Building a Next-Generation

Security Operation Center

Based on IBM QRadar and
Security Intelligence
Concepts
Chris Meenan, IBM Security
Vincent Laurens, Sogeti

2015 IBM Corporation

Overview
Cybersecurity threat environment and main challenges

The true story behind all this

What is a Security Operations Center (SOC)

Introducing QRadar and how it can address pragmatic challenges

Real-life examples and lessons learned

1
It is insane

Source: IBM X-Force Research 2013 Trend and Risk Report

Main challenges for a SOC

Being able to provide our customers

answers they needs.
Solving, in a high-quality manner, the
challenges they have to face.

SOC Challenges Chain

Smooth integration Addressing
Lack of Skills within Diversity and scale
with Processes and compliance from Cost effectiveness
the Organization of data to correlate
Business multiple angles

All these factors MUST become part of the IT comfort zone! Not as straightforward as it
seems!

3
 What is a SOC ?

Performing Security Monitoring

Security Operation Centers are indeed
of IT systems, of industrial systems and data

Systems and services integration

Central Command Centers!
Managed services
SOCaaS (multi-tenant)
Scanning,
vulnerability
assessment

Security
Analytics SIEM
BIG
DATA

Malware defense
sandboxing -

GRC Patch Management CMDB

4
Why QRadar Helps
Security Operations can drown in systems

HiFi Separates approach has a

situation where enterprises have
dozens of individual security tools
Security teams struggle

Lack of skills
Become stove piped themselves
Overly dependant on a single tool
which has limited visibility and
accuracy
IBM QRadar Security SIEM
Providing actionable intelligence

INTELLIGENT
Correlation, analysis and
massive data reduction

AUTOMATED IBM QRadar INTEGRATED

Driving simplicity and Security Intelligence Unified architecture
accelerating time-to-value Platform delivered in a single console
Embedded intelligence offers automated offense
identification

Security devices

Suspected
Servers and mainframes Automated Incidents
Offense
Network and virtual activity
Identification
Prioritized Incidents
Unlimited data collection,
storage and analysis
Data activity
Built in data classification

Application activity Automatic asset, service and

user discovery and profiling

Configuration information Real-time correlation

and threat intelligence
Activity baselining
Vulnerabilities and threats and anomaly detection
Detects incidents Embedded
Users and identities of the box
Intelligence

Global threat intelligence

INTELLIGENT
Answering questions to help prevent and remediate
attacks
An integrated, unified architecture in a single
web-based console

Log
Management

Security
Intelligence

Network
Activity
Monitoring

Risk
Management

Vulnerability
Management

Network
Forensics
Use cases

11
Example 1

SOC for a major Financial Institution internal IT company

Migration from a log correlation engine to a QRadar-based

Security analytics plateform
Strong compliance riquirement

Monitoring & Analytics

Fully-integrated services
Reporting to Business

Dedicated reporting
Large coverage of the infrastructure
Integration of business elements
Full Process integration
Targetted KPIs

Lessons Learned

A real project approach is needed

Use QRadar suite out-of-the-box capabilities
Define compliance steps from starts and align with Business and
Risks departments
Example 2

SOC for a major Assurance company in Luxembourg

The word SIEM was totally new for them

Complete end-to-end approach based on a maturity analysis

International Compliance
Specific needs
Specific Reporting

3 Levels of reporting from the SOC: Technies, Security, Business

Cost effectiveness requirements
Assistance to create and maintain a Security Incident Management
Process
Particular threat environement
Mainframe-based core business-app

Lessons Learned

Yes! Specific threat environment exist for Assurance companies

Parallelize scenarios-construction tasks and deployment tasks
Involve compliance officer from start

13
Example 3

Client Situation :
Profile:
Lack of any SOC model and strategy roadmap Largest Bank in Canada, 3rd
There were no trained SOC Operations team or staff largest in North America, top 10
globally. The bank serves 18
No Security monitoring tool or processes for security incidents million clients and has 80,100
employees worldwide.
IBM Solution :
Global Installation of the QRadar monitoring tool
Archer Ticketing System implementation (security tickets)
Designed the SOC Organization, Process, People Model
SOC Capacity Modeling
Hired and Trained the clients SOC Staff (~12 resources)
Implemented SOC Operational Reporting and Executive Dashboards

Client Benefits:
Reduced risks & costs associated with security incidents and data breaches
Addressed compliance issues by establishing clear audit trails for incident
response
Improved security posture with enterprise-wide security intelligence
correlating events from IT & business critical systems/applications.

14
Summary

15
 Driving simplicity and accelerated time to value

Immediate
discovery
of network assets
Simplified Proactive vulnerability
deployment scans, configuration
Automated configuration comparisons, and policy
of log data sources compliance checks
and asset databases

Automated
updates
Stay current
with latest threats,
vulnerabilities,
and protocols
IBM QRadar is nearly three times
faster to implement across the
enterprise than other SIEM solutions.
2014 Ponemon Institute, LLC
Independent Research Report
Out-of-the-box
rules and reports
Immediate time
to value with built-in
intelligence
QRadars ease-of-use in set-up and maintenance
resulted in reduced time to resolve network issues
and freed-up IT staff for other projects.
Private U.S. University
with large online education community
QRadar, Managed SIEM and SOC Consulting
IBM Security can help maximize your QRadar investment with
SOC and SIEM design, optimization, management and monitoring

Detect threats others miss with IBM QRadar and Managed SIEM
SOC Optimization SIEM Optimization SIEM Management
Security operations maturity SIEM design and build Real-time threat monitoring,
assessment Use case design / log incident escalation and response
SOC strategy and planning acquisition SIEM administrative support
SOC design and build SIEM implementation SIEM infrastructure management
SOC optimization SIEM optimization Incident analysis and reporting

Augment and More quickly Gain access to Help reduce

optimize staff identify and best practice costs and
resources remediate events design expertise complexity

Want to learn more? Dont miss the following InterConnect sessions:

SIEM Workshop Discussion on Making Strategic Decisions What is Building Intelligent Next Generation
Use Case Development and Problem the most effective Security Operations Security Operations Center How do
Solving (Session #4933). Tue 11AM, model for you? (Session #4896). Wed I get there? (Session #5198). Wed
Mandalay Bay, Ballroom D 11AM, Mandalay Bay, Lagoon E 3:30PM, Mandalay Bay, Lagoon E

17
 Notices and Disclaimers
Copyright 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or
transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with
IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been
reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM
shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY,
EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF
THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT
OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the
agreements under which they are provided.

Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without
notice.

Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are
presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual
performance, cost, savings or other results in other operating environments may vary.

References in this document to IBM products, programs, or services does not imply that IBM intends to make such products,
programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not
necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither
intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customers responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal
counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customers
business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or
represent or warrant that its services or products will ensure that the customer is in compliance with any law.
Notices and Disclaimers (cont)

Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products in connection with this
publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM
products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to
interoperate with IBMs products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any
IBM patents, copyrights, trademarks or other intellectual property right.

IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS, Enterprise Document
Management System, Global Business Services , Global Technology Services , Information on Demand,
ILOG, Maximo, MQIntegrator, MQSeries, Netcool, OMEGAMON, OpenPower, PureAnalytics,
PureApplication, pureCluster, PureCoverage, PureData, PureExperience, PureFlex, pureQuery,
pureScale, PureSystems, QRadar, Rational, Rhapsody, SoDA, SPSS, StoredIQ, Tivoli, Trusteer,
urban{code}, Watson, WebSphere, Worklight, X-Force and System z Z/OS, are trademarks of
International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on
the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
Thank You
Your Feedback is
Important!

Access the InterConnect 2015

Conference CONNECT Attendee
Portal to complete your session
surveys from your smartphone,
laptop or conference kiosk.