TRANSCRIPT
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
November 16, 2016
Speakers:
• Jay Bretzmann, QRadar Portfolio Marketing
• Tom Obremski, QRadar Offering Management
• Peter Szczepankiewicz, QRadar Offering Management
Agenda
• Introduction
• QRadar overview
• Today’s cyber security challenges
• QRadar Network Insights
• Demo
• Questions and Answers
IBM QRadar Security Intelligence Platform
Use cases:
• Malware and APT
• Insider threat
• Risk and vulnerabilities
• Incident response
• Compliance reporting
• Securing cloud
QRadar Sense Analytics™
Quickly and easily detects insider threats, malicious behaviors, malware, and risks
Sense Analytics helps:
• Quickly identify insider threats, malware, APTs and other abnormal behavior
• Simplify and reduce incident analysis effort through automatic identification and relating of abnormal activities
• Uncover risks through automatic discovery and behavioral profiling of devices, users, assets and applications
• Enable rapid time to value with automated security data discovery and classification, and integrated network and endpoint scanning
• Stay ahead of attacks with automatic updates of threats, vulnerabilities and new security use cases on the IBM App Exchange
8 IBM Security
Today’s Challenges: Why are they so hard to solve?
Advanced threats: greater sophistication and improved stealth
Real-time threat detection lacks the necessary security context
Real-time visibility of network context and the number of false-positive alerts
• Threats hide in normal application traffic: DNS, web, email, file transfers
• Malicious actors are stealthy, making lateral movements and exfiltrating data
• Current logs and flows don’t provide consistent visibility across the threat lifecycle
• PCAP data is expensive and is primarily used for post-incident forensic analysis
• Over-sensitive tools create too many false positives
• Lack of infrastructure and communication context to improve threat detection accuracy
Advanced threats | Phishing e-mails | Malware | Data exfiltration | Compliance gaps | DNS abuse
Today’s Exciting News!
Announcing NEW IBM QRadar Network Insights (QNI)
• Innovative network analytics solution that will quickly and easily detect insider threats, data exfiltration and malware activity
• Logs and network flow data alone do not provide enough visibility
• Records application activities, captures artifacts, and identifies assets, applications and users participating in network communications
• Configurable analysis from network traffic for real time threat detection and long-term retrospective analysis
• New Appliance with out-of-the-box content on the App Exchange for fast time to value and best practices
IBM QRadar Network Insights – Leaves nowhere to hide
Innovative network threat analytics
Improved threat detection | Long-term retrospective analysis
• Essential threat indicators gathered from network traffic in real time
• Threats are hunted and traced with full visibility of network traffic
• Threats are qualified by correlating network insights with logs from security devices
• Discovered devices, users and applications are cataloged for improved context
• Activities relating to applications, assets, artifacts and users can be collected selectively
• Hidden risks and threats are revealed through historical analysis employing the latest intelligence
Providing complete coverage and threat detection
[Architecture diagram: a network tap feeds QRadar Network Insights, QRadar Incident Forensics and QRadar Network Packet Capture; QRadar Processors perform incident detection & qualification and root cause analysis across endpoint, network and cloud.]
QRadar QNI – Completing the picture
• What is out there?
• Who is talking to whom?
• What files and data are being exchanged?
• Do they look malicious?
• Do they contain any important or sensitive data?
• Is this malicious application use?
• Is this new threat on my network?
• If so, where is it and what did it do?
Filling in the important gaps (capability tiers used on the slides: Basic, Enriched, Advanced)
Covering the threat lifecycle: Phishing
Phishing works: “95 percent of all attacks on enterprise networks are the result of successful spear phishing.”
- SANS Institute
Detect phishing e-mails before users have a chance to open them: detect and extract suspicious e-mail subject lines, content and attachments, helping QRadar detect attacks before users access their inbox.
Someone fell for it… again: quickly determine who was phished, how they responded, and who is compromised.
Capabilities shown on the slide: e-mail field analysis; invalid certificate detection; e-mail subject lines; anomalous DNS lookups; hunting for others who received the e-mail; embedded scripts in attachments
Finds Insider Threats
Exposure to insider risk: “55% of all attacks were carried out by malicious insiders or inadvertent inside actors.”
- IBM 2015 Cyber Security Intelligence Index
“Insider risk can be more than a threat to IT systems or data loss – it can result in physical harm or sabotage.”
- Carnegie Mellon SEI
Enhances QRadar/UBA for unique insider threat detection: identify unapproved web browsing or searches, recognize access to risky or suspicious domains, trace activities following anomalous behaviors, and resolve aliases and privileged identities triggered by suspicious content, seamlessly feeding QRadar UBA.
Capabilities shown on the slide: internet-bound data; anomalous DNS queries; interaction with malicious sources; e-mail subject lines; abnormal crown-jewel communications and transfers; PI data detection; who is talking to whom; web site content; email content
Key use example: All customers care about data exfiltration
Secrets being exposed: “50% of organizations believe they have regular confidential data leakage”
- Enterprise Management Associates
My proprietary data was posted where?!? Uncover sensitive data leaving the network via e-mail, chat messages, files or social media in real time. Knowledge of these transfers helps QRadar differentiate authorized from unauthorized actions, speeding incident response.
Capabilities shown on the slide: detect credit card data; abnormal DNS payload; what user IDs were used; detect PI data in flight; excessive file transfers; detect watermarks and confidential branding; where did the file go; capture file properties; other suspect content; hunting for what else was exfiltrated
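To make the exfiltration checks on this slide concrete, here is an added example (not IBM's code and not how QNI implements them) of three of the listed detections run over constructed transfer records: card numbers found by pattern plus a Luhn check, confidential-branding markers in extracted content, and per-user outbound volume against a threshold. The record layout, the marker list and the 5 MB threshold are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample records of outbound transfers, roughly what a content-
# inspecting flow source might hand to a SIEM: who sent it, where it went,
# how many bytes, and the text extracted from the payload. Made up for this
# example; not QRadar output.
SAMPLE_TRANSFERS = [
    {"user": "alice", "dst": "mail.partner.example", "bytes": 120_000,
     "content": "Q3 forecast attached. Card on file: 4111 1111 1111 1111"},
    {"user": "bob", "dst": "share.example", "bytes": 2_500_000,
     "content": "Order number 1234567812345678 shipped"},   # 16 digits, fails Luhn
    {"user": "alice", "dst": "paste.example", "bytes": 9_000_000,
     "content": "INTERNAL - CONFIDENTIAL\nroadmap draft, do not distribute"},
    {"user": "carol", "dst": "cdn.example", "bytes": 600, "content": "hello"},
]

# 13-16 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# Watermarks / branding an organisation stamps on confidential documents
# (assumed list for the example).
CONFIDENTIAL_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY", "DO NOT DISTRIBUTE")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Digit runs that look like card numbers AND pass Luhn; removes most false positives."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_transfers(records, volume_threshold=5_000_000) -> list:
    """Content and volume checks over outbound transfers; returns a list of findings."""
    findings = []
    outbound_per_user = defaultdict(int)
    for r in records:
        outbound_per_user[r["user"]] += r["bytes"]
        for pan in find_pans(r["content"]):
            # Report a masked PAN only; the alert must not itself leak the number.
            findings.append({"user": r["user"], "dst": r["dst"],
                             "type": "card_data", "detail": pan[:6] + "..." + pan[-4:]})
        upper = r["content"].upper()
        for marker in CONFIDENTIAL_MARKERS:
            if marker in upper:
                findings.append({"user": r["user"], "dst": r["dst"],
                                 "type": "confidential_marker", "detail": marker})
                break
    for user, total in outbound_per_user.items():
        if total > volume_threshold:
            findings.append({"user": user, "dst": "*", "type": "excessive_volume",
                             "detail": f"{total} bytes outbound"})
    return findings


if __name__ == "__main__":
    for f in scan_transfers(SAMPLE_TRANSFERS):
        print(f)
```

On the constructed records only alice is flagged: one card number (bob's 16-digit order number fails Luhn and is dropped), one confidential marker, and an aggregate outbound volume above the threshold. The volume rule aggregates per user rather than per flow, which is what catches data leaving in many small transfers.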
Take your threat detection and risk visibility to new levels
• Quickly and easily discovers insider threats, malware and APTs
• Uncovers hidden risks with automatic visibility of devices, users and applications
• Seamlessly integrated with QRadar lowering costs and increasing threat detection accuracy
• Easily scales from the smallest to largest network as you grow
Demo
• All originating email users
• Drill down: all email sent with attachments
• Email senders – pivot, analyze, drill into one email sender
• File integrity hashes
• Anomaly incident – pervasive file
• Another example: begin with a chained incident – phishing and lateral movement
• Where did the attacker hop to?
• Who sent the phishing email?
• What was the email attachment?
• Who else received the same phishing email?
Questions and Answers
IBM QRadar Network Insights
Follow us on: ibm.com/security | securityintelligence.com | xforce.ibmcloud.com | @ibmsecurity | youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
Additional Use Cases: IBM QRadar Network Insights
Covering the threat lifecycle: Malware detection and analysis
Malware is pervasive: “600%+ increase in attachment-based versus URL delivered malware attacks from mid 2014 to 2015”
- Proofpoint
“50% increase in email attacks where macros are the method of infection”
- Clearswift.com
No file goes unnoticed: QRadar Network Insights knows the details of every file, from the file name, type, entropy, embedded scripts and file hash to where it came from and where it was sent. With QRadar and threat intelligence from X-Force Exchange, it becomes clear when malware has evaded detection.
Capabilities shown on the slide: suspect content detection; talking with malicious sources; DNS system abuse; file type mismatch; file hash threat intelligence correlation; embedded script detection; hunting for where it went; pluggable malware signatures
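The file attributes named above (type, entropy, embedded scripts, hash) each feed a simple detection. As an added illustration, not IBM's code and not QNI's implementation, the following triages constructed sample files: it sniffs the real type from magic bytes and compares it with the declared extension, computes Shannon entropy to flag packed or encrypted content, looks for crude script markers, and correlates the SHA-256 against a threat-intelligence set. The magic table, marker list, the 7.2-bit entropy threshold and the intel set are assumptions for the example (the intel set is seeded with one sample's own hash so that the correlation path executes).

```python
import hashlib
import math
from collections import Counter

# Minimal magic-byte table (assumption: a handful of common signatures).
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "exe",
    b"PK\x03\x04": "zip",   # also the container of docx/xlsx/jar
    b"\x89PNG\r\n\x1a\n": "png",
}
# Extensions whose real container is zip; not reported as a mismatch.
ZIP_BASED = {"zip", "docx", "xlsx", "pptx", "jar"}
# Crude markers for embedded scripting (assumed for the example).
SCRIPT_MARKERS = (b"<script", b"autoopen", b"powershell")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 means packed/encrypted, plain text sits around 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sniff_type(data: bytes) -> str:
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def declared_type(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def triage_file(filename, data, bad_hashes, entropy_threshold=7.2):
    """Return the file's hash, sniffed type, entropy and a list of findings."""
    sha256 = hashlib.sha256(data).hexdigest()
    sniffed, declared = sniff_type(data), declared_type(filename)
    entropy = shannon_entropy(data)
    findings = []
    if sniffed != "unknown" and declared:
        consistent = declared == sniffed or (sniffed == "zip" and declared in ZIP_BASED)
        if not consistent:
            findings.append(f"type mismatch: named .{declared} but content is {sniffed}")
    if entropy >= entropy_threshold:
        findings.append(f"high entropy {entropy:.2f}")
    if sha256 in bad_hashes:
        findings.append("hash matches threat intelligence")
    low = data.lower()
    if any(m in low for m in SCRIPT_MARKERS):
        findings.append("embedded script marker")
    return {"file": filename, "sha256": sha256, "type": sniffed,
            "entropy": round(entropy, 2), "findings": findings}


# Constructed sample files (not real malware): an executable header wearing a
# .pdf name, a genuine small PDF, an opaque high-entropy blob, and a PDF with a script tag.
EXE_AS_PDF = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
REAL_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
OPAQUE_BLOB = bytes(range(256)) * 4          # every byte value equally often -> 8.0 bits
SCRIPTED_DOC = b"%PDF-1.7\n<script>app.alert('hi')</script>\n"

# Constructed threat-intel set: seeded with the blob's hash so the correlation runs.
BAD_HASHES = {hashlib.sha256(OPAQUE_BLOB).hexdigest()}

SAMPLES = [("invoice.pdf", EXE_AS_PDF), ("report.pdf", REAL_PDF),
           ("update.bin", OPAQUE_BLOB), ("form.pdf", SCRIPTED_DOC)]


def triage_all(samples=SAMPLES, bad_hashes=BAD_HASHES):
    return [triage_file(name, data, bad_hashes) for name, data in samples]


if __name__ == "__main__":
    for r in triage_all():
        print(r["file"], r["type"], r["entropy"], r["findings"])
```

Each check is weak on its own (many legitimate installers are high-entropy, and docx files are zip containers, which is why the ZIP_BASED exception exists); the value comes from combining them with the flow context QNI records, such as where the file came from and where it went.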
Discover what is out there
Uncover what is being used: “50% of organizations don’t know what they’ve deployed or are using”
Discover the unknown: automatically discover assets, devices, servers, services, applications, users and internet services. This drives improved threat detection, security and compliance.
Capabilities shown on the slide: detect credit card data; discover shadow IT; find web apps and databases; detect watermarks and confidential branding; identify assets; capture file properties; recognize services; discover services
Improved threat detection with additional context
Reduce the work with better accuracy: “42% of organizations don’t process a significant number of alerts”
- ESG research
Too much noise: a lack of important context results in security teams being plagued with false positives. Identifying what assets, devices, users and applications are on the network and understanding their behavior patterns, when analyzed with event data in QRadar, can significantly improve the accuracy of alerts based on what appears to be anomalous behavior.
Capabilities shown on the slide: find web apps and DB servers; discover and catalogue servers; understand data flow direction; discover services; record data flow volumes; evaluate reputation; reveal web categories; baseline normal behavior; highlight sensitive data
Zero-day threat detection
The rate of new zero-day threats is increasing: “Zero-Day Discoveries A Once-A-Week Habit”
- Dark Reading
Detect what others miss: traditional means of detection and prevention may be blind to new zero-day attacks, but QRadar Network Insights can help identify the symptoms to enable timely detection and remediation.
Capabilities shown on the slide: application; HTTP headers; IP reputation; new connections; beaconing; baseline normal behavior; DNS; flow duration
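Beaconing, new connections and flow duration from this slide are symptoms that need no signature, which is why they help against zero-day activity. Here is an added example, not IBM's code and not QNI's algorithm, of a beacon detector over constructed flow records: it groups flows by source, destination and port, measures how regular the inter-arrival times are (coefficient of variation of the gaps), and marks destinations absent from a baseline set as new. The record layout, the baseline set, the minimum of five flows and the 0.15 regularity cutoff are assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (start_time_s, src_ip, dst_ip, dst_port, duration_s).
# Host 10.0.0.5 contacts 203.0.113.10 roughly every 60 s; 10.0.0.7 talks to a
# known destination at irregular intervals. Made up for this example.
SAMPLE_FLOWS = [
    (t, "10.0.0.5", "203.0.113.10", 443, 0.4)
    for t in (1000, 1060, 1119, 1180, 1240, 1300, 1359, 1420)
] + [
    (t, "10.0.0.7", "198.51.100.20", 443, 3.0)
    for t in (1000, 1005, 1305, 1317, 1397, 2000)
]

# Destinations seen during the baseline period (constructed); anything else is "new".
BASELINE_DESTINATIONS = {"198.51.100.20"}


def group_by_pair(flows):
    """Map (src, dst, port) -> list of flows sorted by start time."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f[1], f[2], f[3])].append(f)
    for key in groups:
        groups[key].sort(key=lambda f: f[0])
    return groups


def interval_stats(start_times):
    """Mean inter-arrival time and its coefficient of variation (stdev / mean)."""
    gaps = [b - a for a, b in zip(start_times, start_times[1:])]
    mu = mean(gaps)
    return mu, (pstdev(gaps) / mu if mu else float("inf"))


def find_beacons(flows, baseline, min_flows=5, max_cv=0.15):
    """Flag src->dst pairs whose connection timing is suspiciously regular."""
    results = []
    for (src, dst, port), fl in group_by_pair(flows).items():
        if len(fl) < min_flows:
            continue                      # too few samples to judge periodicity
        mu, cv = interval_stats([f[0] for f in fl])
        if cv <= max_cv:                  # low variation in the gaps = clock-driven traffic
            results.append({
                "src": src, "dst": dst, "port": port,
                "count": len(fl), "period_s": round(mu, 1), "cv": round(cv, 3),
                "mean_duration_s": round(mean(f[4] for f in fl), 2),
                "new_destination": dst not in baseline,
            })
    return results


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_FLOWS, BASELINE_DESTINATIONS):
        print(b)
```

On the constructed data the 10.0.0.5 pair is reported with a 60-second period, a very small coefficient of variation, short flows and a destination outside the baseline; the irregular 10.0.0.7 traffic is not. In practice the regularity cutoff is the tuning knob: legitimate software updaters and monitoring agents also beacon, so the new-destination flag and the short, uniform durations are what push such a hit to the top of the queue.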
Managing social media risk
Social media is becoming a favored tool for attacks: “160,000 Facebook pages are hacked a day”
- New York Post
Social media is important but risky for businesses: whether threat actors use it for phishing, as a channel to distribute malware, or to gain identity or password information, social media usage (whether sanctioned or not) poses a threat to businesses. Personal use of social media can easily cross boundaries that compromise your company’s reputation, your assets and your customers. Real-time contextual content analysis is key to detecting usage that has simply gone too far.
Capabilities shown on the slide: application; content and context; phishing detection; URLs; malware detection; usage vs. policy; detect sensitive data