Security Management 2.5: Replacing Your SIEM Yet?
Posted on 14-Sep-2014
DESCRIPTION
Mike Rothman, Analyst and President of Securosis, will provide insight into Securosis's latest research paper, “Security Management 2.5: Replacing Your SIEM Yet?”. He will show what organizations now require from their SIEM solution, and why malware/threat detection and emerging technology (e.g. cloud and mobile) mean that a SIEM is no longer simply about ticking the compliance box. Supporting Mike will be Chris Meenan, IBM Security QRadar Senior Product Manager, who will discuss how IBM Security is adapting to these findings and the parts of the QRadar platform, including the new incident forensics solution, that help organizations stay one step ahead of the threat. View the full on-demand webcast: https://www2.gotomeeting.com/register/159478066
TRANSCRIPT
© 2014 IBM Corporation. IBM Confidential.
IBM Security Systems
Exclusive Analyst Webinar:
Security Management 2.5: Replacing Your SIEM Yet?
April 2nd 2014
Speakers
Mike Rothman, Securosis, President
Twitter: @securityincite
Chris Meenan, IBM Security Systems, QRadar Product Manager
Twitter: @chris_meenan
Agenda
• Security Management 2.5 findings
1. Changing Needs
2. Platform Evolution
3. Revisiting Requirements
4. The Rise of Forensics
5. Vendor Evaluation
6. Decision Process
• How the IBM Security Intelligence QRadar Platform helps to answer these findings
• Q&A
Security Management 2.5: SIEM Replacement Analysis
Download the report: http://ibm.co/1luGpl6
Why now?
• Advanced Adversaries
  • Malware detection
  • Better analytics
• Technology Disruption
  • Cloud
  • Mobile
Changing Needs
• More Data: To drive deeper analysis
  • Requires enhanced speed, scale and accuracy
• More Flexibility: Support more use cases — like forensics
• Threat Intelligence: Benefit from the misfortune of others
• Skills Gap: Better automation and efficiency
https://flic.kr/p/dcZaG7
Platform Evolution
Architectural Evolution
• Distributed architecture
• Cooperative cluster for independently collecting, digesting and processing events
• Processing events closer to the data
• Better supports cloud and virtualization
Usability Enhancement
• Event/Log enrichment
• Contextual data
• Reporting
• Visualization
• *Real* centralized management
Additional Capabilities
• Enhanced Visibility
• More and Better Data
• Better Analysis
• Better Visualization
• Decreased Time to Value — Out of the box
• Hybrid Deployments — On-Prem, In Cloud, Managed Services
Revisiting Requirements
Understanding Your Requirements
Evaluating the Incumbent
How well does your SIEM work?
• Relative to your requirements, evaluate:
  • Ability to perform important use cases
  • Current performance and architecture to support required scale
  • Analytics (now and future needs)
  • Simplicity in maintenance/tuning
• Identify weaknesses/omissions
Lather-Rinse-Repeat
• Goal is to understand what works and what does not
• Build complete story
• Need to remain objective
Forensic Use Case
• Root cause analysis
• Packet capture
• Advanced Searching
• Evidence handling (chain of custody)
https://flic.kr/p/aokto
Security Analytics Use Case
• Old SIEM required you to know what to look for and build the rules ahead of time.
• Analytics provides the ability to look at disparate data sources and find patterns
• Beware of big data mumbo jumbo — Underlying technology not important
• Key Features
  • Flexibility critical to support many types of analysis
  • Ability to add new data types
  • Accuracy
  • Visualization and Reporting
Vendor Evaluation
What else is available?
• Given your requirements:
  • Familiarize yourself with vendors
  • Create RFI/RFP
  • Create ‘short list’ for eval
  • Evaluate based on weighted requirements
  • Select vendors for PoC
Driving the PoC
• Define real tests
• Stand it up and try it out!
• Red team — test it under fire
• Perform Post-Mortem
• Repeat
Decision Process
Introspection time
• Did you fairly evaluate the incumbent?
• Are your expectations realistic?
• Is there really budget for a replacement?
Supporting Documentation
• You will not get the funding without proper documentation
• The documentation is what supports your case to upper management
• Clarity of intent and objectivity are critical
What to document
• Requirements
• Evaluation of Incumbent
• Challenger assessment
• Cost estimate
• Migration plan
• Recommendation
https://flic.kr/p/5WMZ2M
Summary
• Understand your requirements
• Understand current deficiencies
• Critically evaluate incumbent & challengers
• Read the report for more information on documenting and making your case
https://flic.kr/p/5vKanE
IBM Security Intelligence QRadar Platform
IBM QRadar Security Intelligence Platform: Providing actionable intelligence
• AUTOMATED: Driving simplicity and accelerating time-to-value
• INTEGRATED: Unified architecture delivered in a single console
• INTELLIGENT: Correlation, analysis and massive data reduction
Consolidation and integration help reduce costs and increase visibility
• Data consolidated by the IBM QRadar Security Intelligence Platform: Logs, Events, Flows, Configurations, Vulnerabilities, Packets
• Traditional SIEM: 6 products from 6 vendors are needed
• IBM Security Intelligence and Analytics: Big data consolidation of all available security information
Technology additions strengthen QRadar Security Intelligence
Platform evolution based on client needs (timeline: 2002 – 2005, 2006 – 2007, 2008 – 2009, 2010 – 2011, 2012 – 2013, 2014, Future; the IBM acquisition is marked on the timeline). Capabilities in order of addition:
• Flow Visualization and NBAD: Anomaly detection and threat resolution
• SIEM: SIM and VA integration
• Log Management: Identity management, complete log management, and compliance reporting
• Risk Management: Configuration analysis, policy monitoring, and risk assessment
• Vulnerability Management: Real-time vulnerability scanning and vulnerability prioritizations
• Network Forensics: Incident forensics and packet captures
• Security Intelligence .NEXT
IBM QRadar Security Intelligence Platform components:
• Log Management
• Security Intelligence
• Network Activity Monitoring
• Risk Management
• Vulnerability Management
• Network Forensics
Embedded intelligence offers automated offense identification
Extensive Data Sources:
• Servers and mainframes
• Data activity
• Network and virtual activity
• Application activity
• Configuration information
• Security devices
• Users and identities
• Vulnerabilities and threats
• Global threat intelligence
Embedded Intelligence:
• Massive data reduction
• Automated data collection, asset discovery and profiling
• Automated, real-time, and integrated analytics
• Activity baselining and anomaly detection
• Out-of-the-box rules and templates
Automated Offense Identification: from Suspected Incidents to Prioritized Incidents
Extend clarity around incidents with in-depth forensics data
Directed Forensics Investigations:
• Rapidly reduce time to resolution through intuitive forensic workflow
• Use intuition more than technical training
• Determine root cause and prevent re-occurrences
Visit IBM Security: www.ibm.com/security
Learn more:
Download the Securosis paper: http://ibm.co/1luGpl6
Read: http://securosis.com/blog
Attend our webcast on QRadar Incident Forensics, 15th April: http://ibm.co/QRIF
Thank You. Any Questions?
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.