Posted on 14-Jul-2015
© 2015 IBM Corporation
Building a Next-Generation Security Operation Center Based on IBM QRadar and Security Intelligence Concepts
Chris Meenan, IBM Security
Vincent Laurens, Sogeti
Overview
• Cybersecurity threat environment and main challenges
• The true story behind all this
• What is a Security Operations Center (SOC)
• Introducing QRadar and how it can address pragmatic challenges
• Real-life examples and lessons learned
Main challenges for a SOC
SOC Challenges Chain:
• Smooth integration with Processes and Business
• Addressing compliance from multiple angles
• Lack of Skills within the Organization
• Diversity and scale of data to correlate
• Cost effectiveness
Being able to provide our customers the answers they need. Solving, in a high-quality manner, the challenges they have to face.
All these factors MUST become part of the IT comfort zone! Not as straightforward as it seems!
What is a SOC?
Security Operation Centers are indeed… Central Command Centers!
• Performing Security Monitoring of IT systems, of industrial systems and data
• Scanning, vulnerability assessment
• SIEM
• Malware defense – sandboxing
• Security Analytics
• BIG DATA
• GRC … Patch Management … CMDB
• Systems and services integration
• Managed services
• SOCaaS (multi-tenant)
Security Operations can drown in systems
• The “HiFi Separates” approach leads to a situation where enterprises have dozens of individual security tools
• Security teams struggle
• Lack of skills
• Become stove-piped themselves
• Overly dependent on a single tool which has limited visibility and accuracy
IBM QRadar Security SIEM
Providing actionable intelligence
IBM QRadar Security Intelligence Platform
• AUTOMATED: Driving simplicity and accelerating time-to-value
• INTEGRATED: Unified architecture delivered in a single console
• INTELLIGENT: Correlation, analysis and massive data reduction
Embedded intelligence offers automated offense identification
INTELLIGENT
Data sources:
• Servers and mainframes
• Data activity
• Network and virtual activity
• Application activity
• Configuration information
• Security devices
• Users and identities
• Vulnerabilities and threats
• Global threat intelligence
Suspected incidents from these sources pass through the Embedded Intelligence (Automated Offense Identification) and come out as Prioritized Incidents.
• Unlimited data collection, storage and analysis
• Built-in data classification
• Automatic asset, service and user discovery and profiling
• Real-time correlation and threat intelligence
• Activity baselining and anomaly detection
• Detects incidents out of the box
An integrated, unified architecture in a single web-based console
• Log Management
• Security Intelligence
• Network Activity Monitoring
• Risk Management
• Vulnerability Management
• Network Forensics
Example 1
SOC for a major Financial Institution's internal IT company
• Migration from a log correlation engine to a QRadar-based security analytics platform
• Strong compliance requirements
• Fully-integrated services
• Dedicated reporting
• Large coverage of the infrastructure
• Integration of business elements
• Full process integration
• Targeted KPIs
Lessons Learned
• A real project approach is needed
• Use QRadar suite out-of-the-box capabilities
• Define compliance steps from the start and align with the Business and Risk departments
• Monitoring & Analytics
• Reporting to Business
Example 2
SOC for a major insurance company in Luxembourg
• The word “SIEM” was totally new for them
• Complete end-to-end approach based on a maturity analysis
Specific needs
• 3 levels of reporting from the SOC: technical, security, business
• Cost effectiveness requirements
• Assistance to create and maintain a Security Incident Management Process
• Particular threat environment
• Mainframe-based core business application
Lessons Learned
• Yes! A specific threat environment exists for insurance companies
• Parallelize scenario-construction tasks and deployment tasks
• Involve the compliance officer from the start
• International compliance
• Specific reporting
Example 3
Profile: Largest bank in Canada, 3rd largest in North America, top 10 globally. The bank serves 18 million clients and has 80,100 employees worldwide.
Client Situation:
• Lack of any SOC model and strategy roadmap
• No trained SOC operations team or staff
• No security monitoring tool or processes for security incidents
IBM Solution:
• Global installation of the QRadar monitoring tool
• Archer ticketing system implementation (security tickets)
• Designed the SOC Organization, Process, People model
• SOC capacity modeling
• Hired and trained the client’s SOC staff (~12 resources)
• Implemented SOC operational reporting and executive dashboards
Client Benefits:
• Reduced risks & costs associated with security incidents and data breaches
• Addressed compliance issues by establishing clear audit trails for incident response
• Improved security posture with enterprise-wide security intelligence correlating events from IT & business-critical systems/applications
Driving simplicity and accelerated time to value
“QRadar’s ease-of-use in set-up and maintenance resulted in reduced time to resolve network issues and freed up IT staff for other projects.” (Private U.S. University with a large online education community)
• Immediate discovery of network assets: proactive vulnerability scans, configuration comparisons, and policy compliance checks
• Simplified deployment: automated configuration of log data sources and asset databases
• Automated updates: stay current with the latest threats, vulnerabilities, and protocols
• Out-of-the-box rules and reports: immediate time to value with built-in intelligence
“IBM QRadar is nearly three times faster to implement across the enterprise than other SIEM solutions.” (2014 Ponemon Institute, LLC, Independent Research Report)
QRadar, Managed SIEM and SOC Consulting
SOC Optimization
• Security operations maturity assessment
• SOC strategy and planning
• SOC design and build
• SOC optimization
SIEM Optimization
• SIEM design and build
• Use case design / log acquisition
• SIEM implementation
• SIEM optimization
SIEM Management
• Real-time threat monitoring, incident escalation and response
• SIEM administrative support
• SIEM infrastructure management
• Incident analysis and reporting
Want to learn more? Don’t miss the following InterConnect sessions:
• SIEM Workshop – Discussion on Use Case Development and Problem Solving (Session #4933). Tue 11AM, Mandalay Bay, Ballroom D
• Making Strategic Decisions – What is the most effective Security Operations model for you? (Session #4896). Wed 11AM, Mandalay Bay, Lagoon E
• Building Intelligent Next Generation Security Operations Center – How do I get there? (Session #5198). Wed 3:30PM, Mandalay Bay, Lagoon E
Detect threats others miss with IBM QRadar and Managed SIEM
• Augment and optimize staff resources
• More quickly identify and remediate events
• Gain access to best practice design expertise
• Help reduce costs and complexity
IBM Security can help maximize your QRadar investment with SOC and SIEM design, optimization, management and monitoring
Notices and Disclaimers
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.
Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.
References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer’s responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
Notices and Disclaimers (cont’d)
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
• IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document Management System™, Global Business Services®, Global Technology Services®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.