelligence

• Network Activity Monitoring

• Risk Management

• Vulnerability Management

• Network Forensics

Page 31: Security Management 2.5: Replacing Your SIEM Yet?

Embedded intelligence offers automated offense identification

Extensive Data Sources:

• Servers and mainframes

• Data activity

• Network and virtual activity

• Application activity

• Configuration information

• Security devices

• Users and identities

• Vulnerabilities and threats

• Global threat intelligence

Embedded Intelligence (Automated Offense Identification: Suspected Incidents → Prioritized Incidents):

• Massive data reduction

• Automated data collection, asset discovery and profiling

• Automated, real-time, and integrated analytics

• Activity baselining and anomaly detection

• Out-of-the box rules and templates
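The slides name three mechanisms without showing them: event/log enrichment with contextual data (Page 9), the contrast between rules written ahead of time and analytics that finds patterns (Page 17), and activity baselining, anomaly detection and data reduction into prioritized offenses (this slide). The following Python is an added example written for this page; it is not QRadar code and not from the webinar authors. Every log line, the asset inventory, the identity directory and the baseline counts are constructed for the example, and the field names, scoring weights and the `mean + k * stddev` threshold are assumptions chosen for illustration.

```python
"""Toy SIEM pipeline: parse, enrich with asset/identity context, apply one
pre-written rule plus a per-user baseline, and reduce the matching events to
one prioritized offense per (user, source). All data below is constructed."""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample log lines in a simple key=value format (not real data).
SAMPLE_LOGS = [
    "2014-04-02T09:00:01 host=web01 user=alice src=10.0.1.15 result=success",
    "2014-04-02T09:05:12 host=web01 user=alice src=10.0.1.15 result=fail",
    "2014-04-02T09:07:44 host=db01 user=bob src=10.0.2.9 result=fail",
    "2014-04-02T09:08:01 host=db01 user=bob src=10.0.2.9 result=success",
    "2014-04-02T22:31:09 host=db01 user=svc_backup src=203.0.113.7 result=fail",
    "2014-04-02T22:31:15 host=db01 user=svc_backup src=203.0.113.7 result=fail",
    "2014-04-02T22:31:22 host=db01 user=svc_backup src=203.0.113.7 result=fail",
    "2014-04-02T22:31:30 host=db01 user=svc_backup src=203.0.113.7 result=fail",
    "2014-04-02T22:31:41 host=db01 user=svc_backup src=203.0.113.7 result=success",
    "this line is deliberately malformed and must be dropped by the parser",
]
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>\S+)$")

# Constructed contextual data: an asset inventory and an identity directory.
ASSETS = {"web01": {"criticality": 2, "owner": "webteam"},
          "db01": {"criticality": 5, "owner": "dba"}}
IDENTITIES = {"alice": {"dept": "marketing", "privileged": False},
              "bob": {"dept": "dba", "privileged": True},
              "svc_backup": {"dept": "ops", "privileged": True}}
INTERNAL_PREFIXES = ("10.", "192.168.")  # assumed corporate address space

# Constructed baseline: failed logins per user on each of the previous 5 days.
BASELINE_FAILS = {"alice": [0, 1, 0, 0, 1], "bob": [1, 2, 1, 1, 2],
                  "svc_backup": [0, 0, 0, 0, 0]}


def parse(line):
    """Return the event fields as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def enrich(event):
    """Attach asset and identity context so rules can reason about risk, not
    just raw strings; unknown hosts/users get low-confidence defaults."""
    asset = ASSETS.get(event["host"], {"criticality": 1, "owner": "unknown"})
    ident = IDENTITIES.get(event["user"], {"dept": "unknown", "privileged": False})
    return {**event,
            **{"asset_" + k: v for k, v in asset.items()},
            **{"user_" + k: v for k, v in ident.items()},
            "src_internal": event["src"].startswith(INTERNAL_PREFIXES)}


def rule_external_privileged(event):
    """Pre-written correlation rule: a privileged account used from outside."""
    return event["user_privileged"] and not event["src_internal"]


def anomalous_users(events, baseline, k=2.0, floor=3.0):
    """Baseline check: flag users whose failed-login count exceeds
    mean + k*stddev of their history. The floor keeps a perfectly quiet
    baseline (stddev 0) from alerting on a single failure."""
    today = Counter(e["user"] for e in events if e["result"] == "fail")
    flagged = {}
    for user, count in today.items():
        hist = baseline.get(user, [0])
        threshold = max(floor, mean(hist) + k * pstdev(hist))
        if count > threshold:
            flagged[user] = (count, threshold)
    return flagged


def build_offenses(lines, baseline=BASELINE_FAILS):
    """Parse, enrich, apply rule and baseline, then reduce the matching events
    to one offense per (user, src), scored by asset criticality and privilege."""
    events = [enrich(e) for e in (parse(l) for l in lines) if e]
    anomalies = anomalous_users(events, baseline)
    offenses = {}
    for e in events:
        reasons = []
        if rule_external_privileged(e):
            reasons.append("rule:external_privileged")
        if e["user"] in anomalies and e["result"] == "fail":
            reasons.append("anomaly:failed_logins")
        if not reasons:
            continue  # data reduction: unremarkable events never become offenses
        off = offenses.setdefault((e["user"], e["src"]), {
            "user": e["user"], "src": e["src"], "events": 0,
            "reasons": set(), "score": 0})
        off["events"] += 1
        off["reasons"].update(reasons)
        weight = 2 if e["user_privileged"] else 1
        off["score"] = max(off["score"], e["asset_criticality"] * weight)
    return sorted(offenses.values(), key=lambda o: o["score"], reverse=True)


if __name__ == "__main__":
    for off in build_offenses(SAMPLE_LOGS):
        print(off)
```

Run stand-alone, the nine parsable events collapse into a single offense for `svc_backup` from `203.0.113.7`: the static rule fires because a privileged account is used from outside the assumed address space, and the baseline fires because four failures in one day exceed a history of zero. The design point is the one the slides make: the rule had to be anticipated, while the baseline catches a change in behaviour the analyst did not write a rule for, and enrichment is what lets the score reflect that the target is a critical database rather than a web front end.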

Page 32: Security Management 2.5: Replacing Your SIEM Yet?

Extend clarity around incidents with in-depth forensics data

Embedded Intelligence: Suspected Incidents → Prioritized Incidents

Directed Forensics Investigations:

• Rapidly reduce time to resolution through intuitive forensic workflow

• Use intuition more than technical training

• Determine root cause and prevent re-occurrences

Page 33: Security Management 2.5: Replacing Your SIEM Yet?


Visit IBM Security: www.ibm.com/security

Learn more:

Download the Securosis paper: http://ibm.co/1luGpl6

Read: http://securosis.com/blog

Attend our webcast on QRadar Incident Forensics, 15th April: http://ibm.co/QRIF

Page 34: Security Management 2.5: Replacing Your SIEM Yet?

Thank You. Any Questions?

Page 35: Security Management 2.5: Replacing Your SIEM Yet?


www.ibm.com/security

© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.