
IBM Security Intelligence

Update
IBM #QRADAR

Carmen Ces & Emilio Andrés


IBM Security Intelligence Technical Sales

10 July 2017
Agenda

1. General section:
a. Positioning
b. Portfolio – what do we sell?
c. Collaboration to combat (App Exchange, App Framework-SDK, AppNode)
d. Some core news (new core appliances, licensing)
e. Release highlights

2. Section: existing products to highlight:
a. User Behavior Analytics
b. QRadar Network Insight
c. Resilient
d. QRadar Advisor with Watson

3. Section: existing applications and roadmap

4. Section: technical resources for BPs

2 IBM Security
General Section
Today’s security drivers

• Advanced attacks
• Compliance
• Skills gap
• Human error
• Innovation
Why a security immune system… and why now?

Our clients say they need a better approach than a fragmented, disconnected, inefficient collection of point products. The capabilities an integrated security immune system has to connect:

• Threat sharing, IP reputation, indicators of compromise, criminal detection
• Network visibility, sandboxing, firewalls, virtual patching
• Incident response, incident forensics, log/flow/data/user-behavior analysis and threat management, anomaly detection
• Application security, application scanning, content security, malware protection, antivirus
• Access management, identity management, privileged identity management, entitlements and roles
• Data access control, data monitoring, fraud protection, transaction protection
• Endpoint patching and management, device management, vulnerability management, workload protection
• Cloud access security broker
It’s time to take a more holistic view of your security portfolio

Some organizations report using as many as 85 security products from more than 40 vendors, a costly approach.
IBM helps protect against new and complex security challenges

• Security Transformation Services: optimize your security program with skills to address modern day risks
• Security Operations and Response: orchestrate your defenses throughout the entire attack lifecycle
• Information Risk and Protection: keep your critical information protected while accelerating the business
Upgrade your defenses with a coordinated platform to outthink threats

PREDICT
• Discover unknown threats with advanced analytics: see attacks across the enterprise; sense abnormal behaviors; hunt for cyber attackers; automatically prioritize threats
• Continuously stop attacks and remediate vulnerabilities: disrupt malware and exploits; discover and patch endpoints; automatically fix vulnerabilities

RESPOND
• Respond to incidents quickly, with precision: orchestrate and automate incident response; hunt for indicators using deep forensics
Security Operations and Response

SECURITY OPERATIONS AND RESPONSE
• App Exchange and X-Force Exchange: indicators of compromise, IP reputation, threat sharing
• BigFix
• Network Protection XGS: virtual patching
• QRadar Incident Forensics: network forensics and threat management
• QRadar SIEM: threat and anomaly detection
• QRadar User Behavior Analytics: user behavior analysis
• QRadar Vulnerability / Risk Manager: vulnerability management
• Resilient Incident Response: incident response
• QRadar Advisor with Watson: cognitive security
• i2 Enterprise Insight Analysis
• Trusteer Pinpoint, Trusteer Mobile, Trusteer Rapport
• MaaS360

INFORMATION RISK AND PROTECTION
• Guardium
• Key Manager
• AppScan
• zSecure
• Identity Governance and Access
• Privileged Identity Manager
• Cloud Identity Service
• Cloud Security

SECURITY TRANSFORMATION SERVICES
Management consulting | Systems integration | Managed security
QRadar Product Portfolio

• IBM X-Force Exchange
• IBM Application Exchange (Platform for Security Intelligence Collaboration)
• QRadar UBA (User Behavior Analytics)
• QRadar Advisor with Watson

Inputs: Logs, Flows, Vulnerabilities
• QRadar Log Manager (without correlation)
• QRadar SIEM (Security Intelligence and Sense Analytics) – produces Offenses

Add-on components:
• QVM – QRadar Vulnerability Manager: vulnerabilities, scanner
• QRM – QRadar Risk Manager: network topology & risk analysis
• QFlow – QRadar Flow Capture: generates flows with Layer 7 inspection
• QNI – QRadar Network Insights: generates metadata (file: name, hash, size; mail: subject, from, to; HTTP, DNS, etc)
• QRIF – QRadar Incident Forensics: captures, stores and indexes network traffic; allows rebuilding traffic & content (files, voip, etc)
• QNS – QRadar Network Security (XGS): Next Generation Intrusion Prevention System – Network Protection (includes ssl inspection)
• Resilient – Resilient Incident Response Platform
IBM QRadar: Continued investment based on client needs

Platform evolution driven by client-based needs (timeline on the slide: 2002 – 2005, 2006 – 2007, 2008 – 2009, 2010 – 2013, 2014, 2015, 2016):
• SIM and NBAD: visualization and anomaly detection
• SIEM: flow and VA integration, identity management, and threat resolution
• Log Management: complete log management and compliance reporting
• Vulnerability and Risk Management: real-time vulnerability management, scanning and prioritizations, combined with configuration analysis, policy monitoring, and risk assessment
• Network Forensics: incident forensics and packet captures
• Security Intelligence on Cloud: flexible solution that can deploy as either a true SaaS offering or combine with hybrid cloud environments to improve visibility into cloud-based applications
• Incident Response: build and execute automated incident response plans
Analyst recognition

IBM Security Intelligence

§ Leader in the Gartner Magic Quadrant since 2009 – Security Information and Event Management (SIEM)
§ #1 in SIEM market share by Gartner and IDC
§ #1 IDC Security Vulnerability Management (including SIEM)
§ 2016 SANS Best SIEM Solution
§ “By integrating the UBA App with QRadar, and making it easy to deploy via the Security App Exchange, IBM has established a strong differentiator in the increasingly crucial field of security analytics.” – TBRI
Collaboration to combat the criminals

§ Application Exchange
§ QRadar Application Framework - SDK
§ Application Node

Criminals are organized and collaborate on a global scale. Meanwhile defenders contend with increasing complexity, unpatched vulnerabilities, user negligence and resource constraints, while criminals create and share easy-to-use, sophisticated, powerful weapons.

An open ecosystem is key to Security Operations and Response practices.
IBM Security Application Exchange

A New Platform for Security Intelligence Collaboration: a single collaboration platform for rapidly delivering new apps and content for IBM Security solutions.

VALIDATED CONTENT
Tested, validated content minimizing risk, ensuring consistency and quality

INNOVATION
New agile capabilities from partners, IBM, Security research and other vendors

DIFFERENTIATION
Enables service provider and business partner value add and differentiation

SPEED
Jump start security operations with feature rich extensions and integrations
Where to find the IBM Security Application Exchange

§ https://exchange.xforce.ibmcloud.com/hub
§ Extension Management window within QRadar UI
- Manage (Add, Install, Uninstall, Delete) your applications on your deployment
QRadar Application Framework underlies development and sharing
§ More flexibility and less complexity
§ Economic and operational benefit
§ Seamlessly integrated workflow
§ Bundled components support new use cases
§ Provides a delivery mechanism for application creation

QRadar API Components: new Open APIs for rapid innovation and creation, for easily consumable cybersecurity capabilities

Cybersecurity use cases: Insider Threats, Internet of Things, Incident Response

*IBM QRadar SDK: https://exchange.xforce.ibmcloud.com/hub/extension/517ff786d70b6dfa39dde485af6cbc8b
QRadar GUI Application Framework (SDK) – creates easy to use UI and workflow
§ The QRadar GUI Application Framework (SDK) allows the development of new modules that integrate with the existing QRadar user interface and expose new capabilities to it.
§ Applications have the ability to define their own custom dashboard items, buttons, configuration pages, and menu actions, as well as other capabilities.
§ Applications are isolated from the QRadar user interface runtime, and each one has its own dedicated memory allocation and a defined amount of CPU resources allocated to it.

Secure Container
- Dedicated Memory Allocation and Defined CPU Resources
- Docker ensures GUI App code in one container cannot affect code in another container
- Docker ensures GUI App code cannot interfere or interact directly with QRadar

§ The main web language used to author an application is Python, and the Flask Micro Framework is integrated and available for use by the application.
*However, applications are free to include other additional packages and runtimes as required.

https://www.python.org/
https://flask.pocoo.org/

*Demo - https://youtu.be/_A5ogClea8g
QRadar App Development Center

What is it?
§ The QRadar App Developer Center is a landing site for anything app development related. This is a free site and open to any users. An IBM ID is required to download the SDK from the IBM Security App Exchange.
§ https://developer.ibm.com/qradar

Information available:
§ Download the SDK
§ Learn about what’s new
§ Read documentation
§ Blogs from developers
§ Talk with developers on our forum
§ App troubleshooting information
§ Learn about submitting apps (partners only at this time)
§ Business Partner information
IBM Security App Exchange: External Validation Process

Certification timeline: roughly 1 week per phase.

Phase 1 (1 week)
ü Log into IBM Security App Exchange Technical Community with your IBM ID.
ü Submit the Validation Document, and required documentation.
ü Package is reviewed by PartnerWorld Validation Lab.
ü Feedback, Approval and access to QRadar DeveloperWorks is granted.
ü Access the Security App Exchange Tutorial and SDK through QRadar Developer Works
ü Submit App and relevant App documentation through IBM Security App Exchange Technical Community

Phase 2 (1 week)
ü App reviewed by IBM QRadar to ensure solution is free of security exposures and performance inhibitors.
ü Feedback
ü Approval

Phase 3 (1 week)
ü App posted in IBM Security App Exchange
ü App posted in IBM PartnerWorld Ready for Security Intelligence Catalog
ü BP is issued IBM Ready for Security Intelligence Mark
IBM QRadar Application Editor (2Q 2017)

APP DEVELOPMENT TOOL
- Real time QRadar App editing and creating
- CSS/HTML made easier
- Create or Edit Apps easily
- Simplifies Installs & Upgrades
- Quicker results for App Developers
- Manifest validation
- Work on multiple app versions
- Speeds up App Development
- Integration with Github (*)

https://exchange.xforce.ibmcloud.com/hub/extension/5d0f3f37cc5c4d16ccafe9d40d8dffe5
Inter-App Communications (Named Services)
In 7.3, we have also expanded the application framework to allow applications to talk to each other.

In essence, apps can now register a (named) service with QRadar that can be accessed through the RestAPI facilities of QRadar.

Once registered, any other application can simply invoke these named services to make use of the capabilities being published by the app.

Services are defined in the app’s manifest.json and the framework registers them with the API.
QRadar Application Node (Q1 2017 – 7.3)
• Prior to 7.3, all QRadar Applications have been installed and run on the QRadar Console. This means that for each QRadar Application that is downloaded and installed, a small portion of the console’s resources (RAM, CPU and Storage) is used up and not available for normal console operation.
• It’s like a Data Node but for Apps!
With the QRadar App Node, all applications are now offloaded to a new host, relieving the console from the processing load. This also gives applications with significant resource requirements (UBA, Spark, etc.) access to those resources.
• A scalable application platform
• Plans to support Spark & Hadoop
• Ease of deployment: on prem or cloud
App Nodes can reside on premise on traditional appliance type form factors or within a virtualized infrastructure. The only requirement for an App Node is that it be running RHEL 7 or CentOS 7 at the time it is added to QRadar.
Requires an integrated ‘Above SIEM’ solution set for the SOC

ABOVE THE SIEM
• Incident Response Orchestration
• Cognitive Security
• Hunting
• User and Entity Behavior

SIEM LAYER
• Event Correlation and Log Management: IBM QRadar Security Intelligence

BELOW THE SIEM
• New Security Operations Tools
Highlight news on Core

§ New Core Appliances
§ New Licensing & Deployment examples
§ Additional Products

New Core Appliances
New Core Appliances
We also have two new appliance form factors that have been released within the last few months.

The QRadar xx29, which is the generational update of our xx28, provides an excellent platform for all host types for our clients with medium to large scale deployments.

The QRadar xx48 is the newest addition to the appliance family and is targeted at enterprise clients with very high performance requirements around data searching and analysis. The xx48 also comes with an 80K EPS certification for event collection, which makes it an excellent choice for clients looking to consolidate their existing deployments or even for Telco type clients with onerous collection needs.

xx48
- For large system consoles (6+ processors) and high throughput processors (80k+ EPS)
- 18TB of SSD, 128 GB RAM
- 28 cores

xx29
- For medium to large systems
- 40k EPS
- 60TB of Disk, 128 GB RAM
- 20 cores

QRadar SIEM Appliances (XX48, XX29, XX05) are intended for use as All-in-Ones, Consoles, Event Processors, Flow Processors, and Data Nodes.
Releases: News to highlight

§ Compression
§ GUI improvements
§ Layouts
§ AQL
§ DSM Editor
§ Users
§ Multitenancy
§ High availability
§ LVM
§ Activation Key

Introducing the Tenant Abstraction
The Tenant abstraction is meant to provide a higher level representation of an occupant (MSSP: Tenant = customer)
Resource Restrictions – Search Controls

We all make mistakes. Security Analysts are no different.

“Do you think it was intentional that the intern queried 1.2TBs of data… from a host located on the OTHER SIDE OF THE EARTH!?!? He probably didn’t realize ”that” query would take over 72 hours and tax the entire deployment.”

We have a solution! 7.2.8 introduces new search controls called Resource Restrictions, allowing SOC administrators to implement controls around system usage based on:
• The length of time a query can run
• The amount of data that can be queried
• The time frame over which a search can be run
These controls can be applied per role or even as granular as per user. MSSPs can apply these on a per tenant basis to avoid resource contention amongst their users.
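The policy model behind these three controls, written out as an added example (this is not IBM's or QRadar's code): limits are resolved per user, falling back to the role, and a tenant's limits act as a ceiling on top. The limit tables, the role and user names, and the planner-style estimates passed to check_search are all constructed for illustration.

```python
# Added example (not IBM's or QRadar's code): a policy check modelled on the three
# Resource Restriction controls, resolved per user, per role and per tenant.
# All limit values and the estimate inputs are constructed for illustration.
from dataclasses import dataclass

HOUR = 3600
DAY = 86400
GB = 10 ** 9


@dataclass(frozen=True)
class SearchLimits:
    max_runtime_s: int   # how long a query may run
    max_bytes: int       # how much data a query may read
    max_window_s: int    # widest time frame a search may cover


# Constructed policy tables: role defaults, per-user overrides, per-tenant ceilings.
ROLE_LIMITS = {
    "admin": SearchLimits(72 * HOUR, 5000 * GB, 365 * DAY),
    "analyst": SearchLimits(1 * HOUR, 200 * GB, 30 * DAY),
    "intern": SearchLimits(10 * 60, 20 * GB, 7 * DAY),
}
USER_LIMITS = {
    "alice": SearchLimits(2 * HOUR, 500 * GB, 90 * DAY),   # trusted senior analyst
}
TENANT_LIMITS = {
    "tenant-a": SearchLimits(30 * 60, 1000 * GB, 90 * DAY),  # MSSP cap for this tenant
}


def effective_limits(user, role, tenant=None):
    """Per-user limits override the role default; a tenant limit then acts as a
    ceiling so no user of that tenant can exceed what the MSSP allotted."""
    limits = USER_LIMITS.get(user, ROLE_LIMITS[role])
    cap = TENANT_LIMITS.get(tenant)
    if cap is not None:
        limits = SearchLimits(
            min(limits.max_runtime_s, cap.max_runtime_s),
            min(limits.max_bytes, cap.max_bytes),
            min(limits.max_window_s, cap.max_window_s),
        )
    return limits


def check_search(user, role, window_s, est_bytes, est_runtime_s, tenant=None):
    """Return the names of the controls a proposed search would violate.
    An empty list means the search may be submitted. est_bytes and est_runtime_s
    are assumed to come from a query planner estimate (hypothetical input)."""
    limits = effective_limits(user, role, tenant)
    violations = []
    if window_s > limits.max_window_s:
        violations.append("time frame")
    if est_bytes > limits.max_bytes:
        violations.append("data volume")
    if est_runtime_s > limits.max_runtime_s:
        violations.append("run time")
    return violations


if __name__ == "__main__":
    # The intern's 1.2 TB, 72 hour query from the quote above trips all three controls.
    print(check_search("bob", "intern", 30 * DAY, 1200 * GB, 72 * HOUR))
    print(check_search("alice", "analyst", 1 * DAY, 1 * GB, 60))
```

Ordering the lookup as user, then role, then tenant ceiling is the point of the exercise: a per-user override can loosen a role default, but it can never exceed what the MSSP granted the tenant, which is what keeps one customer's analysts from starving another's.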

Domain Aware Reference Sets

In 7.2.8 we have started to extend our multi-tenancy support into our reference data collections. In this first phase, domain associations are added to reference sets. With this model, each reference set can contain items or lists of items that are associated with a particular domain and not accessible by any other domain in the system.
This enables MSSPs, or any organization that uses the Domain capabilities of QRadar, to provide independent collections of data to each.
Now, independent threat feeds or business context data, like identity information, can be introduced on a per tenant basis, without the risk of exposing that data to other users.
Reference Data Containers and Tenant Awareness

• In QRadar 7.2.8 we introduced the ability for tenants in a MT environment to view the reference data collections that have been created for them by their MSSP.

• QRadar 7.3 takes this a step further by expanding the Delegated Administration capabilities to include Manage Reference Data. When enabled, tenants can now manage and even create their own reference data collections, allowing them to bring in contextually relevant data that applies only to them (business data such as user information or even custom threat feeds or IOCs).
Tenant support for custom properties

• We have also extended tenancy into our custom property definitions with QRadar 7.3, providing tenants the ability to extract the data necessary for their use cases from events or flows, independent of other tenants or even the MSSP themselves.
• As a slight protection to the overall system, however, tenants cannot promote their custom properties to “optimized” (indexed) and require the support of the MSSP Administrator if this is necessary.
• The MSSP admins may want to monitor the use of custom properties being defined and used by their tenants and proactively mark them optimized to improve efficiency of searching, rules, etc.
A few other items…

• Per-tenant Data Sharding
• Behind the scenes, 7.2.8 brings per tenant data sharding to our backend Ariel data store. Without complicating MT configuration at all, Ariel will now automatically segregate the data from each tenant, providing full isolation and removing any co-mingling of client data.
The Offering: SIEM Capabilities of QRadar Delivered as a Service

Extensive data sources (collected through a Data Gateway): threat indicators, security devices, servers and mainframes, network and virtual activity, data activity, application activity, configuration information, vulnerabilities and threats, users and identities

The QRadar SIEM Value Proposition:
Ø Real time & historical correlation of assets, events, and vulnerabilities
Ø Advanced threat detection
Ø Configurable SOC and management dashboards
Ø Supports integrations of 450+ security & IT solutions
Ø Rapid time to value

Service Highlights:
Ø High Availability standard
Ø X-Force Threat Feed Integration
Ø No Log Source limitations
Ø No Appliance based Licensing
Ø 24/7 Health Monitoring
Ø System Management: upgrades, patches
Ø Supports Temporary EPS upgrades
35 IBM Security SHARED UNDER NDA


SIOC supports collecting data from On-Prem Cloud Platforms & Applications

§ Events Generated from on premise platforms and applications
§ Vulnerability Scan Data
§ Log and Service data from cloud based platforms and applications
– Ex. AWS, Akamai, Zscaler
– Office 365 will be supported in 2016
§ Consume all QRadar Supported log sources


Automated Threat Response

• Responses are simply scripted responses to a rule.
• They execute in a jailshell to protect QRadar from any form of exploit.
• Simple management screens allow for easy configuration and validation prior to being put into production.
Data Obfuscation – 3 Easy Steps…

1. Launch Data Obfuscation Management
2. Configure a data obfuscation profile
3. Configure each obfuscation expression
Search Performance – Super Indices

- We are now 8-10x faster across most searches*
Continuous improvement in search speed and functionality
Finding the threats, quickly…

• Continuous area of investment as data volumes grow and time pressure increases
• Multi-threading
• Enhanced index caching algorithms
• New time series index optimization
• New ‘on the wire’ compression
• Less bandwidth required
• New always on disk compression (7.2.7)
• Less I/O required
• New lazy search for IOC and needle in haystack hunting (7.2.7)
• AQL query support in UI and API
• X-Force and Reference data functions
• Custom functions

Chart on the slide: cold vs. warm searching of 1 TB of data on 1 xx28, a needle in haystack search returning 100’s of results in less than 1 second.


New Disk Compression*

• All new QRadar installations as of 7.2.7 and forward utilize our new, highly efficient compression mechanism for all stored data.

- No more compress/decompress cycles**
• Data is always compressed on disk and all decompression occurs in memory with no rewrite to disk.

- Up to 10X faster search
• Overall reduction in IO due to data always being compressed. This means searching on compressed data in 7.2.7 is even faster than uncompressed data in 7.2.6!

- Better overall system performance
• Reduced disk reads and writes and lower CPU load lead to more consistent system resource utilization with fewer spikes.
• Faster data rebalancing with Data nodes

- Simplifies retention planning
• Users no longer need to consider compression when setting up retention. In fact, the option is no longer even available. Users simply decide how long to keep data and when it can be deleted.

* 7.2.7 New Installs only. 7.3 will support upgrades
** 5-10% reduction in compression when compared with 7.2.6
Lazy Search

• Lazy Search is a new Quick Search capability introduced in QRadar 7.2.7 that is optimized for more tactical use cases such as threat hunting or IOC searching.

- Retrieves the first (up to) 1000 results matching the filter criteria and returns those immediately to the user along with a time series graph showing the distribution of the results over the search timeframe.
- Reduces impact on the deployment by restricting the search to just the indices and not the events/flows themselves. Reduces impact on the network by only returning a subset of the results until the analyst makes the decision that the entire result is necessary.

• Example: THE CISO Fire Drill

• The CISO for a large European bank is having his morning coffee while reading Limor Kessem’s GozNym blog post on securityintelligence.com. Startled, he drops everything and calls his SOC manager, demanding an immediate response about the presence of GozNym on their network.

• Our SOC manager turns to his most experienced analyst and relays the MD5 for which he needs a report… ASAP! Realizing this is a fire drill, our analyst understands that what is being asked is “have we seen this” so the organization can take appropriate action. Flipping to Quick Search and dropping in the provided MD5, within seconds the analyst has not only the (unfortunate) answer of “Yes”, but also a distribution over time that shows when the outbreak started.
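The fire-drill scenario, as an added example that is not IBM's or QRadar's code: a scan over a lightweight index that caps the rows it hands back but keeps counting every match per time bucket, so the analyst gets both the "have we seen this" answer and the outbreak start time from one cheap pass. The index rows, the timestamps and the MD5 value are constructed placeholders; the real search would run against Ariel indices, not a Python list.

```python
# Added example (not IBM's or QRadar's code): a "lazy" index scan in the spirit of
# Lazy Search. It reads only a lightweight index (not full events), stops collecting
# result rows after a cap, but still tallies the full time distribution.
from collections import Counter

HOUR = 3600
T0 = 1_700_000_000  # constructed epoch base for the sample index
PLACEHOLDER_MD5 = "0123456789abcdef0123456789abcdef"  # stands in for the IOC hash

# Constructed index rows: (timestamp, {"sourceip": ..., "md5": ...}), one per sighting.
SAMPLE_INDEX = [
    (T0 + 0 * HOUR + 120, {"sourceip": "10.0.0.5", "md5": PLACEHOLDER_MD5}),
    (T0 + 0 * HOUR + 900, {"sourceip": "10.0.0.6", "md5": "ffffffffffffffffffffffffffffffff"}),
    (T0 + 1 * HOUR + 10, {"sourceip": "10.0.0.7", "md5": PLACEHOLDER_MD5}),
    (T0 + 1 * HOUR + 50, {"sourceip": "10.0.0.8", "md5": PLACEHOLDER_MD5}),
    (T0 + 2 * HOUR + 5, {"sourceip": "10.0.0.9", "md5": PLACEHOLDER_MD5}),
    (T0 + 2 * HOUR + 6, {"sourceip": "10.0.0.10", "md5": PLACEHOLDER_MD5}),
    (T0 + 2 * HOUR + 7, {"sourceip": "10.0.0.11", "md5": PLACEHOLDER_MD5}),
    (T0 + 3 * HOUR + 1, {"sourceip": "10.0.0.12", "md5": PLACEHOLDER_MD5}),
]


def lazy_search(index, predicate, start, end, limit=1000, bucket_s=HOUR):
    """Scan index rows with start <= ts < end. Returns (first `limit` matches, histogram).
    The histogram counts every match per bucket even after the row cap is reached,
    which is what lets the time-series graph show the whole outbreak."""
    hits, hist = [], Counter()
    for ts, row in index:
        if not (start <= ts < end):
            continue
        if not predicate(row):
            continue
        bucket = start + ((ts - start) // bucket_s) * bucket_s
        hist[bucket] += 1
        if len(hits) < limit:          # rows beyond the cap are counted, not returned
            hits.append((ts, row))
    return hits, dict(sorted(hist.items()))


def hash_seen(index, md5, start, end, limit=1000):
    """The fire-drill question: have we seen this hash, and when did it start?"""
    hits, hist = lazy_search(index, lambda r: r["md5"] == md5, start, end, limit)
    return {
        "seen": bool(hist),
        "first_seen": min(hist) if hist else None,
        "total": sum(hist.values()),
        "returned": len(hits),
        "histogram": hist,
    }


if __name__ == "__main__":
    print(hash_seen(SAMPLE_INDEX, PLACEHOLDER_MD5, T0, T0 + 4 * HOUR, limit=3))
```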

Processing Performance Improvements

• A number of general performance improvements across various aspects of the platform are also included in 7.2.7

- Hardware Optimization
• QRadar auto tunes to the hardware platform and doesn’t simply match the platform to our xx05 or xx28 profile.
• QRadar can now leverage hardware even larger than our own xx28 platform

- Accumulator Global Views (GVs) Increased
• QRadar can now track up to 300 global views, up from the 130 prior to 7.2.6
• Directly translates to increased anomalous and behavioral threat detection capabilities

- Pipeline Stability and Performance
• Parsing and CRE now less sensitive to stalls in the pipeline
• 10% reduction in CPU load compared to 7.2.6
• Burst handling will no longer report false positives of event rate over license
Processing Performance Improvements

• A number of performance improvements across various parts of the platform are also included in 7.2.8!
- Assets & Vulnerabilities
• xx28 console now supports 1M assets out of the box with possible expansion to 3M with tuning (constraint: low number of vulnerabilities). Previously the maximum was 700K assets
• Supported asset limit no longer depends on HA. Prior to 7.2.8 there was a 50% reduction in the number of assets that could be supported when deployed in HA
• Assets UI query performance is up to 35 times faster. Large dataset UI wait time went from minutes to <10 seconds.
• Manage Vulnerabilities UI query performance is ~2 times faster

- Event/Flow Processing
• Updates to make our usage of the underlying platform more efficient
• Improvements in burst handling, significantly increasing the amount of data we can flood to disk

- Storage efficiency
• ~5% less disk space per event required

- Infrastructure
• Reference data – Efficiency improvements
“Drop” Events before license

• 7.2.6 introduces a license credit for data that is dropped using routing rules. Effectively, users can drop some portion of data that they deem to have little or no value, with these events having a lower usage impact on their EPS license. Data dropped in this fashion will be credited back at 60% to a maximum of 2K EPS.

• Additionally, with this enhancement we have also added a 100% credit back for all system events (system, audit, etc).

• The “credit” is applied on a per second interval, meaning that any credit computed over a 1 second interval will be applied during the next second.
- For example, on a system licensed to 10000EPS, if 50EPS of system traffic is collected over 1 second, this will result in an overall license rate of 10050EPS the next second.
- But on that same system, if there is 1000EPS of traffic being dropped because of a routing rule, then the overall license rate for the next second will be 10600EPS.
- However, if there is 4000EPS of traffic being dropped due to routing, then the EPS credit will top off at 2000EPS (60% of 4000 = 2400, which is > 2000), resulting in an effective license rate of 12000EPS the next second.
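The credit arithmetic from the three bullets above, as an added example (not IBM's or QRadar's code), so the 60% ratio, the 2K EPS cap and the one-second lag can be checked against the stated numbers. The 60% ratio, 2000 EPS cap and 100% system-event credit are the figures given on this slide; the per-second interval list fed to simulate is constructed.

```python
# Added example (not IBM's or QRadar's code): models the per-second EPS license
# credit for routing-rule drops and system events, using the figures stated above.

DROP_CREDIT_RATIO = 0.60     # 60% of EPS dropped by routing rules is credited back
DROP_CREDIT_CAP_EPS = 2000   # up to a maximum of 2K EPS
SYSTEM_CREDIT_RATIO = 1.0    # system/audit events are credited back at 100%


def drop_credit(dropped_eps):
    """Credit earned in one 1-second interval for events dropped by routing rules."""
    if dropped_eps < 0:
        raise ValueError("dropped_eps must be non-negative")
    return min(dropped_eps * DROP_CREDIT_RATIO, DROP_CREDIT_CAP_EPS)


def system_credit(system_eps):
    """Credit earned in one 1-second interval for system events (no cap stated)."""
    if system_eps < 0:
        raise ValueError("system_eps must be non-negative")
    return system_eps * SYSTEM_CREDIT_RATIO


def next_second_license_rate(licensed_eps, system_eps=0.0, dropped_eps=0.0):
    """Effective license rate applied in the *next* second: the credit computed
    over this second is added to the base licensed EPS."""
    return licensed_eps + system_credit(system_eps) + drop_credit(dropped_eps)


def simulate(licensed_eps, intervals):
    """intervals: per-second list of (system_eps, dropped_eps). Returns the effective
    license rate in force during each second, starting with second 0 (no credit yet)."""
    rates = [float(licensed_eps)]
    for system_eps, dropped_eps in intervals:
        rates.append(next_second_license_rate(licensed_eps, system_eps, dropped_eps))
    return rates


if __name__ == "__main__":
    # The three worked cases from the slide, on a 10000 EPS license.
    print(next_second_license_rate(10000, system_eps=50))        # 10050.0
    print(next_second_license_rate(10000, dropped_eps=1000))     # 10600.0
    print(next_second_license_rate(10000, dropped_eps=4000))     # 12000.0 (capped)
    # A constructed burst: 50 EPS system, then 1000 dropped, then 4000 dropped.
    print(simulate(10000, [(50, 0), (0, 1000), (0, 4000)]))
```

The one-second lag matters operationally: a credit is only ever applied to the following second, so a single burst of dropped traffic cannot retroactively excuse an over-license reading in the second it occurred.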

Per Log Source EPS Reporting

• Log Source EPS Reporting lists the average EPS for each log source on both the Log Source screen and in our Log Source reports, allowing users/administrators to quickly identify “noisy” or “expensive” log sources as well as highlight potential configuration issues with log sources that are failing to report.
Say Goodbye to many complex steps with our new DSM Editor

Unknown events? No Problem!
Want a different user name? No Problem!

7.2.8 introduces a new streamlined user experience aimed at rapid data ingestion and capabilities to modify existing parsing as necessary.
No more XML file editing, “wait and see” debugging, or back-end scripts to extend the QID map.
Our new DSM Editor removes all of these frustrations by unifying the entire process in a single UI:
• Field Extraction
• Custom Property Definition
• Event Categorization
• New QID Definition
AQL Enhancements

• General AQL Additions
- strpos – returns the position of a string inside another string
- regex_replace – performs an inline string replacement using a regex as the search condition

• New statistical functions to broaden outlier detection
- first – returns the first instance of the specified column
- last – returns the last instance of the specified column
- stddev – returns the Sample Standard Deviation
- stddevp – returns the Population Standard Deviation

* Please refer to our advanced search deck for use cases
AQL Enhancements – Conditional Logic

• Two forms of conditional logic grammar have been added to AQL in 7.2.7, IF/THEN/ELSE and CASE
- The first form, IF/THEN/ELSE, allows users to perform simple conditional evaluation based on the condition contained within the IF.
• Example: A user wants to query the user associated with all events but realizes that the events may not contain the necessary user information, so they decide to leverage the Asset database to fill in the gaps if possible.

select sourceip, if username is NULL then ASSETUSER(sourceip) else username as username from events group by username last 2 DAYS

- The second form, CASE, allows users to perform similar logic to IF/THEN/ELSE except with more conditional comparisons.
• Example: A user may want to expand the response code from a set of BlueCoat Proxy Logs

select case "BCResponseCode" when 200 then 'OK' when 404 then 'Not Found' when 401 then 'Not Authorized' else 'N/A' end from events where LOGSOURCETYPENAME(devicetype) ilike '%bluecoat%' last 2 days

• See Conditional logic in AQL queries for more information.
AQL Enhancements – Sub Select (Nested Queries)

• 7.2.8 introduces the concept of sub-select or “nested queries”. With this technique for building queries, the user breaks up more complex concepts into pieces and then combines these simple fragments into larger queries.

For example, an organization wants to track all internal hosts that have communicated with hosts that themselves interact with high risk entities (possible patient 0 hosts): tracking internal hosts that are communicating with potential Patient 0 hosts (hosts that have interacted with known high risk entities). The diagram on the slide shows (1) the initial contact of a potential Patient 0 host with a malicious C&C server and (2) the subsequent risky contact between internal hosts and Patient 0.

Step 1: Locate all potential Patient 0 hosts within the organization’s network

select sourceip from events where eventdirection = 'L2R' and REFERENCESETCONTAINS('CriticalWatchList', destinationip) group by sourceip

Step 2: Locate all internal hosts that have communicated with Patient 0

select sourceip as "Risky Hosts" from events where destinationip in ( select sourceip from events where eventdirection = 'L2R' and REFERENCESETCONTAINS('CriticalWatchList', destinationip) group by sourceip ) group by sourceip last 24 hours

• See Conditional logic in AQL queries for more information.
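The two-step query above, evaluated in Python over a constructed event list as an added example (not IBM's or QRadar's code), so the Patient 0 set and the "Risky Hosts" it feeds can be checked by hand. The watch list contents, the events and their timestamps are constructed; the field names mirror the AQL columns used in the query, and a small reference_set_contains helper stands in for REFERENCESETCONTAINS.

```python
# Added example (not IBM's or QRadar's code): evaluates the nested Patient 0 query
# over constructed events. Field names mirror the AQL columns (sourceip,
# destinationip, eventdirection, starttime).

HOUR = 3600
NOW = 1_700_000_000  # constructed "current time" for the LAST 24 HOURS window

# Constructed stand-in for the 'CriticalWatchList' reference set (known high risk entities)
CRITICAL_WATCH_LIST = {"203.0.113.5", "198.51.100.77"}

# Constructed events. Directions: L2R = local to remote, L2L = local to local, R2R = remote to remote.
EVENTS = [
    {"starttime": NOW - 20 * HOUR, "sourceip": "10.1.1.10", "destinationip": "203.0.113.5", "eventdirection": "L2R"},
    {"starttime": NOW - 18 * HOUR, "sourceip": "10.1.1.20", "destinationip": "198.51.100.77", "eventdirection": "L2R"},
    {"starttime": NOW - 10 * HOUR, "sourceip": "10.1.1.30", "destinationip": "10.1.1.10", "eventdirection": "L2L"},
    {"starttime": NOW - 9 * HOUR, "sourceip": "10.1.1.40", "destinationip": "10.1.1.20", "eventdirection": "L2L"},
    {"starttime": NOW - 30 * HOUR, "sourceip": "10.1.1.50", "destinationip": "10.1.1.10", "eventdirection": "L2L"},  # older than 24h
    {"starttime": NOW - 2 * HOUR, "sourceip": "10.1.1.60", "destinationip": "10.1.1.99", "eventdirection": "L2L"},   # benign peer
    {"starttime": NOW - 1 * HOUR, "sourceip": "192.0.2.9", "destinationip": "203.0.113.5", "eventdirection": "R2R"},  # not L2R
]


def reference_set_contains(refset, value):
    """Stands in for AQL's REFERENCESETCONTAINS(name, value)."""
    return value in refset


def patient_zero_hosts(events, watchlist):
    """Step 1 / inner query:
    SELECT sourceip FROM events WHERE eventdirection = 'L2R'
    AND REFERENCESETCONTAINS('CriticalWatchList', destinationip) GROUP BY sourceip
    GROUP BY collapses repeats, hence a set."""
    return {e["sourceip"] for e in events
            if e["eventdirection"] == "L2R"
            and reference_set_contains(watchlist, e["destinationip"])}


def risky_hosts(events, watchlist, now=NOW, hours=24):
    """Step 2 / outer query:
    SELECT sourceip AS "Risky Hosts" FROM events WHERE destinationip IN (<step 1>)
    GROUP BY sourceip LAST 24 HOURS
    The sub-select is evaluated once and reused as a membership set; the time
    window applies to the outer query, as the AQL is written."""
    p0 = patient_zero_hosts(events, watchlist)
    cutoff = now - hours * HOUR
    return {e["sourceip"] for e in events
            if e["starttime"] >= cutoff and e["destinationip"] in p0}


if __name__ == "__main__":
    print("Patient 0:", sorted(patient_zero_hosts(EVENTS, CRITICAL_WATCH_LIST)))
    print("Risky Hosts (24h):", sorted(risky_hosts(EVENTS, CRITICAL_WATCH_LIST)))
```

Note what the direction filter buys: the remote-to-remote row that also touches the watch list is ignored by Step 1, so only local hosts that reached out to a listed entity are treated as Patient 0 candidates.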

AQL Support for Bitwise Operators

In 7.3 we have introduced a complete set of bitwise operators that can be used to manipulate any integer type values in AQL.
New operators include:
• AND (&)
• OR (|)
• XOR (#)
• NOT (~)
• LEFT SHIFT (<<)
• RIGHT SHIFT (>>)
• ZERO-FILL RIGHT SHIFT (>>>)
The bitwise operators are useful when this low level manipulation is necessary or desired.
For example, to search for specific device types whose last octet in a source IP address ends in 100, such as x.y.z.100, you can simply use the following query (the alias has to be a single identifier, long_ip, because it is reused in the WHERE clause):

SELECT LONG(sourceip) AS long_ip, sourceip FROM events INTO my_cursor
WHERE (long_ip & 0x000000ff) = 0x00000064
GROUP BY long_ip ORDER BY long_ip
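The mask technique from the query above, carried out in Python as an added example (not IBM's or QRadar's code) and generalised to any octet position with a shift and an 8-bit mask. The event rows are constructed; ip_to_long reproduces the numeric form LONG(sourceip) yields, a big-endian 32-bit integer, which is the assumption the mask 0x000000ff relies on.

```python
# Added example (not IBM's or QRadar's code): the LONG(sourceip) & mask technique
# in Python, generalised to any octet via shift-and-mask. Events are constructed.
import ipaddress

# Constructed events; only sourceip matters for this query
SAMPLE_EVENTS = [
    {"sourceip": "192.168.1.100"},
    {"sourceip": "10.0.0.100"},
    {"sourceip": "192.168.1.7"},
    {"sourceip": "10.0.0.100"},     # duplicate, collapsed by GROUP BY
    {"sourceip": "172.16.2.100"},
    {"sourceip": "172.16.2.200"},
]


def ip_to_long(ip):
    """Same numeric form AQL's LONG(sourceip) yields: the dotted quad as a
    big-endian 32-bit integer, e.g. 10.0.0.100 -> 10*2**24 + 100."""
    return int(ipaddress.IPv4Address(ip))


def octet(ip_long, position):
    """Extract octet 0..3 (0 = leftmost) with a right shift and an 8-bit mask;
    position 3 is exactly the (long_ip & 0x000000ff) expression in the AQL query."""
    if not 0 <= position <= 3:
        raise ValueError("octet position must be 0..3")
    return (ip_long >> (8 * (3 - position))) & 0xFF


def select_by_last_octet(events, value=0x64):
    """Equivalent of: SELECT LONG(sourceip) AS long_ip, sourceip FROM events
    WHERE (long_ip & 0x000000ff) = value GROUP BY long_ip ORDER BY long_ip.
    Returns [(long_ip, sourceip), ...] sorted by long_ip (0x64 == 100)."""
    grouped = {}
    for e in events:
        long_ip = ip_to_long(e["sourceip"])
        if (long_ip & 0x000000FF) == value:
            grouped[long_ip] = e["sourceip"]
    return [(long_ip, grouped[long_ip]) for long_ip in sorted(grouped)]


def select_by_octet(events, position, value):
    """Generalisation: match any octet position, e.g. position 0 == 172 picks
    every 172.x.x.x source without string matching on the address."""
    grouped = {}
    for e in events:
        long_ip = ip_to_long(e["sourceip"])
        if octet(long_ip, position) == value:
            grouped[long_ip] = e["sourceip"]
    return [(long_ip, grouped[long_ip]) for long_ip in sorted(grouped)]


if __name__ == "__main__":
    print(select_by_last_octet(SAMPLE_EVENTS))
    print(select_by_octet(SAMPLE_EVENTS, 0, 172))
```

Ordering by long_ip rather than by the dotted string is what makes the result come back in true numeric address order, which is the reason the query aliases the integer form rather than sorting on sourceip.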

Other news

• Historical correlation
• New CRE tests
- AQL test
- Compare 2 properties
• Deployment editor R.I.P.
• Data dependency
• Notifications
• User Deletion – Content Reassignment
• UI enhancements
- Surfaces
- Right-Click filters
- Custom columns
• Multiple e-mail templates
• Reference Sets/Data
- Expiration notifications
- Remove reference data
• Offenses
- Offense index - any property
- Offense assignment – more info
• X-Force included
• Flexible licensing
- License pool management
• HA enhancements
• LVM
• Bye Bye more activation keys
Section:
Available Products to highlight
IBM #QRADAR

Carmen Ces & Emilio Andrés


IBM Security Intelligence Technical Sales
User Behavior Analytics
DETECTING INSIDER THREAT AND RISKS
Increasing attacks, shortage of skills and growing insider threats

Too Many Tools: 85 security tools from 45 vendors
Increasing Attack Activity: 64% more security incidents from 2014-2015; 100’s of incidents and events daily
Growing Insider Risk: 43% insider data breaches; 65% perpetrators take data and go work for competitors
Too Few People: 37% annual increase for InfoSec analysts; 1M anticipated shortfall by 2020
Design principles for IBM QRadar UBA

• Simplify the overly complex security operations
• Deliver faster time to insights and actions
• Streamline investigation of offences
• Consistent visibility in users, assets and threats
• Improve analyst productivity
QRadar User Behavior Analytics

• IDENTIFY AT RISK USERS: Account takeover, disgruntled employees, malware actions
• STREAMLINED INCIDENT INVESTIGATIONS: Immediate insights into risky user behaviors, action and activity history
• OUT OF THE BOX ANALYTICS: Analyses dozens of user actions using behavioral baselines and anomaly analytics
• FAST TIME TO VALUE: Deploys in minutes from the IBM App Exchange and leverages existing QRadar data sets immediately

Building blocks: Behavioral profiling, Predictive analytics, Business context, Threat Intelligence
SOC analysts need help sensing behavioral deviations over time

• Account accessing more high value assets than normal
• More data being transferred than normal to and from servers and / or external locations
• Privileged account accessing high-value servers from a new location for the first time
• Account used for the first time in a long time
• Rare privilege escalation
• Accounts being used from peculiar locations
• User involved in previously malicious or threatening behavior
• User an outlier within their peer group
• Clustering group changes

Figure: Large Window (5 Hours, 2% of time application was active) vs. Small Window (1 Hour, 4% Activity): 100% increase in activity. Second panel: Large Window vs. Small Window showing new activity.
User Behavior Analysis (UBA)

UBA Scenarios
• Cloud server connection: User connects to a cloud server or a personal account on Box and tries to upload a sensitive file
• Access high-value assets: User starts accessing and downloading high-value assets with increased frequency
• Usage changes over time: User activity deviates from normal over a short period of time or a gradual change over an extended period of time

Figure (mind map of UBA scenarios): Frequency of privilege revocation rates; Increase in data transferred to file sharing; User login time / space disagreements; User is an outlier within their peer group; First time access of high-value systems; First time network access or first-time usage; Using rarely used privileges; Usage of an account changes significantly over time; Users accessing infrastructure from an unusual location; Communicating with malicious sources on the internet; User account accessing more data from high-value systems than normal; Account usage at unusual times; Entitlement anomaly or user role change; Higher than normal high-value assets or server access; User HR risk score or flight risk; Excessive, suspicious http activity; Change in account privileges.
Compromised credentials or malware detection

UBA Scenarios
• Assess frequency of assets: User's volume of activity suddenly spikes or access to number of assets increases rapidly
• Usage deviates from peer group: User pattern of activity starts deviating from the peer group
• Change in account privileges: User attempts to change privileges on existing account or open new accounts on other systems

Figure (mind map of UBA scenarios): Access frequency of an account; Usage frequency of an account; Usage of a canceled, suspended or blocked user; Login failures; Abnormal privilege change in account usage / behavior; Access VPN account from unusual location or times; Using rarely used privileges; Excessive, suspicious http activity; Account usage deviating from peer groups; Users accessing infrastructure from unusual location; Internet communication with malicious sources; Account usage at unusual times; Dormant account accessing important assets; Logins from multiple devices, multiple places; Higher than normal high-value assets or server access; Change in account privileges; Accessing from a jump server or a Tor server; Detect unmanaged accounts.
Monitor intellectual property

UBA Scenarios
• Application misuse by sequence of actions: User performs a sequence of actions which no other user is performing
• Sensitive data leakage: User manipulates http request / response parameter to download sensitive data
• Application misuse by malware or bots: A bot or malware attacks an application or accesses sensitive data

Figure (mind map of UBA scenarios): Application misuse by invalid sequence of actions; Anomaly in activity in an application; Application misuse – HTTP request; Anomaly in accessing applications; Dormant account accessing important assets; Abnormal asset access from a specific device; Application misuse – session replaced; Application misuse – sequence; Remote mining; Access hole in corporate firewall; Device is used in a recent offense; Application misuse – response parameters; Exfiltration of data; Large data movements; Monitor high value assets; Device type change.
Increase Analysts’ productivity

UBA Scenarios
• Dynamic adjustment of risk scores by specific criteria: Dynamically adjust the risk score of rules when triggered against particular user or users
• Activate rules for a specific condition or time: Activate a rule for a set of users until a specified condition or specified time window
• Integrate UBA panels into QRadar dashboard: Monitor desired elements of users’ behaviors, risks and trends from a single screen

Figure (mind map of UBA capabilities): Interface to quickly add new data, log sources; Add users to various watch lists; Multiple watch lists; Ability to customize dashboard; Add notes and alerts by user or groups; Activate rules for a specified period or condition; Peer group profiles and trends; Integrate UBA panels in QRadar dashboard; UI to quickly create rules for custom use cases; Adjust user score manually or override system; Modify risk rating of user based on specific condition; What-if simulation of policy changes or actions; Dynamic adjustment to risk score of users; Auto discovery and classification of Assets; Auto discovery and classification of Users; Guidance to optimize, reduce risks.
IBM QRadar UBA 2.0

§ Machine Learning algorithms
§ Flow based use cases that leverage QNI
IBM QRadar UBA: Detecting anomalous deviations

§ Monitor users on deviation from normal behavior:
  • 14 different event categories of QRadar
  • temporal analysis
  • time series analysis
§ Predict range in which the users’ activities should fall
§ Example anomalous activities detected by these algorithms are:
  • Abnormal change in user activity (over time)
  • Abnormal change in user’s authentication or access activity
  • Deviation from normal risk posture of the user
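The large-window / small-window activity comparison from the earlier "sensing behavioral deviations" slide and the predicted activity range described here, as an added example in Python. This is not IBM's UBA implementation; the window sizes, the 1-minute activity bucket, the mean ± 2σ range and the constructed sample data are assumptions.

```python
"""Two UBA-style deviation checks (added example, not IBM's UBA code):
(1) compare the share of time an account was active in a small recent window
    against the larger window that precedes it;
(2) predict, from a per-user daily time series, the range the next day's
    activity should fall in and flag days outside it.
"""
from datetime import datetime, timedelta
from statistics import mean, pstdev


def active_fraction(timestamps, window_start, window_end, bucket=timedelta(minutes=1)):
    """Fraction of `bucket`-sized slots in [window_start, window_end) that contain
    at least one event, i.e. the share of time the account was active."""
    slots = int((window_end - window_start) / bucket)
    if slots <= 0:
        return 0.0
    active = {int((t - window_start) / bucket)
              for t in timestamps if window_start <= t < window_end}
    return len(active) / slots


def activity_change(timestamps, now, large=timedelta(hours=5), small=timedelta(hours=1)):
    """Compare the small window ending at `now` with the large window preceding it.
    Returns (large_fraction, small_fraction, percent_change); percent_change is None
    when the large window had no activity, so there is nothing to compare against."""
    small_start = now - small
    large_start = small_start - large
    large_frac = active_fraction(timestamps, large_start, small_start)
    small_frac = active_fraction(timestamps, small_start, now)
    if large_frac == 0:
        return large_frac, small_frac, None
    return large_frac, small_frac, (small_frac - large_frac) / large_frac * 100.0


def predicted_range(history, k=2.0):
    """Range a user's next daily count is expected to fall in: mean +/- k population
    standard deviations of the recent history (floored at zero: counts are not negative)."""
    mu, sigma = mean(history), pstdev(history)
    return max(0.0, mu - k * sigma), mu + k * sigma


def baseline_deviations(daily_counts, baseline_days=7, k=2.0):
    """Walk a per-user series of daily event counts and flag each day whose count
    falls outside the range predicted from the preceding `baseline_days` days."""
    flagged = []
    for day in range(baseline_days, len(daily_counts)):
        low, high = predicted_range(daily_counts[day - baseline_days:day], k)
        if not low <= daily_counts[day] <= high:
            flagged.append((day, daily_counts[day], round(low, 2), round(high, 2)))
    return flagged


# Constructed sample (not real data): minute offsets from 06:00 at which one account
# produced an event. 15 active minutes spread over 06:00-11:00, then 6 active minutes
# in the last hour before 12:00, so the account is active twice as often as before.
_START = datetime(2017, 7, 10, 6, 0)
SAMPLE_TIMESTAMPS = [_START + timedelta(minutes=m)
                     for m in list(range(0, 300, 20)) + list(range(300, 360, 10))]
SAMPLE_NOW = _START + timedelta(hours=6)

# Constructed sample: one user's daily authentication counts; index 8 is a spike.
SAMPLE_DAILY_COUNTS = [10, 12, 11, 9, 10, 13, 11, 12, 40, 10]


if __name__ == "__main__":
    large, small, change = activity_change(SAMPLE_TIMESTAMPS, SAMPLE_NOW)
    print(f"large window active {large:.0%}, small window active {small:.0%}, "
          f"change {change:+.0f}%")
    for day, count, low, high in baseline_deviations(SAMPLE_DAILY_COUNTS):
        print(f"day {day}: {count} events, outside predicted range [{low}, {high}]")
```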
IBM QRadar UBA: Machine Learning algorithms

Figure: “Deviations from normal behavior”
Integrated view helps you see before you can stop insider threats

App Exchange | X-Force Exchange

SECURITY OPERATIONS AND RESPONSE: BigFix; Network Protection XGS; QRadar Incident Forensics; QRadar SIEM; i2 Enterprise Insight Analysis; Trusteer Pinpoint; QRadar Vulnerability / Risk Manager; Resilient Incident Response; MaaS360; Trusteer Mobile; QRadar User Behavior Analytics; Trusteer Rapport

INFORMATION RISK AND PROTECTION: Guardium; Identity Governance and Access; Key Manager; Privileged Identity Manager; AppScan; Cloud Identity Service; zSecure; Cloud Security

SECURITY TRANSFORMATION SERVICES: Management consulting | Systems integration | Managed security
Example - Extending UBA with Flow data

• Detect flow based anomalies
  • Accessing non-business resources
  • Accessing unauthorized resources
  • Potential spam/phishing attempts
  • Detecting malware infection
  • Accessing sensitive personal information
  • Out of policy web usage
• Detect DNS anomalies
  • DGA
  • Fastflux
  • Tunneling and exfiltration
• End-point infection analytics
Example - Extending QVM/QRM with UBA data

• Prioritize Vulnerabilities based on user risk
  • Scanning Assets of users above risk thresholds
• Degrees of separation to critical assets or information for risk management
• Add, modify rules on IPS side to block at user level if user is phished
• Augment asset risk based on user risk
• Monitor possible attack vectors for Risky users
Integrated workflow to act on insider threats

QRadar Analytics Platform: User behavior analysis; Sense Analytics™; Continuous security analytics; Improved security process and threat detection

Resilient Incident Response Platform: Security incident triage and remediation; Security Incident Knowledge base; Incident Report and Notify

EXTENSIVE DATA SOURCES: Security devices; Servers and mainframes; Network and virtual activity; Data activity; Application activity; Configuration information; Vulnerabilities and threats; Users and identities; Global threat intelligence
Advantages of an integrated UBA app

• Complete visibility across on-premise and cloud infrastructure
• Avoids reloading and curating data, expediting time to insights
• Leverages log and real-time flow data into the analytics
• Efficient resolution of offenses with integration of workflow system
• Out-of-the-box analytic models that leverage and extend the security operations platform
• Easily extend to third-party analytic models
• Leverage UBA insights in other Apps
SOC analysts gain speed from user behavior analytics
…in the hunt to reduce risks and eliminate threats

Easily find malicious behavior
§ Detect threats across users and assets leveraging advanced analytics with behavioral patterns
§ Tap into broad set of internal data sources and threat intelligence

Easily acquire, deploy and use
§ Visibility into the risk posture within hours not days
§ Download app and install quickly

Improve analyst efficiency
§ Identify risky users, behavior and offences in minutes not hours
§ Reduce overhead on skills and time
UBA 2.0 with Machine Learning - https://www.youtube.com/watch?v=RgF1RztR1yg
(Old) UBA 1.1 - https://www.youtube.com/watch?v=1udzWWvBhMI&list=PLHh9jhztlMyokc0Snr9orpkNt4RTwd60T

User Behaviour Analytics 2.0 with Machine Learning
QRadar Network Insight

The New QRadar Network Insights 1901 Appliance
http://w3.tap.ibm.com/medialibrary/media_view?id=404767
Taking flow analysis to the next level

Incident Detection
• QFlow provides all the benefits of network flows but will also recognize layer 7 applications and allows you to capture the beginning of the conversation
• QRadar Network Insights will also let you know if suspect items or topics of interest were discussed at any time during the conversation

Incident Response
• QRadar Incident Forensics and Network Packet Capture will capture, reconstruct and replay the entire conversation

“A network flow is, in essence, a record of a given conversation between two hosts on a network… this information is much like a phone bill: you can't tell what was said during the conversation, but you can use it to prove who talked to who” – SANS Institute
Flow options

Columns: Network flow from routers/switches | QFlow Collector software | XGS appliance | QRadar Network Insights appliance

Includes basic network traffic info | Yes | Yes | Yes | Yes
Includes application info | No | Yes | Yes | Yes
Includes user info | No | No | Yes | Yes
Includes deep content visibility | No | No | No | Yes
Includes attack/exploit identification | No | No | Yes | No
Can inspect SSL traffic | No | No | Inbound and outbound (with keys) | Inbound and outbound
Can block traffic | No | No | Yes | No
Deployment modes | TAP / SPAN port | TAP / SPAN port | TAP / SPAN port or in-line | TAP / SPAN port
Speed | Varies | Depends on underlying hardware used | 400 Mbps – 25 Gbps | 3.5 Gbps–10 Gbps per appliance; stackable

IBM AND BP INTERNAL USE ONLY
Providing complete coverage and threat detection

Figure: Endpoint, Network and Cloud traffic pass through a Network Tap into QRadar Network Insights and QRadar Network Packet Capture; QRadar Processors perform Incident Detection & Qualification, and QRadar Incident Forensics performs Root Cause Analysis.
Metadata extraction and threat hunting with QRadar Network Insights

Bringing visibility to today’s cyber security challenges

• Real-time analysis of network traffic
• Session reconstruction and application analysis
• Extraction of key metadata and content
• Full payload and application content analysis
• Intrinsic Suspect Content detection
QRadar QNI – Leaving nowhere to hide

Inspection levels: BASIC, ENRICHED, ADVANCED

Answering the important questions
• Who is talking to who?
• What files and data are being exchanged?
• Do they look malicious?
• Do they contain any important or sensitive data?
• Is this malicious application use?
• Is this new threat on my network?
• If so, where is it and what did it do?
High Value Threat Detection and Compliance Use Cases

• Malware Detection & Analysis: Observe and analyze artifacts – names, properties, movement, suspect content
• Lateral Movement Attack Detection: Trace anomalous communications - recon, data transfers, rogue/malicious actors
• Phishing Email & Campaign Detection: Pre-empt and react to malicious emails by analyzing sources, targets, subject, and content
• Data Exfiltration Prevention: Identify and track files – DNS anomalies, sensitive content, aberrant connections, aliases
• Insider Threats: Recognize high-risk users – targets for phishing, negative sentiment, suspicious behaviors
• Identify Compliance Gaps: Continuous monitoring of enterprise, industry and regulatory policy compliance

Threat Hunting by leveraging STIX-TAXII
Feed QRadar User Behaviour Analytics with network data

• Detect flow based anomalies
  • Accessing non-business resources
  • Accessing unauthorized resources
  • Potential spam/phishing attempts
  • Detecting malware infection
  • Accessing sensitive personal information
  • Out of policy web usage
• Detect DNS anomalies
  • DGA
  • Fastflux
  • Tunneling and exfiltration
• End-point infection analytics
Phishing and Spam

Phishing works
“95 percent of all attacks on enterprise networks are the result of successful spear phishing.” - SANS Institute

Detect phishing e-mails before the users have a chance to open them
Detect and extract suspicious e-mail subject lines, content and attachments helping QRadar detect attacks before users access their inbox.

Someone fell for it… again
Quickly determine who was phished, how they responded, and who is compromised.

Figure (BASIC / ENRICHED / ADVANCED tiers): E-mail subject lines; Email field analysis; Embedded scripts in attachments; Invalid certificate detection; Anomalous DNS lookups; Hunting for others who received the e-mail.
Malware detection

Malware is pervasive
“Every four seconds, a new strand of malware is born.” - lookingglasscyber.com

No file goes unnoticed
QRadar Network Insights knows the details of every file; from the file name, type, embedded scripts and file hash to where it came from and where it was sent. With QRadar and Threat Intelligence from X-Force Exchange, it becomes clear when malware has evaded detection.

Figure (BASIC / ENRICHED / ADVANCED tiers): File type mismatch; Suspect content detection; Embedded script detection; DNS system abuse; File hash threat intelligence correlation; Talking with malicious sources; Hunting for where it went; Pluggable malware signatures.
Data exfiltration

Secrets being exposed
“50% of organizations believe they have regular confidential data leakage” - Enterprise Management Associates

My proprietary data was posted where?!?
Uncover sensitive data leaving the network via e-mail, chat messages, files or social media in real time. Knowledge of these transfers helps QRadar differentiate authorized vs. unauthorized actions, speeding incident response.

Figure (BASIC / ENRICHED / ADVANCED tiers): Detect PI data in flight; Detect credit card data; Detect watermarks and confidential branding; Abnormal DNS payload; Excessive file transfers; Other suspect file properties; Capture content; What user IDs were used; Where did the file go; Hunting for what else was exfiltrated.
Find Insider Threats

Exposure to Insider Risk
“55% of all attacks were carried out by malicious insiders or inadvertent inside actors.” - IBM 2015 Cyber Security Intelligence Index
“Insider risk can be more than a threat to IT systems or data loss – it can result in physical harm or sabotage.” - Carnegie Mellon SEI

Enhances QRadar/UBA for unique insider threat detection
Identify unapproved web browsing or searches, recognize access of risky or suspicious domains, trace activities following anomalous behaviors, resolve aliases and privileged identities triggered by suspicious content, seamlessly feeding QRadar UBA.

Figure (BASIC / ENRICHED / ADVANCED tiers): E-mail subject lines; Email content; Web site content; PI data detection; Anomalous DNS queries; Abnormal Internet-bound data transfer; Who is talking to whom; Interaction with malicious sources; Crown jewel comms.
Zero-day threat detection

The rate of new Zero-Day threats is increasing
“Zero-Day Discoveries A Once-A-Week Habit” - Dark Reading

Detect what others miss
Traditional means of detection and prevention may be blind to new zero-day attacks, but QRadar Network Insights can help identify the symptoms to enable timely detection and remediation.

Figure (BASIC / ENRICHED / ADVANCED tiers): IP Reputation; HTTP headers; DNS Beaconing; New Application Connections; Flow Duration; Baseline normal behavior.
1920 & 1901 Performance summary and deployment guidance
QNI provides deeper analysis of network data to extend QRadar’s detection capabilities

Appliance form factor architected to maximize performance and minimize costs for QRadar Network Insights deployments
• Hardware configuration optimized to reduce costs and facilitate in-memory processing
• 10G connectivity with 4 ports available
• Configurable flow forwarding capability enables load-balancing across multiple appliances (1920)

SETTING | 1920 PERFORMANCE | 1901 PERFORMANCE
BASIC | 10 Gbps | 4 Gbps
ENRICHED | ~10 Gbps (a) | ~4 Gbps (a)
ADVANCED | ~3.5 Gbps (b) | ~1.75 Gbps

(a) Performance will vary depending on QRadar Network Insights setting, search / extraction criteria and network data
(b) 10Gbps performance achievable with multiple appliances

IBM AND BP INTERNAL USE ONLY
Capability summary

• Unparalleled real time visibility covering blind spots and complexities in log data and revealing previously hidden threats, and malicious behaviors
• Enables far greater and easier attack visibility from malware infiltration, lateral movement and data exfiltration within an organization
• Tightly integrated with QRadar Incident Forensics for post incident investigations and threat hunting activities
• Seamless integration across the QRadar platform:
  ̶ Extends QRadar flow capabilities
  ̶ QNI analysis fuels QRadar capabilities, content and Apps
  ̶ Derives sense events for User Behavior Analytics for improved insider risk assessments
• Scalable to meet any analytics demands
Resilient

IR challenges: what we hear most often
• Skills shortage
• Too many alerts, not enough time or resources
• Unrefined IR processes and communication
• Confusing regulatory landscape

Resilient is changing the game
PRODUCTS: PREVENTION | DETECTION | RESPONSE
SERVICES

Resilient Incident Response Platform
Resilient use case: Fusion center

Figure: Inputs/Escalation (IT Help Desk, App Logs, F/W Logs, DHCP Logs, …) feed RESILIENT’S INCIDENT RESPONSE PLATFORM (ACTION MODULE), which drives MANUALLY INVOKED REMEDIATION (Forensics, Identity Management, Endpoint Security), MANUALLY INVOKED ENRICHMENT and AUTOMATIC ENRICHMENT (Threat Data, Malware, Vulnerability Management, Web Gateway, Passive DNS).

Demo
QRadar Advisor with Watson
BRINGING THE POWER OF COGNITIVE SECURITY TO THE SECURITY ANALYST

“There is a massive amount of noise out there; the human brain can’t process everything on a day-to-day basis. We need something to help, something like AI or cognitive technologies.”
Chad Holmes – Principal and Cyber-Strategy, Technology and Growth Leader (CTO) at Ernst & Young LLP
Is this really sustainable?

Quick Insights: Current Security Status (Threats, Alerts, Available analysts, Needed knowledge, Available time)

• 93% of SOC managers are not able to triage all potential threats
• 42% of security professionals ignore a ‘significant number of alerts’
• 31% of organizations are forced to ignore 50% or more security alerts because they can’t keep up with volume
A tremendous amount of security knowledge is created for human consumption, but most of it is untapped

Traditional Security Data
• Security events and alerts
• User and network activity
• Logs and configuration data
• Threat and vulnerability feeds

Human Generated Knowledge: a universe of security knowledge, dark to your defenses. Typical organizations leverage only 8% of this content*
Examples include:
• Research documents
• Industry publications
• Forensic information
• Threat intelligence commentary
• Conference presentations
• Analyst reports
• Webpages
• Wikis
• Blogs
• News sources
• Newsletters
• Tweets
Today’s reality - Do all of this in under 20 minutes, all day, every day

1. Review your security incidents in a SIEM
2. Decide which incident to focus on next
3. Review the data (events / flows that made up that incident)
4. Pivot the data multiple ways to find outliers (such as unusual domains, IPs, file access)
5. Expand your search to capture more data around that incident
6. Review the outlying events for anything interesting (domains, MD5s, etc)
7. Search X-Force Exchange + Search Engine + Virus Total + your favorite tools for these outliers / indicators. Find new Malware is at play
8. Get the name of the Malware
9. Search more websites for information about indicators of compromise (IOCs) for that Malware
10. Take these newly found IOCs from the internet and search for them back in a SIEM
11. Find other internal IPs that are potentially infected with the same Malware
12. Start another investigation around each of these IPs
Step up to the Cognitive Era with Watson for Cyber Security - https://www.youtube.com/watch?v=21pkAfLyzfo

Step up to the Cognitive Era with Watson for Cyber Security

Watson for Cybersecurity
Continuous and automated power of Watson for Cyber Security

What Watson for Cyber Security does: ingests external publicly available security content; performs natural language processing analysis; learns and assimilates security related concepts and relationships; gains new knowledge through machine learning; accepts feedback to improve its knowledge; presents evidence in the form of indicators; given a set of indicators, can explore its knowledge base to deliver insights.

• Statistical Information and Relation Extraction (SIRE) Model for Security: Teaches Watson the language of security through natural language processing of security content
• Watson Discovery Service: Builds and maintains a security knowledge base from unstructured curated content
• X-Force Threat Intelligence: Aggregated source of structured threat intelligence feeds
• Security Knowledge Graph: Stores and visually represents the security knowledge base
• Knowledge Exploration Algorithms: Explores and analyzes the security knowledge graph
What is fed into Watson for Cyber Security

• 5 Minutes – Structured Security Data (Billions of Data Elements): X-Force Exchange, Trusted Partner Data, Open source, Paid data: Indicators, Vulnerabilities, Malware names, …
• 1 Hour – Crawl of Critical Unstructured Security Data (5-10 updates / hour!): Blogs, Websites, News, …: New actors, Campaigns, Malware outbreaks, Indicators, …
• 1 Week – Massive Crawl of all Security Related Data on Web (100K updates / week!; Millions of Documents): Breach replies, Attack write-ups, Best practices: Course of action, Actors, Trends, Indicators, …

Filtering + Machine Learning (3:1 Reduction): Removes Unnecessary Information
Machine Learning / Natural Language Processing: Extracts and Annotates Collected Data
Massive Security Knowledge Graph: Billions of Nodes / Edges
Teaching Watson the Language of Security - https://www.youtube.com/watch?v=kao05ArIiok

Teaching Watson the Language of Security

QRadar Advisor with Watson
Cognitive Security Starts Here
IBM Security Introduces a Revolutionary Shift in Security Operations

NEW! IBM QRadar Advisor with Watson

• Employs powerful cognitive capabilities to investigate and qualify security incidents and anomalies on behalf of security analysts
• Powered by Watson for Cyber Security to tap into vast amounts of security knowledge and deliver insights relevant to specific security incidents
• Transforms SOC operations by addressing current challenges that include skills shortages, alert overloads, incident response delays, currency of security information and process risks
• Designed to be easily consumable: delivered via IBM Security App Exchange and deployed in minutes
Cognitive Tasks of a Security Analyst in Investigating an Incident

Gain local context leading to the incident
• Review the incident data
• Review the outlying events for anything interesting (e.g., domains, MD5s, etc.)
• Pivot on the data to find outliers (e.g., unusual domains, IPs, file access)
• Expand your search to capture more data around that incident

Gather the threat research, develop expertise
• Search for these outliers / indicators using X-Force Exchange + Google + Virus Total + your favorite tools
• Discover new malware is at play
• Get the name of the malware
• Gather IOC (indicators of compromise) from additional web searches

Apply the intelligence and investigate the incident
• Investigate gathered IOC locally
• Find other internal IPs that are potentially infected with the same Malware
• Qualify the incident based on insights gathered from threat research
• Start another investigation around each of these IPs

Time consuming threat analysis. There’s got to be an easier way!
Unlocking a new partnership between security analysts and their technology
QRadar Advisor complementing the investigative resources of a SOC

Security Analysts
• Manage alerts
• Research security events and anomalies
• Evaluate user activity and vulnerabilities
• Configuration
• Other

Watson for Cyber Security
• Security knowledge
• Threat identification
• Reveal additional indicators
• Surface or derive relationships
• Evidence

QRadar Security Analytics
• Data correlation
• Pattern identification
• Thresholds
• Policies
• Anomaly detection
• Prioritization

QRadar Advisor with Watson
• Local data mining
• Perform threat research using Watson for Cyber Security
• Qualify and relate threat research to security incidents
• Present findings
QRadar Advisor in Action

1. Offenses
2. Gains local context and forms threat research strategy
3. Observables
4. Performs threat research and develops expertise
5. Research results
6. Applies the intelligence gathered to investigate and qualify the incident

Diagram elements: QRadar Offense; Correlated enterprise data context; Device activities; Equivalency relationships; Knowledge graph.
Control, Privacy and Security of Transferring Observables

Control
• QRadar Watson Advisor references the Network Hierarchy defined in QRadar
• QRadar Administrator can control which types of observables are sent in the QRadar Watson Advisor administration page
• QRadar Administrator can select which custom properties are mapped to observable types

Privacy
• Only external URLs, domains, IPs, ports and asn values are sent to Watson for Cyber Security
• After an investigation, all observables sent to Watson for Cyber Security are destroyed, and the results of the investigation are also not persisted in the cloud
• Watson for Cyber Security does not track the IPs or the specific instance of QRadar Watson Advisor submitting the investigation requests to preserve anonymity

Security
• Observables are sent via an encrypted channel to Watson for Cyber Security
• Watson for Cyber Security isolates each customer’s offense investigation
• Watson for Cyber Security can only be accessed by authorized QRadar Watson Advisor apps
Observables: Data used by QRadar Advisor

Observables: the finite set of discrete elements that are collected from an offense and related events that are used by QRadar Watson Advisor for local analysis and external research. Only a subset are sent to Watson for Cyber Security as observations of a potential threat.

Observable Type | Description | Sent to W4CS
Source IP | External Source IPs that appear in an offense – enforced by respecting the Network Hierarchy defined in QRadar | Yes
Destination IP | External Destination IPs that appear in an offense – enforced by respecting the Network Hierarchy defined in QRadar | Yes
File Hash | Hash value of a file that is deemed suspicious | Yes
URL | External URLs that appear in an offense | Yes
Domain | External Domains that appear in an offense | Yes
Destination Port | Destination Ports belonging to Destination IPs | No
User Agent | The user agent identified by a browser or HTTP application | No
AV Signature | Malware signatures identified by antivirus solutions | No
Email Address | Email addresses associated with suspicious emails | No
File Name | Names of suspicious files | No
Source Port | Source Ports belonging to Source IPs | No
Destination ASN | Autonomous System Number of a destination IP address (from a DNS) | No
Source ASN | Autonomous System Number of a source IP address (from a DNS) | No
Destination Country | Name of the destination country of outbound communications | No
Source Country | Name of source country of inbound communications | No
Low Level Category | Low level QRadar offense category | No
High Level Category | High level QRadar offense category | No
Direction | Direction of communication | No
User name | Aliases that may attempt to access critical internal infrastructure | No
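The partitioning rule in the table above (which observable types may leave QRadar, with IPs additionally checked against the Network Hierarchy), as an added example in Python. This is not QRadar Advisor's own code; the property-to-observable mapping, the internal CIDRs and the sample offense events are constructed stand-ins for what the administrator would configure and what an offense would contain.

```python
"""Decide which offense observables may be sent to Watson for Cyber Security.

Added example, not IBM's QRadar Advisor code. It models the Observables table:
only external source/destination IPs, file hashes, URLs and domains are sent, and
"external" is decided against the Network Hierarchy defined in QRadar.
"""
import ipaddress

# Observable types the table marks "Sent to W4CS: Yes"; every other type stays local.
SENT_TO_W4CS = {"source_ip", "destination_ip", "file_hash", "url", "domain"}

# Hypothetical mapping from QRadar event / custom property names to observable
# types, standing in for what the administrator configures on the Advisor admin page.
PROPERTY_TO_OBSERVABLE = {
    "sourceip": "source_ip",
    "destinationip": "destination_ip",
    "destinationport": "destination_port",
    "username": "user_name",
    "Requested URL": "url",
    "Requested Domain": "domain",
    "File MD5": "file_hash",
    "User Agent": "user_agent",
}

# Constructed stand-in for the QRadar Network Hierarchy: CIDRs treated as internal.
NETWORK_HIERARCHY = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip_text, hierarchy=NETWORK_HIERARCHY):
    """True when the address lies inside any internal network, or is not a valid IP
    at all (fail closed: an unparsable value is never treated as safe to send)."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return any(addr in net for net in hierarchy)


def observables_from_event(event, mapping=PROPERTY_TO_OBSERVABLE):
    """Turn one event's properties into (observable_type, value) pairs, keeping
    only properties that are mapped to an observable type and carry a value."""
    out = []
    for prop, value in event.items():
        obs_type = mapping.get(prop)
        if obs_type and value not in (None, ""):
            out.append((obs_type, str(value)))
    return out


def partition_observables(observables, hierarchy=NETWORK_HIERARCHY):
    """Split observables into those that may go to W4CS and those kept local.
    IP observables are also checked against the hierarchy so internal addresses
    never leave, mirroring the 'enforced by respecting the Network Hierarchy' rule."""
    sent, local = [], []
    for obs_type, value in observables:
        is_ip = obs_type in ("source_ip", "destination_ip")
        if obs_type not in SENT_TO_W4CS or (is_ip and is_internal(value, hierarchy)):
            local.append((obs_type, value))
        else:
            sent.append((obs_type, value))
    return sent, local


# Constructed events of one offense (not real data; 203.0.113.0/24 is a documentation
# range and the hash is the MD5 of the empty string, used only as a stand-in).
SAMPLE_OFFENSE_EVENTS = [
    {"sourceip": "10.1.2.3", "destinationip": "203.0.113.5", "destinationport": 443,
     "username": "jdoe", "Requested URL": "http://example.com/invoice.doc",
     "Requested Domain": "example.com",
     "File MD5": "d41d8cd98f00b204e9800998ecf8427e", "User Agent": "Mozilla/5.0"},
    {"sourceip": "10.1.2.3", "destinationip": "192.168.50.9", "destinationport": 445,
     "username": "jdoe"},
]


def review_offense(events=SAMPLE_OFFENSE_EVENTS, hierarchy=NETWORK_HIERARCHY):
    """Collect the distinct observables of an offense (first-seen order) and
    return (sent, local) as partition_observables does."""
    seen, observables = set(), []
    for event in events:
        for pair in observables_from_event(event):
            if pair not in seen:
                seen.add(pair)
                observables.append(pair)
    return partition_observables(observables, hierarchy)


if __name__ == "__main__":
    sent, local = review_offense()
    print("Sent to Watson for Cyber Security:")
    for obs in sent:
        print("  ", obs)
    print("Kept local:")
    for obs in local:
        print("  ", obs)
```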
Watson automates tedious tasks, simplifies complex procedures and presents its conclusions

…and then shows how it did it!

IBM QRadar Advisor with Watson demo - https://www.youtube.com/watch?v=3rAYpBIAO68

IBM QRadar Advisor with Watson demo
Accelerating the end-to-end response process

QRadar: Alert / Anomaly → Watson: Root Cause and Features (Threat Actor, Campaigns, Domains, IPs, Hash, Emails, Filenames, Vulnerabilities) → Resilient: Actions →
• Network Protection: Block Users / IPs / Domains
• BigFix: Patch Vulnerabilities
• QRadar / i2: Cyber Investigations
• IAM: Alter User Entitlements
• …: …
QRadar Advisor with Watson for Cyber Security
Bringing the Power of Cognitive Security to the Security Analyst

• Accelerates alert triage with more automation and analysis depth
• Reduces risk of missing threats
• Optimizes incident response processes with comprehensive threat information and data
• Increases analysts’ knowledge, awareness and skills in the threat domain and environment

IBM CONFIDENTIAL
Additional demo material:

Youtube (Jose Bravo) - My take on QRadar Advisor by Watson:
https://www.youtube.com/watch?v=VGEz1mKqtaQ&feature=youtu.be

(Partnerworld) QRadar Advisor with Watson Landing Page:
https://www.ibm.com/partnerworld/wps/servlet/mem/ContentHandler/J178152X23012N90
Section: Applications
IBM #QRADAR

Carmen Ces & Emilio Andrés
IBM Security Intelligence Technical Sales

IBM internal and Business Partner use only

Available applications
Incident Overview Application
QRadar Operations Application

Use the QRadar Operations app to quickly view user activities and assess their impact on the overall system. The Operations app collects information from all relevant sources within the system and provides a single view of user configuration changes to help administrators easily troubleshoot and investigate the cause of certain behaviors in the system.

https://exchange.xforce.ibmcloud.com/hub/extension/d35eae95160f59d79ca71683e2c72448
QRadar Assistant Application

The QRadar Assistant app gives you a ready-to-use dashboard that provides you with the following dashboard widget options:

Recommended Content
The dashboard widget displays recommended apps and content extensions that are based on your configured preferences. You can install apps and content extensions directly from the dashboard.

QRadar Help Center
Use the QRadar Help Center dashboard widget to access helpful information about QRadar, view QRadar video tutorials, read QRadar documentation, read monthly newsletters, view QRadar Open Mics, participate in QRadar forums, and access useful links, all of which you can do from the dashboard widget.

Content with Updates Available
The dashboard displays updates when an app or content extension that you have installed is updated on the App Exchange. You can then install the update from within the widget.


Cloud Analytics App
IBM Cloud App Analytics for QRadar

The IBM QRadar App Analytics app helps detect web application usage within an organization. The app provides a view into what applications are used on your networks and their X-Force Threat Intelligence risk scores.

ADDRESSING SHADOW IT MONITORING AND THREAT INTELLIGENCE
- What cloud apps are being accessed?
- Top clouds accessed
- App categories
- Usage by employee
- What are the risks?
- Are there business needs driving shadow IT?
- Are there business inefficiencies?


QRadar Pulse (Q2 2017)

• New exciting visualization layer for QRadar
• Works across multiple data sources
  − QRadar, Splunk, ELK, Hadoop
• Delivered as a free-of-charge app from the IBM App Exchange
• Supports SOC and user desktop visualizations and use cases
• Extendable via the QRadar Application Framework


New Threat Detection Analytics – Enabled by Spark (Q2 2017)

Activity volume: We build statistical models of behavior for each user, and identify times of unusually high activity, either generally or in specific categories of events.

Regular-interval activity: This analytic models the instant at which user activity starts, with the expectation that normal user activity will be relatively uniform across the seconds in a minute and the minutes in an hour. Unusual activity will manifest as repeated activity at regular intervals, indicated as hotspots (darker areas) in the slide's chart.

Abstract roles: By monitoring user activity we can identify the abstract roles a user has. Each color in the slide's chart represents a different role. Deviation from these abstract roles appears as dips or hills in the user's role distribution, allowing analysts to easily identify aberrant behavior that does not necessarily correspond with an increase in activity.

Peer groups: A user's peer group can be identified using abstract roles or a defined set of roles. We can then leverage the user activity to identify changes in a peer group. This is identified in the dark bands of the slide's chart: dark red indicates a preponderance of new peers, dark black missing peers.
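To make the three analytics on this slide concrete, here is an added example written for this page. It is not QRadar, Spark or IBM code, and the event log, user names, categories and thresholds are all constructed. It builds a per-user, per-category hourly baseline and flags an hour that exceeds it (leave-one-out mean plus three standard deviations), detects a source whose events pile up in one second-of-minute bucket instead of spreading across the minute, and reports who joined and left a user's peer group between two periods.

```python
"""Toy versions of the three user-activity analytics described on the
Spark slide: (1) unusually high activity per user and event category,
(2) activity repeating at regular intervals, (3) peer-group changes.

Added example written for this page; it is not QRadar, Spark or IBM
code. Events, users, categories and thresholds are constructed.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed event log: (user, hour_of_day, category, second_of_minute).
EVENTS = []


def _add(user, hour, category, n, second=None):
    """Append n constructed events; by default spread them over the minute."""
    for i in range(n):
        sec = (i * 7) % 60 if second is None else second
        EVENTS.append((user, hour, category, sec))


for h in range(8, 18):                     # alice: normal office-hours logins
    _add("alice", h, "authentication", 5)
_add("alice", 3, "authentication", 40)     # ...plus a burst at 03:00
for h in range(24):                        # svc-backup: one event per hour, always at :00
    _add("svc-backup", h, "backup", 1, second=0)


def unusual_activity(events, sigma=3.0):
    """Analytic 1: per (user, category), flag hours whose event count exceeds
    mean + sigma * stdev of that user's other 23 hours (leave-one-out baseline).
    Returns sorted [(user, category, hour, count)]."""
    by_series = defaultdict(lambda: [0] * 24)
    for user, hour, category, _ in events:
        by_series[(user, category)][hour] += 1
    flagged = []
    for (user, category), counts in by_series.items():
        for hour, n in enumerate(counts):
            others = counts[:hour] + counts[hour + 1:]
            mu, sd = mean(others), pstdev(others)
            if sd > 0 and n > mu + sigma * sd:
                flagged.append((user, category, hour, n))
    return sorted(flagged)


def regular_interval_activity(events, buckets=12, min_events=20, max_share=0.5):
    """Analytic 2: a person's events should be roughly uniform across the seconds
    of a minute; a scheduled or scripted source piles up in one bucket (a hotspot).
    Returns {user: share_of_events_in_busiest_bucket} for users that reach
    max_share with at least min_events events."""
    per_user = defaultdict(Counter)
    width = 60 // buckets                  # 5-second buckets by default
    for user, _, _, second in events:
        per_user[user][second // width] += 1
    hotspots = {}
    for user, hist in per_user.items():
        total = sum(hist.values())
        share = max(hist.values()) / total
        if total >= min_events and share >= max_share:
            hotspots[user] = round(share, 2)
    return hotspots


def peer_group_change(user, roles_before, roles_after):
    """Analytic 3: peers are the other users holding the same (abstract or
    defined) role. Compare two periods and report who joined and who left.
    Returns (new_peers, missing_peers) as sorted lists."""
    def peers(roles):
        return {u for u, r in roles.items() if r == roles[user] and u != user}
    before, after = peers(roles_before), peers(roles_after)
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    print(unusual_activity(EVENTS))            # alice's 03:00 burst
    print(regular_interval_activity(EVENTS))   # svc-backup hotspot at :00
    roles_q1 = {"alice": "finance", "bob": "finance", "carol": "finance", "dave": "eng"}
    roles_q2 = {"alice": "finance", "bob": "finance", "dave": "finance", "erin": "eng"}
    print(peer_group_change("alice", roles_q1, roles_q2))
```

The leave-one-out baseline matters: scoring an hour against a mean that already contains it dilutes the spike. The hotspot check deliberately says nothing about whether the regular source is malicious; a backup agent and a beaconing implant look the same to it, which is why the slide pairs this analytic with role and peer-group context rather than alerting on it alone.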


Section:
Technical Resources for BPs
IBM #QRADAR

Carmen Ces & Emilio Andrés


IBM Security Intelligence Technical Sales
Resources for BP
Portal PartnerWorld:
http://www.ibm.com/partnerworld

Documentation:
https://www.ibm.com/support/knowledgecenter/

Support:
Support Escalation Process - https://www-947.ibm.com/support/servicerequest/Home.action
RFE - http://www-01.ibm.com/support/docview.wss?uid=swg21641764
FixCentral - https://www.ibm.com/support/fixcentral

Enablement:
YouTube Channel:
https://www.youtube.com/user/IBMSecuritySupport?nohtml5=False
Jose Bravo - https://www.youtube.com/user/jbravovideos/videos?nohtml5=False
Mike Winkler - https://www.youtube.com/channel/UCHuSAo7fqTIvDziOqac6XYg

Twitter - https://twitter.com/AskIBMSecurity

SecurityIntelligence.com - http://securityintelligence.com/


Resources for BP
QRadar Certification:
Technical Test Exam: http://www.ibm.com/certify/tests/updatesrev_se.shtml
Sales Test Exam: http://www.ibm.com/certify/mastery_tests/ovrM2150-808.shtml
Certification path info: http://www-03.ibm.com/certify/tests/test_index_bd_sw.shtml#IBM%20Security%20Systems

Enablement:
Self-paced QRadar Virtual Enablement sessions:
Security Intelligence QRadar Understanding and Using Rules - http://ibm.biz/Bdrk7K
Understanding and using QRadar Vulnerability Manager - http://ibm.biz/Bdrk7m

QRadar Training Classes, Free & Self-paced:
https://www.ibm.com/services/learning

QRadar Training Paid Classes:
http://www-03.ibm.com/certify/partner/pub/zz/mem_skillsreq.shtml

Support:
dwAnswer: https://ibm.biz/qradarforums
https://developer.ibm.com/answers/questions/ask/?topics=qradar
QRadar Support KnowledgeBase - http://ibm.biz/qradarknowledge
Technotes relevant to QRadar - http://www-01.ibm.com/support/docview.wss?uid=swg21984857

Demo:
https://www-01.ibm.com/marketing/iwm/iwm/web/reg/directDownload.do?source=partnerworld&FILE=pw/misc/qradar_demo_setup_script.tar
THANK YOU
FOLLOW US ON:

ibm.com/security

securityintelligence.com
xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2017. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

SEP03413-USEN-01
NEXT STEPS!!!

What would you like to dig deeper into?