total integrated security solution - accueil - eb-qual sa · pdf file ·...

|

Total Integrated Security Solution Fabien Broillet – Technical Director [email protected]

IT Security Intelligence with QRadar

[email protected] www.eb-qual.ch

What is Security Intelligence?

3

Security Intelligence provides actionable and comprehensive insight for

managing risks and threats from protection and detection through remediation


Security Intelligence like Business Intelligence

4


IBM Security Intelligence

Total Integrated Security Solution

5


Solution for the full Security Intelligence

6


IBM QRadar


7


Built upon common foundation of QRadar SIOS

8


Taking in data from wide spectrum of feeds

9


And continually adding context for increased

accuracy

10


Two deployment models: All-in-One & Distributed

11


Deployed upon scalable appliance architecture

13


Using fully integrated architecture and interface

14


QRadar SIEM


15


QRadar SIEM

Command Console for Security Intelligence

16


QRadar SIEM

Flows - Context for true network intelligence

17


QRadar Vulnerability Manager


18


QRadar Vulnerability Manager

Strengthened by integrated vulnerability insights

19


The Proof by example


21


QRadar Customer Concrete Case …

Offenses overview

22



23



24



Let's go into the details

25



Web servers only as targeted IP’s !

26



Let’s have a look on a specific targeted Web server …

27



Concerned Firewall Logs

28



Concerned IPS Logs

29



Correlation Rule matched

30


Remote Web Scanner Detected When an event matches any of these CategoryDefinition:

Recon Events

Suspicious Events

With the same source IP more than 5 times, across more than 59 dest. IP within 10 minutes

When the context is:

Remote to Local

Remote to Remote

When a flow or an event matches any of the following PortDefinition:

Web Ports

Reports a remote host attempting reconnaissance or suspicious connections on common local

web server ports to more than 60 hosts in 10 minutes.


31



Correlation Rules matched

32


Exploit/Malware Event Across Multiple Destinations NOT when an event matches any of the following Exploit:

Destination Vulnerable to Detected Exploit on a Different Port

When an event matches any of these CategoryDefinition:

Exploits Backdoors

Trojans

With the same source IP more than 5 times, across more than 5 destination IP within 5 minutes

Reports a source IP address generating multiple (at least 5) exploits or malicious software

(malware) events in the last 5 minutes. These events are not targeting hosts that are

vulnerable and may indicate false positives generating from a device.


33


Exploit Attempt Proceeded by Recon When all of these ReconDetected:

All Recon Rules

When all of these CategoryDefinition

Exploits Backdoors

Trojans

From the same source IP to the same destination port, over 1 hours

Reports reconnaissance followed by an exploit from the same source IP address to the same

destination port within 1 hour.


34


Main Challenge completed !

35

Many heterogeneous & unstructured data …


Main Challenge completed !

36

Keeping ressources & effort on key elements


In Conclusion

QRadar leverages our logs to detect major incidents, but…

QRadar leverages open services to be even more accurate What to do if we have no idea about Services present in an Offense raised by the system ?

Consider collecting network flows through QFlow collector !

QRadar leverages present vulnerabilities to be even more accurate What to do if we have no idea about the vulnerabilities present in an Offense raised by the

system ?

Consider collecting vulnerabilities posture through QRadar Vulnerability Manager

QRadar leverages Geo location & IP reputation to be more useful Consider having powerful services like IBM Security Intelligence Feeds

37


Fabien Broillet

Technical Director

eb-Qual AG

Oberfeldstrasse 20

8302 Kloten

THANK YOU

Tel. 043 211 47 20

Fax 043 211 47 29

total integrated security solution - accueil - eb-qual sa · pdf file ·...

Documents