wk04-CLO2-SIEM-Architecture copy.pptx

Full Transcript

Search  Important dr said 90 min
Clo 1 (week1&2)  10 MCQ + 2 short answer + 1 matching
Search  Important for exam & Clo 2 (week3&4)  10 MCQ + 2 short answer + 1 matching

CSF 4613 – Security Intelligence
‫مهم‬

Ask dr slides 25 point 4 not clear

Week 04 (CLO2)
- IBM QRadar Architecture and Functional Components
Objectives
After completing this unit, you should be able to:
Understand the security architecture big picture
Explain the architecture (building blocks) of the QRadar SIEM
Understand the functionality of individual components of QRadar
Relate the functionality of one component of QRadar to other functional components

2
Contents
Security architecture: The big picture
The functional components of IBM QRadar

3
 What are the key features that an architecture
should focus on according to the text?
ANSWER

Overall environment of the system
Relationships between system elements
Main functions without details
Use of established frameworks (e.g., TOGAF,
OESA, COBIT, ISO/IEC 27001)

Security architecture: The big picture
 What is an architecture?
1. An architecture takes into consideration the overall environment in which the
system (IT system) operate.
2. It determine all the elements of the IT system and their relationships
3. An architecture describes the fundamental properties of the IT system; it focuses
on the essentials and does not cover details.  It focuses on the main features, not
the details
4. An organization should use a well accepted enterprise security architecture
framework for creating the organization’s security architecture. For example,
> TOGAF (The Open Group Architectural Framework)
> OESA (Open Enterprise Security Architecture)
> Control Objectives for Information and Related Technology (COBIT)
> ISO/ IEC 27001:2013 Security techniques – Information security management systems
> ISO/ IEC 27002:2013 Security techniques – Code of practice for information security controls
1. Architecture considers the system's environment:
It looks at how the system will work with other systems and users around it. © Copyright IBM Corporation 2015
5
 What is an architecture? (cont.)
Brief description of famous security architecture frameworks,
 TOGAF covers the development of four related types of architecture (not security-focused); these four
types of architecture are commonly accepted as subsets of an overall enterprise architecture,
Business Architecture

Data Architecture

Application Architecture

Technology Architecture

 The OESA is a policy-driven security architecture that places this architecture in the context of a
larger enterprise security program and describes the major elements of an ESA

© Copyright IBM Corporation 2015
6
 Syste
Security Intelligence: The
Management
Consulting
ms
ProductsBackbone
Integrated
Integra
tion
of a comprehensive security
Security
as a Service

architecture
SECURITY Advanced Mobile and Compliance Skills
Cloud
TRENDS Threats Internet of Things Mandates Shortage

Comprehensive Security Portfolio

Strategy, Risk, and Compliance Cybersecurity Assessment and Response

‫االستخبارات األمنية والعمليات‬
Security Intelligence and Operations

Advanced Identity Data Application Network, Mobile
Fraud and Access Security Security and Endpoint
Protection Management Protection

Advanced Threat and Security Research

DELIVERY
MODELS

© Copyright IBM Corporation 2015 7
 Search  Important dr said Organization can be divided in 3 category
‫فئات النضج‬
Quiz important
Maturity categories of integration
‫للتكامل‬ Optimized :
All automated and all proactive
Organizations using proactive and automated
1. Basic – organization See notes security tools can boost their security. By
In Sec
gathering and combining logs and data from
employ perimeter
te u different sources, they get a clearer view of their
protection and feed llig rit security situation. This information includes
manual reporting, very en y details about important assets, weaknesses, and
ce
reactive in nature. worldwide threats, helping teams make better
decisions. Overall, these tools help

O
2. Proficient – organization

Automated

‫ل‬
organizations identify potential risks and

pt
‫مث‬
implements “security in

‫ال‬
im
strengthen their defenses.

‫ا‬
depth” Security is layered

ize
into the IT fabric and business Optimized

d
Pr
‫ هر‬cie
operations and it’s use both Organizations use

‫ما‬
ofi
automated, –proactive
3. Optimized also
Organizations predictive and automated
manual, and reactive security analytics to drive
use proactive and
toward security

nt
automated security
intelligence
analytics to drive toward ‫ ي‬si
‫س‬
Basic
Ba
security intelligence
Manual

‫ ا‬c ‫س‬
Organizations ‫أ‬
Proficient
d all reactive employ perimeter
Security is layered Ex: HR department
protection, which
ch; they regulates access and
into the IT fabric and work In HR
business operations
nding feeds manual reporting Reactive Proactive software
d feed ‫تفاعل‬ ‫استباقي‬
ting, very ‫ي‬
Proficient :
ture. Different systems work together and work auto and manual operations also work proactive and© reactive
Copyright IBM Corporation 2015
8
 ‫تطبيق البيانات الضخمة في مجال االستخبارات األمنية وإدارة‬
‫التهديدات‬
Apply Big Data to Security Intelligence and threat management

 Collection, storage, and processing
‫النضج‬  Collection and integration
Logs  Size and speed
‫األساسي‬
Basic maturity EventsAlerts  Enrichment and correlation

Configuration  Analytics and workflow‫التحليالت وسير العمل‬
information  Visualization
System Identity  Unstructured analysis
audit trails context  Learning and prediction
 Customization
Network flows  Sharing and export
and anomalies
External threat Full packet and  Global intelligence‫االستخبارات العالمية‬
intelligence DNS captures  Campaign identification
feeds  IP reputation covering
Web page Business
attacker, industry, and region
text process data
 Comparisons
Optimized Email and Customer  Anomaly detection
‫النضج‬ maturity social activity transactions
‫األمثل‬
9
 ‫فئات النضج وأنواع حلول األمان‬
See notes
Maturity categories and security solution types
Security intelligence refers to the
collection, aggregation, normalization, Security Intelligence:
and analysis of data generated by an Information and event management
organization's security systems to Advanced correlation and deep analytics
Security
understand and improve its overall
Intelligence External threat research
security posture.
Optimized
 Threat intelligence: Process 1. Role-based analytics 1. Advanced network
1. Secure app monitoring
of collecting, analyzing, and 2. Identity governance 1. Data flow analytics engineering
processes 2. Forensics/data
applying information about 3. Privileged user 2. Data governance mining
controls 2. Fraud detection
current and potential threats 3. Secure systems
to an organization

1. User provisioning 1. Virtualization
(management) security
1. Access monitoring 1. Application firewall
2. Access 2. Asset management
Proficient management 2. Data loss prevention 2. Source code
scanning 3. Endpoint/network
3. Strong security
authentication management

1. Data Encryption 1. Perimeter security
Basic Centralized directory Application scanning
2. Access control 2. Anti-virus

‫الدليل المركزي‬
Network, Mobile,
Identity and Access and Endpoint
Management Data Security Application Security Protection and ,Fraud
‫ المحمول‬,
Protection
‫نقطة النهاية‬
‫أمن البياناتإدارة الهوية والوصول‬ ‫أمان التطبيق‬ ‫ة من االحتيال‬
10
QRadar functional components
 Search  Important dr said
QRadar SIEM logical components and data flow
The event processor & flow processor will send these data to the Console and then the console generates an offense.
 Which c
Network Network Central User Console
Logs Logs  Magistrate (manages offense creation and magnitude) manage
packages flows A) Mag
 Global correlation across flow and event processors
 Offense management B) Arie
 Asset and identity management C) Pos
 Event Processor  Correlation & store D) Flo
Flow Collector Event Collector  Rule Processor & DSM (device support modules)
 Storage for events, accumulated meta data
 Storage for flows, accumulated meta data
 Event Collector ‫االلتحام‬
 Log event collection, coalescing (combining), and
Flow Processor Event Processor normalization
 Third-party flow collection such as NetFlow, sFlow, J-Flow,
Correlation & store deduplication, and recombination
The flow  Flow Collector Flow Collector & Event Collector both is doing normalize - only data t
 QFlow (collects information from NetFlow protocol) and
Console Superflow (for detailed analysis) creation, and application
detection (categorize network traffic based on applications)
-
-
QFlow (Flow Collector): Collects network traffic data using the NetFlow protocol. Handle
Superflow Creation: Provides detailed analysis by creating more in-depth traffic

-
records.
Application Detection: Identifies and categorizes traffic based on the applications
events
generating it. 12
From NetFlow to QFlow to QRadar Incident Forensics
NetFlow collects data about the flow of packets in a network, focusing on the direction of data, the IP
addresses involved, the ports being used, and how the data is prioritized. This helps network
Internet/ administrators monitor and manage network performance effectively.
intranet
 Netflow: packet-oriented, identifies unidirectional (only right  or lift
) sequences sharing source and destination IPs, ports, and type of
packet service

 QFlow: packet-oriented, identifies bidirectional (right  & lift )
Internet/
intranet sequences grouped into sessions, also identifies applications by
capturing the beginning of a flow
QFlow looks at small pieces of data (packets) that are sent back and forth between two devices, like a computer and a server. It
organizes these packets into sessions, which are groups of related messages exchanged during a conversation. By checking the
beginning of these conversations, QFlow can figure out which applications are being used, like a web browser or a video call app.
This helps in monitoring network traffic and understanding how different applications work.
Internet/  Competitive solutions: session-oriented, some only capture a
intranet subset of each flow and index only the metadata—not the
payload

 QRadar Incident Forensics: session-oriented, captures all
Internet/ packets in a flow indexing the metadata and payload to enable
intranet
fast search-driven data exploration
QRadar Incident Forensics tracks complete interactions between devices records every
detail of those interactions, organizes that information, and allows for quick searches to
help analyze security incidents. 13
 Search  Important dr said: database Quiz important
QRadar high-level architecture
Flow and event data is stored in the Ariel database
Identity on the Event Processors ‫مهم‬
Asset
Offense  If accumulation is required, accumulated data is stored in the Ariel
accumulation database
 As soon as data is stored, it cannot be changed (tamper proof)
Console Services
User interface
Magistrate
Reporting Offenses, assets, and identity information are stored
in the master PostgreSQL database on the Console
Flows  Scalability and performance are managed through bulk insert and update
Events Event Processor
Accumulations transactions and by populating memory caches to avoid numerous round
trips to the database
 Provides one master database with copies on each processor for backup
Flow Collector Event Collector and automatic restore

Secure SSH communication between appliances in a
Sources: Router, switches, firewalls
Protocols: NetFlow, S-Flow, and J-Flow
Events from log
sources distributed environment is supported
 Search  Important dr said
Quiz important
Application detection
‫طرق تحديد تطبيق التدفق‬
Methods of determining the application of the flow
User defined
> This method is mainly used when users have a proprietary application running on their
network
> For example: All traffic going to host 10.100.100.42 on port 443 is recognized to be
MySpecialApplication

State-based decoders
> This method is implemented in the source code and determines the application by analyzing
the payload for multiple markers
> For example:
If we see A followed by B then application = X;
if we see A followed by C, then application = Y
15
 Quiz important
Application detection (cont.)
Methods of determining the application of the flow
Signature matching
> Basic string matching in the payload
> Custom signatures are allowed (see Application Configuration Guide for signature
customization)

Port-based matching
> Port 80 = HTTP (web-based application)
> Port 443 = HTTPS
> Port 22 = SSH
> Port 25 = SMTP traffic and so on

16
4 )FPM( ‫معالجة االندفاع للتدفقات في الدقيقة‬

Flows per minute (FPM) burst handling
1. Flows are temporarily stored in an overflow buffer if the FPM license is exceeded

2. Every log source protocol has an overflow buffer of 100,000 events

3. If the overflow buffer fills up, the additional flows are dropped

4. In general, a Flow Collector can handle an event burst for up to 15 seconds

1. If the FPM license limit is exceeded, flows are stored temporarily in an overflow
buffer.
2. Each log source has an overflow buffer for up to 100,000 events.
3. When the overflow buffer is full, extra flows are dropped.
4. The Flow Collector can handle a sudden event increase for up to 15 seconds.
If the burst lasts longer than 15 seconds, flows may start getting dropped.
17
4 ‫بنية جامع األحداث‬
Search  Important dr said: maybe something missing in diagram explaine diagram
Important for exam
Event Collector architecture
1. Each Event Collector gathers events from local and remote sources Event Processor

2. The Event Collector normalizes events and classifies them into low-
level categories and high-level categories Coalescing filter

3. Log Sources are automatically discovered after record analysis  Log
sources are automatically found after the system analyzes the records.
Device Support Module (DSM)
Parser threads
4. The Event Collector bundles identical events to conserve system DSM normalization filter

usage through a process that is known as coalescing  The Event
Overflow filter
Collector combines the same events to save system resources, a process (enforce license limit)

called coalescing.
Raw data packets received
5. Events are parsed (analyzed) by Log Source parser threads
Event Collector

6. EPS license is checked
Log Sources

Week 3 / slide 19 
18
QRadar Embedded intelligence offers automated offense
identification ‫التعرف اآللي على الجريمة‬

Security devices
Correlation ‫االرتباط‬
Servers and mainframes Logs/events Suspected
Flows incidents
IP reputation
Network and virtual activity
Geographic location True offense‫حقيقية‬ ‫جريمة‬
Data activity
Offense identification ‫تحديد‬
‫الجريمة‬
Application activity Secure archive Credibility
Severity
Configuration information Activity baselining and Relevance
anomaly detection
User activity
Vulnerabilities and threats Database activity
Application activity
Users and identities Network activity Embedded
intelligence
Global threat intelligence

19
4
Auto-discovery of Log Sources ‫االكتشاف التلقائي لمصادر السجل‬

1. Is an essential module for automating a successful evaluation or deployment

2. Categories traffic from devices that are unknown to the system

3. Creates a new Log Source if detection is successful on an IP address

4. Carries out detection only on event protocols that are “pushed” to the Event

Collector, for example, Syslog
1. Automation Module: Automates evaluation and deployment.
2. Traffic Identification: Sorts traffic from unrecognized devices.
3. Log Source Creation: Creates a log source for newly detected devices.
4. Event Detection: Detects specific messages (e.g., syslog) sent to the Event Collector. 20
4 ‫يستخدم تحليل مصدر السجل تعيين البطاقة الشخصية‬
Log Source parsing uses QID mapping
1. The Log Source parser extracts the Log Source Event ID from the log record  Extracts the Log
Source Event ID from the log record.

2. The QID (QRadar Identifier) is a unique ID that links the extracted Log Source Event ID to a QID
 The QID is a unique ID that links the extracted Log Source Event ID to a related QID.

3.  Each QID number links to a custom Event Name and Event description, as well as Event
severity and event category information ‫مهم‬

4. The event category information is structured into High-Level Categories (HLC) and Low-Level
Categories (LLC) every QID is linked to one of these low-level categories.
 event category are organized into two levels. The first level is called High-Level Categories (HLC),
which. represents general types of events The second level is called Low-Level Categories (LLC),
which gives more specific details about the event within the broader category.

For example, "Authentication (HLC) – Admin Login Successful (LLC)" is a category combination
21
4Events per second (EPS) burst handling ‫معالجة اندفاع األحداث في‬
‫الثانية‬

1. Events are temporarily stored in an overflow buffer if the EPS license is exceeded

2. Every log source protocol has an overflow buffer of 100,000 events ‫مهم‬

3. If the overflow buffer fills up, the additional events are dropped ‫مهم‬

4. In general, an Event Collector can handle an event burst for up to 15 seconds
1. If the EPS (Events Per Second) license limit is exceeded, events are temporarily stored in an
‫مهم‬overflow buffer.
2. Each log source has an overflow buffer for up to 100,000 events.
3. When the overflow buffer is full, extra flows are dropped.
4. The Event Collector can handle a sudden event increase for up to 15 seconds. If the burst lasts
longer than 15 seconds, flows may start getting dropped. 22
 Search  Important dr said
4 The main function is correlation and storage Important for exam
Event Processor architecture Anomaly New host
Magistrate
Detection Engine or port event

Every single event and flow is tested against all enabled rules in the

rules engine Accumulations Accumulator Host profiling Exit filter

New offenses (alerts) are created by the Magistrate (see Console) Flows Event storage filter
Events

If a new port or host is detected, an asset profile is updated or created Offense type analyzer

in the PostgreSQL database (see Console)  If a new port or Drop
(no match Custom Rules Engine (CRE)
on events)
device is found, a profile for it is created or updated in the
Overflow filter
(enforce license limit)
PostgreSQL database
Event sources received
Events are accumulated every minute and stored in the accumulator Event Processor

Ariel database  Events are collected every minute and saved in
Event Processor Event Processor Event Processor
Event Processor Event Collector Flow Collector
the Ariel database.
23
4
Custom Rules Engine (CRE) ‫محرك القواعد المخصصة‬
1. Every single event or flow is tested against all enabled rules; matched rules can have a response or
result  Every event or flow is tested automatically based on all the active rules in the system.

2. Matched rules might trigger the creation of an offense or create a CRE event that triggers the creation
of an offense  Matched rules may cause a response, create an offense, or generate a CRE event
leading to an offense. ‫مهم‬

3. Multiple matched events, flows, and matched rules might correlate into a single offense Multiple
events, flows, or rules can combine into a single offense. ‫مهم‬

4. A single event or flow can be correlated (belong) into multiple offenses (important)  A single event or
flow can be part of multiple offenses.

5. By default, rules are tested against events or flows received by a single Event Processor (local rules)

6. Global Cross Correlation (GCC) allows rules testing across multiple Event Processors in the QRadar
SIEM deployment  helping to analyze events from different sources together. 24
 Search  Important dr said
3 ‫مهم‬
Console architecture Magistrate: gather information from all elements events and
flow and then create offenses to help investigator to know the
1. The Magistrate creates and stores offenses in the reason of creation of the offenses.

PostgreSQL database; these offenses are then brought to Offenses

the analyst’s attention in the interface
Magistrate
2. The Magistrate instructs the Ariel proxy to gather Custom Rule
Engine
Assets
information about all events and flows that triggered the
Vulnerability Anomaly
creation of an offense Overflow filter Ariel
Information Detection
‫محرك كشف الشذوذ‬ (enforce license limit) Proxy
Server Engine
3. The Anomaly Detection Engine (ADE) searches the
Event Sources received
Accumulator databases for anomalies, which are then
Console

used for offense evaluation
Ariel Host
Event Processor Accumulators
Event Processor Query Server Profiler
4. The Vulnerability Information Server (VIS) creates new

assets or adds open ports to existing assets based on 1. Magistrate: Creates and stores offenses in the PostgreSQL database.
These offenses are displayed for the analyst in the interface to get the
information from the EPs analyst’s attention 25
Embedded intelligence of QRadar directs focus for investigations
Suspected
incidents

True offense
Directed forensics investigations
Rapidly reduce time to resolution
through intuitive forensic workflow
Use intuition more than technical training
Determine root cause and prevent recurrences

Embedded
intelligence

26
 Important for exam

Offense management by the Magistrate

1. Rules can correlate (links) events and flows into a single offense

2. A single event or flow can belong to multiple offenses

3. While rules are tested, they might lead to the creation of an offense

4. Pending offenses tag the events and flows as long as the rule that triggered the

creation of the offense remains at least partially matched

5. A maximum of 100,000 offenses can be stored

27
Offense management by the Magistrate (cont.)
(summary) The Magistrate instructs the Ariel proxy to gather

information about all events and flows that triggered the creation
Rule triggers the
of an offense
creation of an
2 offense
Rules engine Magistrate
(Rule xyz)

1
4
Partial matches tag
the flows and 3
Offense is created with
events
‫تشير التطابقات الجزئية إلى‬ Before the offense is all tags to events and
‫التدفقات واألحداث‬ created, the Magistrate flows that lead up to the
queries for (make sure) all offense
matching event and flow
tags to be included
Flows
Database  Events
Accumulations

28
Search  Important dr said: write in detail Important for exam

Types of offenses ‫مهم‬

1. An Open Offense that is created remains an Active Offense as long as the rules that triggered the offense creation
are matched by events or flows within 30 minutes after the last match has been found; new tags of events or flows
are added to the Active Offense
‫جريمة نائمة‬
2. If an Open Offense did not find additional matches for more than 30 minutes, it becomes a Dormant Offense

3. A Dormant Offense becomes active again when additional matches are found within 5 days after the offense
became dormant, and it is now called‫استدعاؤها‬
a Recalled
‫ تم‬Offense; new tags of events or flows are added to the Recalled
‫الجريمة التي‬
Offense

4. After a Dormant Offense has not received any matches within 5 days after it became dormant, it turns into an
‫جريمة غير نشطة‬
Inactive Offense ‫ إذا تمت مطابقة األحداث أو التدفقات مع مخالفة‬.6
‫ يتم إنشاء مخالفة‬،‫غير نشطة أو مخالفة مغلقة‬
5. Open Offenses can manually be turned into Closed Offenses ‫مفتوحة جديدة‬
6. If events or flows are matched to an Inactive Offense or Closed Offense, a new Open Offense is created

7. A maximum of 2,500 Active Offenses and 500 Recalled Offenses are allowed

8. Closed and Inactive Offenses are subject to retention management 29
Ask the right questions
Are we configured
What are the major risks What security incidents What was the impact
to protect against
and vulnerabilities? are happening right now? to the organization?
advanced threats?

Vulnerability Pre-Exploit Exploit Post-Exploit Remediation

PREDICTION / PREVENTION PHASE REACTION / REMEDIATION PHASE

Gain visibility over the organization’s security posture Automatically detect threats with prioritized workflow to
and identity security gaps quickly analyze impact
Detect deviations from the norm that indicate early Gather full situational awareness through advanced
warnings of APTs security analytics
Prioritize vulnerabilities to optimize remediation Perform forensic investigation reducing time to find the
processes and close critical exposures before exploit root cause; use results to drive faster remediation

Vulnerability Risk SIEM Log Incident
Manager Manager Manager Forensics

30
 Which method does QRadar use to
Search  Important dr said: compenents in QRadar correlate flows and events into offenses?
A) Application detection
IBM Security QRadar SIEM B) Signature matching
Web-based command console for Security Intelligence C) Rules-based correlation
D) Anomaly detection
1. Delivers actionable insight focusing Optimized threat analysis

security teams on high-probability Daily volume of events, flows, incidents

2,000,000,000

incidents automatically analyzed to find

20 – 25
2. Employs rules-based correlation of events, flows, potential offenses to investigate

assets, topologies, and vulnerabilities 1. Finds Real Threats: 1) Helps security teams find the most likely
security threats.
3. Detects and tracks malicious activity
over extended time periods, helping 2. Links Different Data with rules: Uses 1) rules-based correlation to
link events, flows, assets, and vulnerabilities to spot issues.
uncover advanced threats often missed
3. Detects and tracks malicious activity: 1) Monitors harmful activities
by other solutions for a long time, which 2) helps find advanced threats that other tools
might miss.
4. Consolidates “big data” security incidents within
purpose-built, federated database repository 4. Puts all security incidents in one place: Keeps large amounts of
security incident data in a special “big data”, organized database.
5. Provides anomaly detection to
complement existing perimeter defenses 5. Detects Unusual Behavior: It 1) detects actions that are different
from normal behavior, 2) helping to strengthen security by catching
6. Calculates identity and application baseline profiles to activities that seem Unusual activities.
assess abnormal conditions 6. Knows what's normal for users and apps: 1) Understands regular
behavior of users and applications to spot anything unusual. 31
 Search  Important dr said: compenents in QRadar ®

IBM Security QRadar Vulnerability Manager
 Scan, assess, and remediate vulnerabilities
‫مسح وتقييم ومعالجة الثغرات األمنية‬
 Contains an embedded, well-proven, scalable, analyst-
recognized, PCI-certified scanner
 Detects 70,000+ vulnerabilities
 Tracks National Vulnerability Database (CVE)
 Is present in all log and flow collectors and processors
QRadar
 Integrates with IBM Security Endpoint Manager (BigFix) to
reveal which vulnerabilities will be patched and when
 Leverages QRadar Risk Manager to report which
vulnerabilities are blocked by your IPS and FW
 Uses QFlow report if a vulnerable application is active
 Presents a prioritized list of vulnerabilities you should
deal with as soon as possible
32
 Search  Important dr said: compenents in QRadar ®

IBM Security QRadar Risk Manager
 Scan, assess, and remediate risks
1. Network topology model based on security
device configurations enables visualization of
actual and potential network traffic patterns
1. Visualizes network traffic patterns: Uses security
2. Policy engine network
correlates to
device configurations topology,
show actual and potential network
asset vulnerabilities
traffic flows. and configuration, and
actual network traffic to quantify and
2. Correlates
prioritize and prioritizes
risk, enabling risk: Combines network
risk-prioritized
topology, asset vulnerabilities, configuration, and traffic to
remediation andand
quantify compliance checking,
prioritize risks, enabling fixes, compliance ‫القياس الكمي لمخاطر‬
alerting,checks,
and reporting
alerts, and reports.
1.
Asset risk quantification ‫األصول‬
‫تحديد أولويات المعالجة‬
2. Remediation prioritization
3. Centralizes networknetwork
3. Centralizes security device
security device configurations: ‫طوبولوجيا الشبكة‬
configuration data and discovers 3. Network topology
1)Collects data, 2) finds configuration errors, and 3)
‫مراقبة السياسات واالمتثال‬

configuration errors;
monitors rule activity.firewall rule
firewallmonitors 4. Policy and compliance ‫ محاكاة التهديدات‬.1
activity monitoring
4. Models threat propagation and simulates network
5. Threat simulations
4. Models topology
threat propagation and simulates
changes: 1) simulates how threats spread and
tests the changes
network2)topology impact of changes in the network structure. 33
 1.Speeds up incident investigation: Reduces time
Search  Important dr said: compenents in QRadar from days/hours to minutes.
®

IBM Security QRadar Incident Forensics 2.Utilizes search engine technology:
gaps for security teams.
IncidentCloses skill
Forensics
 Intuitive investigation of security incidents 3.Collects evidence of malicious activity: collects
evidence of breaches and data theft.
1. Reduces incident investigation periods from 4.Creates visual content representations:
days or hours to minutes Generates detailed visualizations for analysis.
2. Employs Internet search engine technology  to close 5.Identifies root causes of breaches: Helps prevent
or reduce recurring incidents.
security team skill gaps
6.Enhances SIEM data with full packet captures:
3. Compiles (collecting) evidence against Adds comprehensive information for security
analytics.
malicious entities breaching secure systems
and deleting or stealing sensitive data
4. Creates rich “digital impression” visualizations of related
content

5. Helps determine the root cause of
successful breaches to prevent or reduce
repetition
6. Adds full packet captures to complement SIEM
security data collection and analytics
Wins the race
against time
34
Benefits of IBM Security Intelligence approach
Holistic IT security management and integration with infrastructure and processes
Use tools and solutions that know how to communicate with each other
Integrate with centralized vulnerability management

Pro-active IT security management
Detect and counteract the threat before the actual exploit

Network flow analysis and forensics
Collect data that no attacker can obfuscate (network flow) and store application data for more detailed forensic
investigations

Risk assessment support through network topology awareness in combination with
vulnerability information
Investigate potential risks due to network topology and vulnerabilities
Focus on the “important and valuable” assets that need protection and do not flood the Security Intelligence
system with useless data
35
Summary
The contents covered this week are summarized here,
Understand the IT architecture of an organization
Understand where the security intelligence fits in the bigger picture for an
organization
List and understand the functional components of IBM QRadar

36