IBM Security Cognitive
IBM SECURITY INTELLIGENCE & ANALYTICS
by Luigi Perrone
IBM SWG – Security Systems
Security & Audit for zSystem & enterprise Security Intelligence solution
luigi_perrone@it.ibm.com
March 2017
2 IBM Security
The evolution of security in recent years

Perimeter Controls (pre 2005): use of static defenses that control or limit the flow of data, such as firewalls, antivirus software, web gateways, etc.
Security Intelligence (2005++): use of analytical tools to collect and interpret large volumes of data flows in real time, prioritizing events by highlighting their risk level.
Cognitive, Cloud, and Collaboration (2015+): interpreting, understanding and processing security data the way a human would, but at a speed no human can reach.

As the infrastructure evolves, the complexity and volume of information to be analyzed grow.
IBM provides the QRadar technology, conceived as a solution that continually adapts as security problems evolve.
Why does security need cognitive?
• Think of the routine activity of the security monitoring team: analysis, checks, data, reports, correlations, false positives, origin of the attack, anomalies, etc.
• Think of the continuous evolution of attack methods and attack types
• Think of the continuous increase in the number of critical or suspicious events to be analyzed
What is Watson for Cyber Security?
"...thanks to its computing and learning capacity, Watson's artificial intelligence will be able to distinguish, faster than any human expert, a cyber threat from benign anomalies in the behavior of networks, operators and software..."
1. Observation
2. Interpretation
3. Evaluation
4. Decision
Cloud service delivered as SaaS
How can W4CS be used?
(diagram: QRadar SIEM, QRadar Advisor, W4CS)
QRadar Advisor

Security Analysts
• Manage alerts
• Research security events and anomalies
• Evaluate user activity and vulnerabilities
• Configuration
• Other

Security Analytics
• Data correlation
• Pattern identification
• Thresholds
• Policies
• Anomaly detection
• Prioritization

Watson for Cyber Security
• Security knowledge
• Threat identification
• Reveal additional indicators
• Surface or derive relationships
• Evidence

QRadar Watson Advisor
• Local data mining
• Perform threat research using Watson for Cyber Security
• Qualify and relate threat research to security incidents
• Present findings

With QRadar Advisor you harness the full potential of Watson for Cyber Security.
What are the requirements for using QRadar Advisor?
Any customer running version 7.2.8 or above can try QRadar Watson Advisor for 30 days. The trial is initiated through the AppExchange:
1. Direct the customer to https://exchange.xforce.ibmcloud.com/hub to initiate the trial
2. The customer will be instructed to set up a user ID if they don't have one already
3. An email will be sent to the customer with a link, password and instructions
4. The customer will receive a follow-up call within 24 hours
QRadar content types:
Dashboard: widgets that present visual/graphical representations of saved search results.
Report: templates for scheduled or on-demand reports built upon saved event or flow searches.
Saved Searches: search criteria.
Custom Rules: tests that are run against events and/or flows. When a rule "fires" it can trigger an action (offense, new event, email notice, data collection, etc.).
Custom Property: defines a property to be extracted or derived from an inbound event or flow, by regex or calculation.
Reference Data: container definition for holding reference data that can be used by searches and rules.
Custom Action: custom response for a rule when "fired".
Application: enhancement/extension to QRadar that can provide new tabs, API methods, dashboard items, context menus, config pages, etc.
Log Source Extension: a parsing logic definition used to synthesize a custom DSM for an event source for which there is no existing DSM.
Custom QIDMap: supplements the out-of-the-box QIDMap QRadar provides, in order to include QIDMap entries for events not formally supported by QRadar.
Historical Correlation: combination of a saved search and a set of rules that allows a user to test rules by re-running a set of historical events "offline".
Custom Function: SQL-like function that can be used in an Advanced Search to enhance or manipulate data.

How is QRadar Advisor installed?
• Directly from the QRadar AppExchange marketplace
• AppExchange provides a system for creating and sharing apps
How do I access QRadar Advisor?
From the dedicated tab you can open the Advisor main page and view all the investigations performed by Watson.
Where do I start to activate Watson?
The help of Watson for Cyber Security can always be triggered through the analysis of an offense.
What information is used for Watson's investigation?
The side panel of the screen displays the information needed for Watson's investigation.
The "observables" used by Advisor
Observables are the set of data collected from the offense for the events analyzed locally by QRadar Advisor, enriched with data from external research sources (e.g. feeds). Only a subset of this data is sent to Watson for Cyber Security to investigate potential threats.

| Observable Type | Description | Sent to W4CS |
|---|---|---|
| Source IP | External source IPs that appear in an offense, enforced by respecting the Network Hierarchy defined in QRadar | Yes |
| Destination IP | External destination IPs that appear in an offense, enforced by respecting the Network Hierarchy defined in QRadar | Yes |
| File Hash | Hash value of a file that is deemed suspicious | Yes |
| URL | External URLs that appear in an offense | Yes |
| Domain | External domains that appear in an offense | Yes |
| Destination Port | Destination ports belonging to destination IPs | No |
| User Agent | The user agent identified by a browser or HTTP application | No |
| AV Signature | Malware signatures identified by antivirus solutions | No |
| Email Address | Email addresses associated with suspicious emails | No |
| File Name | Names of suspicious files | No |
| Source Port | Source ports belonging to source IPs | No |
| Destination ASN | Autonomous System Number of a destination IP address (from a DNS) | No |
| Source ASN | Autonomous System Number of a source IP address (from a DNS) | No |
| Destination Country | Name of the destination country of outbound communications | No |
| Source Country | Name of the source country of inbound communications | No |
| Low Level Category | Low-level QRadar offense category | No |
| High Level Category | High-level QRadar offense category | No |
| Direction | Direction of communication | No |
| User name | Aliases that may attempt to access critical internal infrastructure | No |
Observables: security, control and privacy
Observables are the set of data collected from the offense for the events analyzed locally by QRadar Advisor, enriched with data from external research sources (e.g. feeds). Only a subset of this data is sent to Watson for Cyber Security to investigate potential threats.

CONTROL
• QRadar Advisor with Watson references the Network Hierarchy defined in QRadar
• The QRadar administrator can control which types of observables are sent, in the QRadar Advisor with Watson administration page
• The QRadar administrator can select which custom properties are mapped to observable types

PRIVACY
• Only external URLs, domains, IPs, ports and ASN values are sent to W4CS
• After an investigation, all observables sent to W4CS are destroyed, and the results of the investigation are also not persisted in the cloud
• W4CS does not track the IPs or the specific instance of QRadar Advisor with Watson submitting the investigation requests, to preserve anonymity

SECURITY
• Observables are sent via an encrypted channel to Watson for Cyber Security
• Watson for Cyber Security isolates each customer's offense investigation
• Watson for Cyber Security can only be accessed by authorized QRadar Advisor with Watson apps
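An added example (not IBM's or QRadar's code) that models the filtering described on the two observables slides above: the type table decides which observable types may leave QRadar at all, the Network Hierarchy decides whether an IP, URL or domain counts as external, and the administrator can switch types off. The hierarchy ranges, the internal domain suffixes and the sample offense are constructed for the example.

```python
"""Model of the observable filtering described on the slides: decides which
offense observables may be sent to Watson for Cyber Security (W4CS). Added
example, not IBM's code; hierarchy ranges, suffixes and offense are constructed."""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlparse

# Observable types and whether the slides' table marks them "Sent to W4CS".
DEFAULT_POLICY = {
    "source_ip": True, "destination_ip": True, "file_hash": True,
    "url": True, "domain": True,
    "destination_port": False, "user_agent": False, "av_signature": False,
    "email_address": False, "file_name": False, "source_port": False,
    "destination_asn": False, "source_asn": False,
    "destination_country": False, "source_country": False,
    "low_level_category": False, "high_level_category": False,
    "direction": False, "user_name": False,
}

# Constructed stand-in for the QRadar Network Hierarchy: addresses inside
# these ranges are internal and never leave QRadar, whatever their type.
NETWORK_HIERARCHY = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("2001:db8::/32"),
]
# Assumption for this example: hosts under these suffixes are internal too,
# so internal URLs and domains stay local the same way internal IPs do.
INTERNAL_DOMAIN_SUFFIXES = (".corp.example",)

@dataclass(frozen=True)
class Observable:
    otype: str   # a key of DEFAULT_POLICY
    value: str

def is_internal_ip(value: str) -> bool:
    """True if value is an IP literal that falls inside the hierarchy."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in NETWORK_HIERARCHY)

def is_internal_host(host: str) -> bool:
    """True for internal IP literals and for hosts under an internal suffix."""
    host = host.lower().rstrip(".")
    if is_internal_ip(host):
        return True
    return any(host == s.lstrip(".") or host.endswith(s)
               for s in INTERNAL_DOMAIN_SUFFIXES)

def is_external(obs: Observable) -> bool:
    """The slides' 'external only' rule for IPs, URLs and domains; other
    types carry no locality and pass. A URL without a host fails closed."""
    if obs.otype in ("source_ip", "destination_ip"):
        return not is_internal_ip(obs.value)
    if obs.otype == "url":
        host = urlparse(obs.value).hostname or ""
        return bool(host) and not is_internal_host(host)
    if obs.otype == "domain":
        return not is_internal_host(obs.value)
    return True

def partition_observables(observables, policy=None, disabled_types=frozenset()):
    """Split observables into (sent, kept_local). An observable is sent only
    if its type is sendable in the policy, the administrator has not disabled
    the type, and it is external. Unknown types fail closed (kept local)."""
    policy = DEFAULT_POLICY if policy is None else policy
    sent, local = [], []
    for obs in observables:
        allowed = policy.get(obs.otype, False) and obs.otype not in disabled_types
        (sent if allowed and is_external(obs) else local).append(obs)
    return sent, local

# Constructed sample offense: a mix of internal and external observables.
SAMPLE_OFFENSE = [
    Observable("source_ip", "10.20.30.40"),                  # internal
    Observable("destination_ip", "203.0.113.7"),             # external
    Observable("url", "http://files.corp.example/login"),    # internal host
    Observable("url", "http://203.0.113.7/payload.bin"),     # external host
    Observable("domain", "update.example.net"),              # external
    Observable("file_hash", "ab" * 32),                      # placeholder hash
    Observable("destination_port", "443"),                   # never sent
    Observable("user_name", "jdoe"),                         # never sent
]

if __name__ == "__main__":
    sent, local = partition_observables(SAMPLE_OFFENSE)
    print("sent:", [o.value for o in sent], "local:", [o.value for o in local])
```

Passing `disabled_types={"url"}` models the administrator switching a type off on the Advisor administration page; the four observable types the table marks "No" never leave QRadar regardless.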
The response from Watson for Cyber Security
W4CS presents a "knowledge graph", a view of the relationships between entities and observables. From the Incident Overview page, select the incident to drill into the details with "Explore Insights". The knowledge graph uses a colour for each type of information. To remove secondary information and make the graph easier to interpret, use the "Key Insights only" button.
Cognitive significantly reduces threat research and response time

Manual threat analysis: Incident Triage → Investigation and Impact Assessment → Remediation: days to weeks
IBM W4CS assisted threat analysis: Incident Triage → Investigation and Impact Assessment → Remediation: minutes to hours

Fast and accurate analysis of security threats, saving time and resources
• Accelerates the handling of incident cases automatically
• Relieves worries and pressures caused by a lack of skills
• Increases the analysis speed of the security team
THANK YOU
FOLLOW US ON:
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
Questions?