
IBM Security Systems

QRadar SIEM and Zscaler Nanolog Streaming Service

February 2014

2012 IBM Corporation

QRadar SIEM: Security Intelligence Platform


QRadar SIEM provides full visibility and actionable insight to protect networks and IT assets from a wide range of advanced threats, while meeting critical compliance mandates.

Key Capabilities:
- Sophisticated correlation of events, flows, assets, topologies, vulnerabilities and external data to identify and prioritize threats
- Network flow capture and analysis for deep application insight
- Workflow management to fully track threats and ensure resolution


The Security Intelligence Life Cycle

[Diagram: the IBM Security Intelligence life cycle]


Security Intelligence: Context and Correlation Drive Deep Insight

[Diagram. Extensive data sources: Security Devices, Servers & Mainframes, Network & Virtual Activity, Database Activity, Application Activity, Configuration Info, Vulnerability & Threat, Users & Identities. Deep intelligence: Event Correlation (Logs, Flows, IP Reputation, Geo Location) and Activity Baselining & Anomaly Detection (User Activity, Database Activity, Application Activity, Network Activity) feed Offense Identification, scored by Credibility, Severity and Relevance, which turns Suspected Incidents into a True Offense: exceptionally accurate and actionable insight.]


QRadar SIEM: Benefits


- Reduce the risk and severity of security breaches
- Remediate security incidents quickly and thoroughly
- Ensure regulatory and internal policy compliance
- Reduce the manual effort of security intelligence operations


QRadar SIEM: Key Advantages


- Real-time activity correlation based on a wide set of contextual data
- Flow capture that delivers Layer 7 content visibility and supports deep forensic examination
- Intelligent incident analysis that reduces false positives and manual effort
- Unique combination of fast free-text search and analysis of data that has a common taxonomy


IBM/Q1 Labs in SIEM Leadership Quadrant for Fifth Straight Year

Source: Magic Quadrant for Security Information and Event Management, Gartner, 7 May 2013.

Gartner Magic Quadrant for SIEM: IBM/Q1 Labs SIEM is rated #1 on Ability to Execute (the Y-axis) and beat McAfee/Nitro, RSA, LogRhythm, and Splunk on Completeness of Vision (the X-axis).
- Ability to Execute is an assessment of overall viability, product service, customer experience, market responsiveness, product track record, sales execution, operations, and marketing execution.
- Completeness of Vision is a rating of product strategy, innovation, market understanding, geographic strategy, and other factors.

What Gartner is Saying about IBM/Q1 Labs:

- "QRadar is a good fit for midsize and large enterprises that need general SIEM capabilities and also for use cases that require behavior analysis and NetFlow analysis. Behavioral analysis is recognized by Gartner as essential in the detection of advanced threats."
- "Customer feedback indicates that the technology is relatively straightforward to deploy and maintain across a wide range of deployment scales."
- "A distinguishing characteristic of the technology is the collection and processing of NetFlow data, deep packet inspection (DPI) and behavior analysis for all supported event sources."

QRadar SIEM: Product Tour of Integrated Console

- Single browser-based UI
- Role-based access to information & functions
- Customizable dashboards (work spaces) per user
- Real-time & historical visibility and reporting
- Advanced data mining and drill down
- Easy to use rules engine with out-of-the-box security intelligence


QRadar & Zscaler Nanolog Streaming Service: Events Coming In


QRadar & Zscaler Nanolog Streaming Service: Live Streaming


QRadar SIEM: Product Tour - the Intelligence of Offense Management

- QRadar SIEM reduces millions of events and flow records to the top few threats and incidents, called Offenses
  - Through correlation with contextual data (events, flows, vulnerabilities, threat intelligence feeds)
  - The rules engine creates an offense as a response to a sequence of events, behavior,
- Incident Response Teams and Security Administrators rely on Offenses to determine what they need to remediate or investigate.


QRadar SIEM: Product Tour - the Intelligence of Offense Management

- There is a dashboard widget for the Top Offenses
- The Offenses tab shows offenses currently open, with drill down to details

QRadar SIEM: Product Tour of Intelligent Offense Scoring


QRadar judges the magnitude of an offense by three factors:
- Credibility: a false positive or a true positive?
- Severity: alarm level contrasted with target vulnerability
- Relevance: priority according to asset or network value

Priorities can change over time based on situational awareness.


QRadar SIEM: Product Tour of Offense Tab


QRadar SIEM: Offense triggers as a result of Zscaler events

[Diagram: the questions an offense answers about an incident] What was the breach? Was it successful? (Yes) Who was responsible? Where do I find them? How valuable are the targets to the business? How many targets are involved? Are any of them vulnerable? Where is all the evidence?


QRadar SIEM: Use Cases

QRadar SIEM excels at the most challenging use cases:
- Complex threat detection
- Malicious activity identification
- User activity monitoring
- Compliance monitoring
- Fraud detection and data loss prevention


QRadar SIEM & Zscaler Use Cases


1. Potential botnet activity detected

QRadar running at an international financial services organization receives 3 Zscaler NSS events indicating possible botnet command and control traffic, which generates an offense. The magnitude of the offense is increased to 10 when QRadar flow traffic confirms that multiple clients have regularly connected to the same set of external IP addresses over a period of 2 days.

2. Phishing threat detected

Zscaler NSS sends 3 events to QRadar warning that a website containing potential phishing content has been contacted by 3 executives. QRadar generates a high magnitude offense when these events are correlated with X-Force data that identifies that site as a phishing site. The SOC analyst changes the corporate Zscaler policy to block that phishing site in the future.


QRadar SIEM & Zscaler Use Cases

3. Social network site allowed for privileged mobile users

The severity of an event cautioning the use of a social network site is lowered when QRadar compares the user who generated the event with a reference set of mobile users who are permitted to use the site. A false positive is avoided.
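The three use cases above, together with the credibility/severity/relevance scoring described on the offense scoring slide, as one added worked example (not IBM's or Zscaler's code, and not how QRadar's rule engine is implemented): a small Python correlation run over constructed, LEEF-style lines of the kind a Zscaler NSS feed can emit. The field names (usrName, src, dst, url, cat, sev), the event thresholds, the flow records, the reputation dictionary standing in for X-Force data, the reference set of permitted mobile users, and the magnitude arithmetic are all assumptions made for illustration.

```python
"""Correlation sketch for the three QRadar + Zscaler use cases on this page (an added
example, not QRadar or Zscaler code). The feed lines are constructed, LEEF-style records
of the kind a Zscaler NSS feed can emit; field names, thresholds, the reputation data and
the magnitude arithmetic are assumptions made for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Offense:
    name: str
    credibility: int  # false positive or true positive? (0-10)
    severity: int     # alarm level contrasted with target vulnerability (0-10)
    relevance: int    # value of the asset or network to the business (0-10)
    sources: list = field(default_factory=list)

    @property
    def magnitude(self) -> int:
        # Assumed combination for illustration; QRadar's own weighting is not on the page.
        return min(10, round((self.credibility + self.severity + self.relevance) / 3))


def parse_leef(line: str) -> dict:
    """LEEF:1.0|Vendor|Product|Version|EventID|<tab-separated key=value ...> -> dict."""
    header = line.split("|", 5)
    attrs = dict(kv.split("=", 1) for kv in header[5].split("\t") if "=" in kv)
    attrs["eventId"] = header[4]
    attrs["devTime"] = datetime.strptime(attrs["devTime"], "%Y-%m-%d %H:%M:%S")
    return attrs


def botnet_rule(events, flows, min_events=3, min_clients=2, min_days=2):
    """Use case 1: min_events 'Botnet Callback' events open an offense; flow records
    showing several clients reaching one destination on several distinct days confirm
    it as a true positive, which raises credibility and with it the magnitude."""
    c2 = [e for e in events if e["cat"] == "Botnet Callback"]
    if len(c2) < min_events:
        return None
    offense = Offense("Potential botnet command and control", 6, 10, 10, c2)
    by_dst = defaultdict(lambda: (set(), set()))  # dst -> (clients seen, days seen)
    for when, src, dst in flows:
        by_dst[dst][0].add(src)
        by_dst[dst][1].add(when.date())
    confirmed = sorted(d for d in {e["dst"] for e in c2}
                       if len(by_dst[d][0]) >= min_clients and len(by_dst[d][1]) >= min_days)
    if confirmed:
        offense.credibility = 10
        offense.name += " (flow-confirmed: " + ", ".join(confirmed) + ")"
    return offense


def phishing_rule(events, reputation, min_users=3):
    """Use case 2: 'Phishing' events from min_users distinct users become a high
    magnitude offense only when the site is also flagged by the reputation feed."""
    hits = [e for e in events if e["cat"] == "Phishing"]
    if len({e["usrName"] for e in hits}) < min_users:
        return None
    if not any(reputation.get(e["url"].split("/")[0]) == "Phishing" for e in hits):
        return None
    return Offense("Phishing site contacted by multiple users", 10, 8, 10, hits)


def social_rule(events, permitted_mobile_users):
    """Use case 3: 'Social Networking' events keep their severity unless the user is
    in the reference set of permitted mobile users, in which case it drops to 1."""
    return {e["usrName"]: 1 if e["usrName"] in permitted_mobile_users else int(e["sev"])
            for e in events if e["cat"] == "Social Networking"}


SAMPLE = [  # constructed: (category, user, src, dst, url, sev)
    ("Botnet Callback", "jdoe", "10.1.1.10", "198.51.100.7", "198.51.100.7/gate.php", 8),
    ("Botnet Callback", "asmith", "10.1.1.22", "198.51.100.7", "198.51.100.7/gate.php", 8),
    ("Botnet Callback", "klee", "10.1.1.35", "203.0.113.9", "203.0.113.9/cmd", 8),
    ("Phishing", "cfo", "10.2.0.5", "192.0.2.44", "secure-login.example.net/verify", 7),
    ("Phishing", "ceo", "10.2.0.6", "192.0.2.44", "secure-login.example.net/verify", 7),
    ("Phishing", "coo", "10.2.0.7", "192.0.2.44", "secure-login.example.net/verify", 7),
    ("Social Networking", "mobile01", "10.3.0.9", "192.0.2.80", "social.example.com/feed", 6),
    ("Social Networking", "bsmith", "10.3.0.12", "192.0.2.80", "social.example.com/feed", 6),
]
NSS_LINES = [  # the same data rendered as LEEF-style feed lines
    f"LEEF:1.0|Zscaler|NSS|4.1|{cat}|devTime=2014-02-03 09:{i:02d}:00\tusrName={user}"
    f"\tsrc={src}\tdst={dst}\turl={url}\tcat={cat}\tsev={sev}"
    for i, (cat, user, src, dst, url, sev) in enumerate(SAMPLE)
]
# Constructed flows (time, src, dst): two clients beacon to 198.51.100.7 on three days;
# 203.0.113.9 is touched by one client once, so only the first destination gets confirmed.
FLOWS = [(datetime(2014, 2, day, 8, 0), src, "198.51.100.7")
         for day in (1, 2, 3) for src in ("10.1.1.10", "10.1.1.22")]
FLOWS.append((datetime(2014, 2, 3, 9, 14), "10.1.1.35", "203.0.113.9"))
REPUTATION = {"secure-login.example.net": "Phishing"}  # constructed stand-in for X-Force data
PERMITTED_MOBILE = {"mobile01", "mobile02"}             # reference set of permitted mobile users


def run(lines=NSS_LINES, flows=FLOWS, reputation=REPUTATION, permitted=PERMITTED_MOBILE):
    """Parse the feed, apply the three rules; return (offenses, adjusted social severities)."""
    events = [parse_leef(line) for line in lines]
    offenses = [o for o in (botnet_rule(events, flows), phishing_rule(events, reputation)) if o]
    return offenses, social_rule(events, permitted)


if __name__ == "__main__":
    offenses, social = run()
    for o in offenses:
        print(f"magnitude {o.magnitude:>2}  {o.name}  [{len(o.sources)} events]")
    print("social networking severities after reference-set check:", social)
```

Running the sample gives the shape of the three use cases: the three callback events alone produce an offense of magnitude 9, and flow corroboration for 198.51.100.7 (two clients, three days) lifts credibility to 10 and the magnitude to 10, while 203.0.113.9 (one client, one day) stays unconfirmed; the phishing events only become an offense once the host also appears in the reputation data; and the social networking event from mobile01 is demoted to severity 1 because that user is in the reference set, whereas bsmith's identical event keeps its severity.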


QRadar SIEM: Intelligent, Integrated and Automated

1. Intelligence delivered through Offense Management and identification of critical anomalies
2. Integrated with 100s of data sources, such as Zscaler Nanolog Streaming Service
3. Automated via 1000s of rules and reports out of the box, delivering rapid time to value and operational efficiency

QRadar SIEM delivers full visibility and actionable insight for Total Security Intelligence.
