dispatches from the front: what does it take to deploy ibm security qradar?

Dispatches from the front: What does it take to deploy IBM Security QRadar? Examining TCO and ROI across 25 Organizations. Dr. Larry Ponemon, Research Principal – Ponemon Institute, LLC; Jason Corbin, Director Product Management – IBM Security Systems; Jay Bretzmann, Segment Manager Security Intelligence – IBM Security Systems. February 12, 2014. © 2014 IBM Corporation, IBM Security Systems.

Posted on 14-Sep-2014. Category: Technology


DESCRIPTION

Ease of deployment, workable results within days or hours, and superior visibility through one customizable and intuitive dashboard interface are three of the many key differentiators that have led clients to choose the IBM Security QRadar Platform. Join members of IBM Security Systems and special guest Dr. Larry Ponemon of the Ponemon Institute to hear about the Total Cost of Ownership and Return on Investment experiences associated with IBM Security Intelligence, contrasted with competitive solutions. View the full on-demand webcast: https://www2.gotomeeting.com/register/482658634

TRANSCRIPT

Page 1: Dispatches from the front: What does it take to deploy IBM Security QRadar?

© 2014 IBM Corporation, IBM Security Systems

Dr. Larry Ponemon, Research Principal – Ponemon Institute, LLC
Jason Corbin, Director Product Management – IBM Security Systems
Jay Bretzmann, Segment Manager Security Intelligence – IBM Security Systems

February 12, 2014

Dispatches from the front: What does it take to deploy IBM Security QRadar? Examining TCO and ROI across 25 Organizations

Page 2: Dispatches from the front: What does it take to deploy IBM Security QRadar?

Two of the most common requests from prospective clients

1. What does it take to implement a SIEM solution?
2. What value do clients receive from SIEM investments?

Page 3: Dispatches from the front: What does it take to deploy IBM Security QRadar?

Customer comments always alluded to the value…

“Without QRadar QFlow Collectors, it would be impossible to identify network anomalies. QRadar SIEM helps us take any network behavior and judge its relative importance to the company’s overall security posture.” – Ron Porritt, Information Security Engineer for Gordon Food Service

“We evaluated several security and compliance solutions, but each required dedicated in-house or 3rd-party professional services. QRadar SIEM was the only solution we tested that immediately worked out-of-the-box.” – Bill Baker, Lead Security Analyst, S1 Corporation

“Results were instantaneous. As soon as the system was up and running, we found close to 20 bot-controlled hosts on the network, which we were able to immediately isolate and remove.” – Graydon Huffman, Senior Systems Security Specialist, Wayne State University

“We’ve been working hard on QRadar for a year and a half and we’re collecting a billion events per day. We call this Data Fusion Management because we’re collecting everything we can all across the world and it’s been a critical improvement in our ability to stay secure.” – Tony Spinelli, Senior VP & CISO for Equifax

Page 4: Dispatches from the front: What does it take to deploy IBM Security QRadar?

…but we sought a better quantification of their experiences

Determine total investment in SIEM technologies
– Fully loaded labor costs for implementation and ongoing maintenance
– Total service fees for contractors, consultants and managed service providers

Understand how long it takes to implement a SIEM

Hear what sort of investment return clients realize

Sample distribution by industry:
Financial services 24%
Public/government 20%
Energy & utilities 20%
Healthcare 12%
Manufacturing 8%
Retail 8%
Services 8%

Page 5: Dispatches from the front: What does it take to deploy IBM Security QRadar?

Sample distribution by former SIEM installed:
HP ArcSight 32%
McAfee Nitro 20%
RSA Netwitness 16%
Splunk 12%
LogRhythm 12%
Other 8%

Collected from organizations with prior SIEM installations

Key requirement for participation was prior experience with a competitive product

Included a cross-section of observations in multiple industries from leading suppliers

Conducted in a totally blind and confidential manner by a well-respected firm

Page 6: Dispatches from the front: What does it take to deploy IBM Security QRadar?

Today’s speakers and discussion format

ANALYSIS: Dr. Larry Ponemon, Research Principal, Ponemon Institute, LLC

PERSPECTIVE: Jason Corbin, Director Product Management, IBM Security Systems

Page 7: Dispatches from the front: What does it take to deploy IBM Security QRadar?

Ponemon Institute LLC

The Institute is dedicated to advancing responsible information management practices that positively affect privacy and data protection in business and government.

The Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations.

Ponemon Institute is a full member of CASRO (Council of American Survey Research Organizations). Dr. Ponemon serves as chairman of the Government & Public Affairs Committee of the CASRO Board.

The Institute has assembled more than 65 leading multinational corporations into the RIM Council, which focuses on the development and execution of ethical principles for the collection and use of personal data about people and households.

The majority of active participants are privacy or information security leaders.

Ponemon Institute: Preliminary Analysis

Page 8: Dispatches from the front: What does it take to deploy IBM Security QRadar?


The Findings

Page 9: Dispatches from the front: What does it take to deploy IBM Security QRadar?

Reasons for switching to QRadar

Analysis conducted from 25 confidential interviews of QRadar users

Operating costs 8%
Product cost 8%
Other 12%
Performance issues 16%
Complexity issues 20%
Organizational changes 28%
Interoperability issues 36%
Management mandate 36%
Vendor support problems 40%
Maintenance cost 40%

Page 10: Dispatches from the front: What does it take to deploy IBM Security QRadar?

Average time (months) to fully implement SIEM across the enterprise

Analysis conducted from 25 confidential interviews of QRadar users

Average months to implement SIEM across the enterprise:
QRadar 5.5
Former SIEM 15.2

Page 11: Dispatches from the front: What does it take to deploy IBM Security QRadar?

Anomalous traffic detected relative to total netflow

Comparison of QRadar experience to former SIEM provider experience

Anomalous traffic detected relative to total netflow:
Significantly increased 44%
Increased 28%
No change 28%
Decreased 0%
Significantly decreased 0%

Page 12: Dispatches from the front: What does it take to deploy IBM Security QRadar?

Comparison of QRadar experience to former SIEM provider experience for nine attributes

Percentage of companies that said each attribute either decreased or significantly decreased after the deployment of QRadar:
Frequency of denial of service attacks 28%
Frequency of data breach incidents 36%
Average duration of IT downtime caused by cyber attacks 36%
The total cost of downtime and business disruption caused by cyber attacks 40%
Non-compliance with policies, regulations and external standards 44%
Average duration of business disruption caused by cyber attacks 48%
Average time to contain compromises 64%
False positive rates 80%
Average time to detect compromises 80%

Significantly decreased and decreased responses combined

Page 13: Dispatches from the front: What does it take to deploy IBM Security QRadar?

Does QRadar meet expectations?

Analysis conducted from 25 confidential interviews of QRadar users

Does QRadar meet your expectations?
Exceeds expectation 56%
Meets expectation 36%
Does not meet expectation 8%

Page 14: Dispatches from the front: What does it take to deploy IBM Security QRadar?


Summary

Page 15: Dispatches from the front: What does it take to deploy IBM Security QRadar?

Delivering multiple security capabilities through a purpose-built, extensible platform

Architecture diagram of the IBM QRadar Security Intelligence Platform; labels recovered from the slide:
Southbound APIs; Northbound APIs
Real Time Structured Security Data; Unstructured Operational / Security Data
LEEF; AXIS; Configuration; NetFlow; Offense
Security Intelligence Operating System: Log Management; NextGen SIEM; Network Activity Monitoring; Risk Management; Vulnerability Management; Future
Reporting Engine; Workflow; Rules Engine; Real-Time Viewer; Analytics Engine; Warehouse; Archival; Normalization

Page 16: Dispatches from the front: What does it take to deploy IBM Security QRadar?

IBM QRadar Security Intelligence Platform: Providing actionable intelligence

AUTOMATED – Driving simplicity and accelerating time-to-value

INTEGRATED – Unified architecture delivered in a single console

INTELLIGENT – Correlation, analysis and massive data reduction

Page 17: Dispatches from the front: What does it take to deploy IBM Security QRadar?

Answering questions to help prevent and remediate attacks

What was the attack?
Who was responsible?
How many targets were involved?
Was it successful?
Where do I find them?
Are any of them vulnerable?
How valuable are the targets to the business?
Where is all the evidence?

Page 18: Dispatches from the front: What does it take to deploy IBM Security QRadar?

Summary

Automation of data collection, asset discovery, asset profiling and more
– Impact: Reduced manual effort, fast time to value, lower-cost operation

Flexibility and ease of use enabling “mere mortals” to create and edit correlation rules, reports and dashboards
– Impact: Maximum insight, business agility and lower cost of ownership

Real-time correlation and anomaly detection based on the broadest set of contextual data
– Impact: More accurate threat detection, in real time

Integrated flow analytics with Layer 7 content (application) visibility
– Impact: Superior situational awareness and threat identification

Scalability for the largest deployments, using an embedded database and unified data architecture
– Impact: QRadar supports your business needs at any scale

Page 19: Dispatches from the front: What does it take to deploy IBM Security QRadar?

Learn more about IBM QRadar Security Intelligence

Visit our:
Blog: www.securityintelligence.com
Website: http://ibm.co/QRadar

Read our IT Executive Guide to Security Intelligence white paper: ibm.co/11HQdfc

Download the 2013 Gartner Magic Quadrant for SIEM: http://ibm.co/GMQ

Page 20: Dispatches from the front: What does it take to deploy IBM Security QRadar?

Pulse Protect 2014: The Security Forum at Pulse 2014
February 23–26, MGM Grand – Las Vegas, Nevada

Pulse Protect 2014 will feature three days and 50+ sessions on the hottest security topics including security and threat intelligence, application and data security, vulnerability management, defense against web fraud and advanced malware, identity and access management, network security and emerging topics such as cloud and mobile security.

HIGHLIGHTS

Threat Research: Hear from X-Force as well as IBM’s malware and application security researchers.

CISO Lunch & Networking: Hear from IBM’s CISO and other industry leaders while networking with your peers.

Introducing Trusteer: Discover Trusteer’s unique approach to addressing web fraud and malware.

Client & IBM led sessions: Featuring leading clients such as Standard Bank, WestJet & Whirlpool.

Learn more at ibm.com/security/pulse

Page 21: Dispatches from the front: What does it take to deploy IBM Security QRadar?


Questions & Answers

Page 22: Dispatches from the front: What does it take to deploy IBM Security QRadar?


www.ibm.com/security

© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.