security incident and event management...
TRANSCRIPT
SECURITY INCIDENT AND
EVENT MANAGEMENT (SIEM)
MANAGED AND HOSTED
SOLUTIONS FOR IBM QRADAR
MEET THE
EXPERTS
PATRICK ZELTEN
Vice President
Managed Services
Forsythe
CHRIS COLLARD
Offering Manager
QRadar SaaS, Cloud & MSS
IBM
TODAY’S SECURITY CHALLENGES
WE’VE ALL SEEN WHO’S
BEEN IN THE HEADLINES…
Online Properties Automotive Retail
Fast Food Healthcare Manufacturing
Media & Entertainment Travel Telecommunications
AND WE’VE ALL HEARD
FROM THE EXPERTS
“You can’t protect everything equally…
we have to find a way to control only
what matters.”
Earl Perkins, VP, Gartner
“Today's security climate is such that enterprises fear becoming victims of the next major cyber attack
or cyber extortion."
Sean Pike, VP, IDC
“…many global enterprises face targeted attacks on a daily basis.”
Chris Sherman, Sr. Analyst, Forrester
Shortage is projected to reach
1.8 million professionals by 2022
MIND THE GAP
THE SECURITY TALENT
GAP IS GROWING
Source: 2017 Global Information Security Workforce Study (GISWS)
BUT WHERE ARE THE REAL
SECURITY THREATS LURKING?
Firewall Anti-malware Servers Perimeter
Proxies Intrusion detection and protection
Antivirus Infrastructure devices
ULTIMATE GOAL
IS TO MAKE THE
COMPANY MORE
SECURE
What to do?
Limited resources
Limited time
Limited money
Ask yourself:
a) Finding and retaining skilled security personnel
b) Filling a security capability gap
c) Getting value from the tools we have
d) Keeping up with day to day operations
WHAT IS YOUR BIGGEST
SECURITY CHALLENGE?
WHAT IS A SIEM AND
WHY DO I NEED ONE?
Defined, a SIEM stands for
Security Information and Event
Management and is software
that identifies real-time possible
security threats by analyzing
alerts generated from network
and security technologies
WHAT IS
A SIEM?
WHAT DOES A SIEM DO?
SIEM
1. Various technologies are deployed in an IT
environment..
2. They throw off alerts recorded in log files..
3. That are fed into the SIEM software.
4. SIEM is configured with rules and use cases to
identify possible threats.
5. SOC team proactively monitors the SIEM and
investigates alerts triggered by the SIEM.
6. When threats are identified, remediation
actions are taken on the technologies, and..
7. Where investigated alerts are not deemed to
be threats (“false positives”), rules and use
cases are updated to suppress future
alerting.
1
2
3
45
6
7
Reduce the number of people
needed to stay on top of alerts
Focus staff on threats requiring
investigation and remediation
Customize unique rules to
eliminate ‘false positive’ alerts
HOW DOES A SIEM
HELP SECURITY
POSTURE?
LET’S TALK ABOUT AN INDUSTRY-
LEADING SIEM TECHNOLOGY…
IBM QRadar
Chris Collard
September, 2017
Offering Manager - QRadar
18 IBM Security
Advanced ThreatDetection
Insider Threat
Securing theCloud
Risk and VulnManagement
A cognitive security operations platform for the threats of tomorrow
Critical Data Protection
Compliance
IncidentResponse
Fast to deploy, easy to manage,
and focused on your success
19 IBM Security
Watson for Cyber Security and i2 Enterprise Insight Analysis
Core cognitive
capability that
continuously
understands,
reasons, and
learns the many
risk variables
across the
entire security
ecosystem
Cyber analysis
to hunt for
attackers and
predict threats
IBM QRadar: Continued investment based on client needs
Incident
Response and
Network
Insights
Integration
with Resilient
enables building
and executing
automated
incident
response plans
Network Insights
bridges flows
and full packet
capture,
enhancing
real-time
detection
Security
Intelligence
on Cloud
and Apps
Deploy as
SaaS offering
or combine
with hybrid cloud
and on-prem
environments
Easily extend
QRadar with
apps, available
on curated
IBM App
Exchange
Network
Forensics
Incident
forensics
including
full packet
capture,
storage,
indexing,
searching and
session
reconstruction
Vulnerability
and Risk
Management
Real-time
vulnerability
scanning and
prioritizations,
combined with
configuration
analysis, policy
monitoring, and
risk assessment
Log
Management
Identity
management,
complete log
management,
and compliance
reporting
SIEM
Combined
flows, behavioral
analytics, SIM
and vulnerabilities
into one of the
first SIEMs
Clie
nt
Nee
ds
Flow
Visualization
and NBAD
Anomaly
detection
and threat
resolution plus
network
visualization
Pla
tfo
rm e
vo
luti
on
ba
se
d o
n c
lie
nt
ne
ed
s
2002 – 2005 2006 – 2007 2008 – 2009 2010 – 2013 2014 2015 2016 2017
20 IBM Security
Cognitive Security Starts HereIBM Security Introduces a Revolutionary Shift in Security Operations
IBM CONFIDENTIAL
• Employs powerful cognitive capabilities to investigate and qualify security incidents and anomalies on behalf of security analysts
• Powered by Watson for Cyber Security to tap into vast amounts of security knowledge and deliver insights relevant to specific security incidents
• Transforms SOC operations by addressing current challenges that include skills shortages, alert overloads, incident response delays, currency of security information and process risks
• Designed to be easily consumable: delivered via IBM Security App Exchange and deployed in minutes
NEW! IBM QRadar Advisor with Watson
21 IBM Security
Revolutionize how security analysts work
Automatically uncover new
security context and full scope
of an incident
• 2.3M+ security documents
• 10B+ security data elements
• 80K+ documents read per day
• 250K+ investigations enhanced
in just six months
IBM QRadar Advisor with Watson
22 IBM Security
Case Study: An international energy company reduces billions of events per day to find those that should be investigated
An international energy firm analyzes
2 billionevents per day to find
20-25potential offenses to investigate
Business challenge
Reducing huge number of events to find the ones that need to be investigated
Automating the process of analyzing security data
IBM Security Solutions (QRadar SIEM, QFlow, Risk Manager)
Combined analysis of historical data with real-time alerts to gain a ‘big picture’ view and uncover
patterns of unusual activity humans miss and immediately block suspected traffic
Optimize threat analysis
Ask yourself:
a) Haven’t considered
b) Currently evaluating
c) Deployed and running smoothly
d) Deployed but unmanaged
WHERE ARE YOU ON YOUR SIEM
“JOURNEY”?
POSITIONING FOR
SUCCESS
CONSUMPTION
MODELS
Deployed SIEM
Buy a SIEM and run it
Co-Managed SIEM
Buy a SIEM and have an MSSP
help support it
As-a-Service SIEM
Full Opex model for SIEM and
operations, pay as you go
IBM QRADAR
The backbone of
Forsythe’s SIEMaaS
Inclusive of hardware, SIEM
software, hosting, and support
Located in Forsythe’s Uptime
Institute certified Tier III hosting
facility in Chicago
Priced on a per Events Per
Second (“EPS”) basis
FORSYTHE
SIEMAAS
KEY SERVICE COMPONENTS
Event
Management
Ongoing
Tuning
Technology
Lifecycle
Management
Incident
Management
WHAT TO LOOK FOR IN AN MSSP
PARTNERSHIP
Setting Expectations
A good partner will help you ask the
right questions upfront to set
appropriate expectations and
avoid surprises.
Onboarding for Success
A successful activation requires
upfront tuning of the environment.
Make sure the partner offers this.
Engineering Expertise
Be clear on the level of technical
expertise and if the technical team
is tasked with identifying and
rectifying issues proactively.
Ongoing Tuning
Work with a partner whose shared
goal is your improved security
posture and will therefore perform
the required tuning.
Flexibility
Understand that some providers are
more flexible than others.
Culture and Communication
For a partnership to work, everyone
needs to be dedicated to problem-
solving, effective communications
and a shared sense of teamwork.
GETTING
STARTED
1. Understand your security
mandate
2. Determine build-vs-buy
consumption model
3. Do not get caught in product
comparison paralysis
4. Evaluate staffing limitations
and priorities
5. Engage an MSSP where
appropriate to add value
6. Identify and incorporate SLAs
into contracts
7. Check references