CSF 4613 – Security Intelligence Week 04 (CLO2) PDF

Summary

This document discusses Security Intelligence, focusing on IBM QRadar architecture and functional components. It covers security architecture concepts, QRadar's building blocks, and component functionalities. The document also mentions different security architecture frameworks like TOGAF, OESA, COBIT, and ISO/IEC 27001.

Full Transcript

Search  Important dr said 90 min Clo 1 (week1&2)  10 MCQ + 2 short answer + 1 matching Search  Important for exam & Clo 2 (week3&4)  10 MCQ + 2 short answer + 1 matching CSF 4613 – Security Intelligence ‫مهم‬ Ask d...

Search  Important dr said 90 min Clo 1 (week1&2)  10 MCQ + 2 short answer + 1 matching Search  Important for exam & Clo 2 (week3&4)  10 MCQ + 2 short answer + 1 matching CSF 4613 – Security Intelligence ‫مهم‬ Ask dr slides 25 point 4 not clear Week 04 (CLO2) - IBM QRadar Architecture and Functional Components Objectives After completing this unit, you should be able to: Understand the security architecture big picture Explain the architecture (building blocks) of the QRadar SIEM Understand the functionality of individual components of QRadar Relate the functionality of one component of QRadar to other functional components 2 Contents Security architecture: The big picture The functional components of IBM QRadar 3 What are the key features that an architecture should focus on according to the text? ANSWER Overall environment of the system Relationships between system elements Main functions without details Use of established frameworks (e.g., TOGAF, OESA, COBIT, ISO/IEC 27001) Security architecture: The big picture What is an architecture? 1. An architecture takes into consideration the overall environment in which the system (IT system) operate. 2. It determine all the elements of the IT system and their relationships 3. An architecture describes the fundamental properties of the IT system; it focuses on the essentials and does not cover details.  It focuses on the main features, not the details 4. An organization should use a well accepted enterprise security architecture framework for creating the organization’s security architecture. For example, > TOGAF (The Open Group Architectural Framework) > OESA (Open Enterprise Security Architecture) > Control Objectives for Information and Related Technology (COBIT) > ISO/ IEC 27001:2013 Security techniques – Information security management systems > ISO/ IEC 27002:2013 Security techniques – Code of practice for information security controls 1. Architecture considers the system's environment: It looks at how the system will work with other systems and users around it. © Copyright IBM Corporation 2015 5 What is an architecture? (cont.) Brief description of famous security architecture frameworks,  TOGAF covers the development of four related types of architecture (not security-focused); these four types of architecture are commonly accepted as subsets of an overall enterprise architecture, Business Architecture Data Architecture Application Architecture Technology Architecture  The OESA is a policy-driven security architecture that places this architecture in the context of a larger enterprise security program and describes the major elements of an ESA © Copyright IBM Corporation 2015 6 Syste Security Intelligence: The Management Consulting ms ProductsBackbone Integrated Integra tion of a comprehensive security Security as a Service architecture SECURITY Advanced Mobile and Compliance Skills Cloud TRENDS Threats Internet of Things Mandates Shortage Comprehensive Security Portfolio Strategy, Risk, and Compliance Cybersecurity Assessment and Response ‫االستخبارات األمنية والعمليات‬ Security Intelligence and Operations Advanced Identity Data Application Network, Mobile Fraud and Access Security Security and Endpoint Protection Management Protection Advanced Threat and Security Research DELIVERY MODELS © Copyright IBM Corporation 2015 7 Search  Important dr said Organization can be divided in 3 category ‫فئات النضج‬ Quiz important Maturity categories of integration ‫للتكامل‬ Optimized : All automated and all proactive Organizations using proactive and automated 1. Basic – organization See notes security tools can boost their security. By In Sec gathering and combining logs and data from employ perimeter te u different sources, they get a clearer view of their protection and feed llig rit security situation. This information includes manual reporting, very en y details about important assets, weaknesses, and ce reactive in nature. worldwide threats, helping teams make better decisions. Overall, these tools help O 2. Proficient – organization Automated ‫ل‬ organizations identify potential risks and pt ‫مث‬ implements “security in ‫ال‬ im strengthen their defenses. ‫ا‬ depth” Security is layered ize into the IT fabric and business Optimized d Pr ‫ هر‬cie operations and it’s use both Organizations use ‫ما‬ ofi automated, –proactive 3. Optimized also Organizations predictive and automated manual, and reactive security analytics to drive use proactive and toward security nt automated security intelligence analytics to drive toward ‫ ي‬si ‫س‬ Basic Ba security intelligence Manual ‫ ا‬c ‫س‬ Organizations ‫أ‬ Proficient d all reactive employ perimeter Security is layered Ex: HR department protection, which ch; they regulates access and into the IT fabric and work In HR business operations nding feeds manual reporting Reactive Proactive software d feed ‫تفاعل‬ ‫استباقي‬ ting, very ‫ي‬ Proficient : ture. Different systems work together and work auto and manual operations also work proactive and© reactive Copyright IBM Corporation 2015 8 ‫تطبيق البيانات الضخمة في مجال االستخبارات األمنية وإدارة‬ ‫التهديدات‬ Apply Big Data to Security Intelligence and threat management  Collection, storage, and processing ‫النضج‬  Collection and integration Logs  Size and speed ‫األساسي‬ Basic maturity EventsAlerts  Enrichment and correlation Configuration  Analytics and workflow‫التحليالت وسير العمل‬ information  Visualization System Identity  Unstructured analysis audit trails context  Learning and prediction  Customization Network flows  Sharing and export and anomalies External threat Full packet and  Global intelligence‫االستخبارات العالمية‬ intelligence DNS captures  Campaign identification feeds  IP reputation covering Web page Business attacker, industry, and region text process data  Comparisons Optimized Email and Customer  Anomaly detection ‫النضج‬ maturity social activity transactions ‫األمثل‬ 9 ‫فئات النضج وأنواع حلول األمان‬ See notes Maturity categories and security solution types Security intelligence refers to the collection, aggregation, normalization, Security Intelligence: and analysis of data generated by an Information and event management organization's security systems to Advanced correlation and deep analytics Security understand and improve its overall Intelligence External threat research security posture. Optimized  Threat intelligence: Process 1. Role-based analytics 1. Advanced network 1. Secure app monitoring of collecting, analyzing, and 2. Identity governance 1. Data flow analytics engineering processes 2. Forensics/data applying information about 3. Privileged user 2. Data governance mining controls 2. Fraud detection current and potential threats 3. Secure systems to an organization 1. User provisioning 1. Virtualization (management) security 1. Access monitoring 1. Application firewall 2. Access 2. Asset management Proficient management 2. Data loss prevention 2. Source code scanning 3. Endpoint/network 3. Strong security authentication management 1. Data Encryption 1. Perimeter security Basic Centralized directory Application scanning 2. Access control 2. Anti-virus ‫الدليل المركزي‬ Network, Mobile, Identity and Access and Endpoint Management Data Security Application Security Protection and ,Fraud ‫ المحمول‬, Protection ‫نقطة النهاية‬ ‫أمن البياناتإدارة الهوية والوصول‬ ‫أمان التطبيق‬ ‫ة من االحتيال‬ 10 QRadar functional components Search  Important dr said QRadar SIEM logical components and data flow The event processor & flow processor will send these data to the Console and then the console generates an offense.  Which c Network Network Central User Console Logs Logs  Magistrate (manages offense creation and magnitude) manage packages flows A) Mag  Global correlation across flow and event processors  Offense management B) Arie  Asset and identity management C) Pos  Event Processor  Correlation & store D) Flo Flow Collector Event Collector  Rule Processor & DSM (device support modules)  Storage for events, accumulated meta data  Storage for flows, accumulated meta data  Event Collector ‫االلتحام‬  Log event collection, coalescing (combining), and Flow Processor Event Processor normalization  Third-party flow collection such as NetFlow, sFlow, J-Flow, Correlation & store deduplication, and recombination The flow  Flow Collector Flow Collector & Event Collector both is doing normalize - only data t  QFlow (collects information from NetFlow protocol) and Console Superflow (for detailed analysis) creation, and application detection (categorize network traffic based on applications) - - QFlow (Flow Collector): Collects network traffic data using the NetFlow protocol. Handle Superflow Creation: Provides detailed analysis by creating more in-depth traffic - records. Application Detection: Identifies and categorizes traffic based on the applications events generating it. 12 From NetFlow to QFlow to QRadar Incident Forensics NetFlow collects data about the flow of packets in a network, focusing on the direction of data, the IP addresses involved, the ports being used, and how the data is prioritized. This helps network Internet/ administrators monitor and manage network performance effectively. intranet  Netflow: packet-oriented, identifies unidirectional (only right  or lift ) sequences sharing source and destination IPs, ports, and type of packet service  QFlow: packet-oriented, identifies bidirectional (right  & lift ) Internet/ intranet sequences grouped into sessions, also identifies applications by capturing the beginning of a flow QFlow looks at small pieces of data (packets) that are sent back and forth between two devices, like a computer and a server. It organizes these packets into sessions, which are groups of related messages exchanged during a conversation. By checking the beginning of these conversations, QFlow can figure out which applications are being used, like a web browser or a video call app. This helps in monitoring network traffic and understanding how different applications work. Internet/  Competitive solutions: session-oriented, some only capture a intranet subset of each flow and index only the metadata—not the payload  QRadar Incident Forensics: session-oriented, captures all Internet/ packets in a flow indexing the metadata and payload to enable intranet fast search-driven data exploration QRadar Incident Forensics tracks complete interactions between devices records every detail of those interactions, organizes that information, and allows for quick searches to help analyze security incidents. 13 Search  Important dr said: database Quiz important QRadar high-level architecture Flow and event data is stored in the Ariel database Identity on the Event Processors ‫مهم‬ Asset Offense  If accumulation is required, accumulated data is stored in the Ariel accumulation database  As soon as data is stored, it cannot be changed (tamper proof) Console Services User interface Magistrate Reporting Offenses, assets, and identity information are stored in the master PostgreSQL database on the Console Flows  Scalability and performance are managed through bulk insert and update Events Event Processor Accumulations transactions and by populating memory caches to avoid numerous round trips to the database  Provides one master database with copies on each processor for backup Flow Collector Event Collector and automatic restore Secure SSH communication between appliances in a Sources: Router, switches, firewalls Protocols: NetFlow, S-Flow, and J-Flow Events from log sources distributed environment is supported Search  Important dr said Quiz important Application detection ‫طرق تحديد تطبيق التدفق‬ Methods of determining the application of the flow User defined > This method is mainly used when users have a proprietary application running on their network > For example: All traffic going to host 10.100.100.42 on port 443 is recognized to be MySpecialApplication State-based decoders > This method is implemented in the source code and determines the application by analyzing the payload for multiple markers > For example: If we see A followed by B then application = X; if we see A followed by C, then application = Y 15 Quiz important Application detection (cont.) Methods of determining the application of the flow Signature matching > Basic string matching in the payload > Custom signatures are allowed (see Application Configuration Guide for signature customization) Port-based matching > Port 80 = HTTP (web-based application) > Port 443 = HTTPS > Port 22 = SSH > Port 25 = SMTP traffic and so on 16 4 )FPM( ‫معالجة االندفاع للتدفقات في الدقيقة‬ Flows per minute (FPM) burst handling 1. Flows are temporarily stored in an overflow buffer if the FPM license is exceeded 2. Every log source protocol has an overflow buffer of 100,000 events 3. If the overflow buffer fills up, the additional flows are dropped 4. In general, a Flow Collector can handle an event burst for up to 15 seconds 1. If the FPM license limit is exceeded, flows are stored temporarily in an overflow buffer. 2. Each log source has an overflow buffer for up to 100,000 events. 3. When the overflow buffer is full, extra flows are dropped. 4. The Flow Collector can handle a sudden event increase for up to 15 seconds. If the burst lasts longer than 15 seconds, flows may start getting dropped. 17 4 ‫بنية جامع األحداث‬ Search  Important dr said: maybe something missing in diagram explaine diagram Important for exam Event Collector architecture 1. Each Event Collector gathers events from local and remote sources Event Processor 2. The Event Collector normalizes events and classifies them into low- level categories and high-level categories Coalescing filter 3. Log Sources are automatically discovered after record analysis  Log sources are automatically found after the system analyzes the records. Device Support Module (DSM) Parser threads 4. The Event Collector bundles identical events to conserve system DSM normalization filter usage through a process that is known as coalescing  The Event Overflow filter Collector combines the same events to save system resources, a process (enforce license limit) called coalescing. Raw data packets received 5. Events are parsed (analyzed) by Log Source parser threads Event Collector 6. EPS license is checked Log Sources Week 3 / slide 19  18 QRadar Embedded intelligence offers automated offense identification ‫التعرف اآللي على الجريمة‬ Security devices Correlation ‫االرتباط‬ Servers and mainframes Logs/events Suspected Flows incidents IP reputation Network and virtual activity Geographic location True offense‫حقيقية‬ ‫جريمة‬ Data activity Offense identification ‫تحديد‬ ‫الجريمة‬ Application activity Secure archive Credibility Severity Configuration information Activity baselining and Relevance anomaly detection User activity Vulnerabilities and threats Database activity Application activity Users and identities Network activity Embedded intelligence Global threat intelligence 19 4 Auto-discovery of Log Sources ‫االكتشاف التلقائي لمصادر السجل‬ 1. Is an essential module for automating a successful evaluation or deployment 2. Categories traffic from devices that are unknown to the system 3. Creates a new Log Source if detection is successful on an IP address 4. Carries out detection only on event protocols that are “pushed” to the Event Collector, for example, Syslog 1. Automation Module: Automates evaluation and deployment. 2. Traffic Identification: Sorts traffic from unrecognized devices. 3. Log Source Creation: Creates a log source for newly detected devices. 4. Event Detection: Detects specific messages (e.g., syslog) sent to the Event Collector. 20 4 ‫يستخدم تحليل مصدر السجل تعيين البطاقة الشخصية‬ Log Source parsing uses QID mapping 1. The Log Source parser extracts the Log Source Event ID from the log record  Extracts the Log Source Event ID from the log record. 2. The QID (QRadar Identifier) is a unique ID that links the extracted Log Source Event ID to a QID  The QID is a unique ID that links the extracted Log Source Event ID to a related QID. 3.  Each QID number links to a custom Event Name and Event description, as well as Event severity and event category information ‫مهم‬ 4. The event category information is structured into High-Level Categories (HLC) and Low-Level Categories (LLC) every QID is linked to one of these low-level categories.  event category are organized into two levels. The first level is called High-Level Categories (HLC), which. represents general types of events The second level is called Low-Level Categories (LLC), which gives more specific details about the event within the broader category. For example, "Authentication (HLC) – Admin Login Successful (LLC)" is a category combination 21 4Events per second (EPS) burst handling ‫معالجة اندفاع األحداث في‬ ‫الثانية‬ 1. Events are temporarily stored in an overflow buffer if the EPS license is exceeded 2. Every log source protocol has an overflow buffer of 100,000 events ‫مهم‬ 3. If the overflow buffer fills up, the additional events are dropped ‫مهم‬ 4. In general, an Event Collector can handle an event burst for up to 15 seconds 1. If the EPS (Events Per Second) license limit is exceeded, events are temporarily stored in an ‫مهم‬overflow buffer. 2. Each log source has an overflow buffer for up to 100,000 events. 3. When the overflow buffer is full, extra flows are dropped. 4. The Event Collector can handle a sudden event increase for up to 15 seconds. If the burst lasts longer than 15 seconds, flows may start getting dropped. 22 Search  Important dr said 4 The main function is correlation and storage Important for exam Event Processor architecture Anomaly New host Magistrate Detection Engine or port event Every single event and flow is tested against all enabled rules in the rules engine Accumulations Accumulator Host profiling Exit filter New offenses (alerts) are created by the Magistrate (see Console) Flows Event storage filter Events If a new port or host is detected, an asset profile is updated or created Offense type analyzer in the PostgreSQL database (see Console)  If a new port or Drop (no match Custom Rules Engine (CRE) on events) device is found, a profile for it is created or updated in the Overflow filter (enforce license limit) PostgreSQL database Event sources received Events are accumulated every minute and stored in the accumulator Event Processor Ariel database  Events are collected every minute and saved in Event Processor Event Processor Event Processor Event Processor Event Collector Flow Collector the Ariel database. 23 4 Custom Rules Engine (CRE) ‫محرك القواعد المخصصة‬ 1. Every single event or flow is tested against all enabled rules; matched rules can have a response or result  Every event or flow is tested automatically based on all the active rules in the system. 2. Matched rules might trigger the creation of an offense or create a CRE event that triggers the creation of an offense  Matched rules may cause a response, create an offense, or generate a CRE event leading to an offense. ‫مهم‬ 3. Multiple matched events, flows, and matched rules might correlate into a single offense Multiple events, flows, or rules can combine into a single offense. ‫مهم‬ 4. A single event or flow can be correlated (belong) into multiple offenses (important)  A single event or flow can be part of multiple offenses. 5. By default, rules are tested against events or flows received by a single Event Processor (local rules) 6. Global Cross Correlation (GCC) allows rules testing across multiple Event Processors in the QRadar SIEM deployment  helping to analyze events from different sources together. 24 Search  Important dr said 3 ‫مهم‬ Console architecture Magistrate: gather information from all elements events and flow and then create offenses to help investigator to know the 1. The Magistrate creates and stores offenses in the reason of creation of the offenses. PostgreSQL database; these offenses are then brought to Offenses the analyst’s attention in the interface Magistrate 2. The Magistrate instructs the Ariel proxy to gather Custom Rule Engine Assets information about all events and flows that triggered the Vulnerability Anomaly creation of an offense Overflow filter Ariel Information Detection ‫محرك كشف الشذوذ‬ (enforce license limit) Proxy Server Engine 3. The Anomaly Detection Engine (ADE) searches the Event Sources received Accumulator databases for anomalies, which are then Console used for offense evaluation Ariel Host Event Processor Accumulators Event Processor Query Server Profiler 4. The Vulnerability Information Server (VIS) creates new assets or adds open ports to existing assets based on 1. Magistrate: Creates and stores offenses in the PostgreSQL database. These offenses are displayed for the analyst in the interface to get the information from the EPs analyst’s attention 25 Embedded intelligence of QRadar directs focus for investigations Suspected incidents True offense Directed forensics investigations Rapidly reduce time to resolution through intuitive forensic workflow Use intuition more than technical training Determine root cause and prevent recurrences Embedded intelligence 26 Important for exam Offense management by the Magistrate 1. Rules can correlate (links) events and flows into a single offense 2. A single event or flow can belong to multiple offenses 3. While rules are tested, they might lead to the creation of an offense 4. Pending offenses tag the events and flows as long as the rule that triggered the creation of the offense remains at least partially matched 5. A maximum of 100,000 offenses can be stored 27 Offense management by the Magistrate (cont.) (summary) The Magistrate instructs the Ariel proxy to gather information about all events and flows that triggered the creation Rule triggers the of an offense creation of an 2 offense Rules engine Magistrate (Rule xyz) 1 4 Partial matches tag the flows and 3 Offense is created with events ‫تشير التطابقات الجزئية إلى‬ Before the offense is all tags to events and ‫التدفقات واألحداث‬ created, the Magistrate flows that lead up to the queries for (make sure) all offense matching event and flow tags to be included Flows Database  Events Accumulations 28 Search  Important dr said: write in detail Important for exam Types of offenses ‫مهم‬ 1. An Open Offense that is created remains an Active Offense as long as the rules that triggered the offense creation are matched by events or flows within 30 minutes after the last match has been found; new tags of events or flows are added to the Active Offense ‫جريمة نائمة‬ 2. If an Open Offense did not find additional matches for more than 30 minutes, it becomes a Dormant Offense 3. A Dormant Offense becomes active again when additional matches are found within 5 days after the offense became dormant, and it is now called‫استدعاؤها‬ a Recalled ‫ تم‬Offense; new tags of events or flows are added to the Recalled ‫الجريمة التي‬ Offense 4. After a Dormant Offense has not received any matches within 5 days after it became dormant, it turns into an ‫جريمة غير نشطة‬ Inactive Offense ‫ إذا تمت مطابقة األحداث أو التدفقات مع مخالفة‬.6 ‫ يتم إنشاء مخالفة‬،‫غير نشطة أو مخالفة مغلقة‬ 5. Open Offenses can manually be turned into Closed Offenses ‫مفتوحة جديدة‬ 6. If events or flows are matched to an Inactive Offense or Closed Offense, a new Open Offense is created 7. A maximum of 2,500 Active Offenses and 500 Recalled Offenses are allowed 8. Closed and Inactive Offenses are subject to retention management 29 Ask the right questions Are we configured What are the major risks What security incidents What was the impact to protect against and vulnerabilities? are happening right now? to the organization? advanced threats? Vulnerability Pre-Exploit Exploit Post-Exploit Remediation PREDICTION / PREVENTION PHASE REACTION / REMEDIATION PHASE Gain visibility over the organization’s security posture Automatically detect threats with prioritized workflow to and identity security gaps quickly analyze impact Detect deviations from the norm that indicate early Gather full situational awareness through advanced warnings of APTs security analytics Prioritize vulnerabilities to optimize remediation Perform forensic investigation reducing time to find the processes and close critical exposures before exploit root cause; use results to drive faster remediation Vulnerability Risk SIEM Log Incident Manager Manager Manager Forensics 30 Which method does QRadar use to Search  Important dr said: compenents in QRadar correlate flows and events into offenses? A) Application detection IBM Security QRadar SIEM B) Signature matching Web-based command console for Security Intelligence C) Rules-based correlation D) Anomaly detection 1. Delivers actionable insight focusing Optimized threat analysis security teams on high-probability Daily volume of events, flows, incidents 2,000,000,000 incidents automatically analyzed to find 20 – 25 2. Employs rules-based correlation of events, flows, potential offenses to investigate assets, topologies, and vulnerabilities 1. Finds Real Threats: 1) Helps security teams find the most likely security threats. 3. Detects and tracks malicious activity over extended time periods, helping 2. Links Different Data with rules: Uses 1) rules-based correlation to link events, flows, assets, and vulnerabilities to spot issues. uncover advanced threats often missed 3. Detects and tracks malicious activity: 1) Monitors harmful activities by other solutions for a long time, which 2) helps find advanced threats that other tools might miss. 4. Consolidates “big data” security incidents within purpose-built, federated database repository 4. Puts all security incidents in one place: Keeps large amounts of security incident data in a special “big data”, organized database. 5. Provides anomaly detection to complement existing perimeter defenses 5. Detects Unusual Behavior: It 1) detects actions that are different from normal behavior, 2) helping to strengthen security by catching 6. Calculates identity and application baseline profiles to activities that seem Unusual activities. assess abnormal conditions 6. Knows what's normal for users and apps: 1) Understands regular behavior of users and applications to spot anything unusual. 31 Search  Important dr said: compenents in QRadar ® IBM Security QRadar Vulnerability Manager  Scan, assess, and remediate vulnerabilities ‫مسح وتقييم ومعالجة الثغرات األمنية‬  Contains an embedded, well-proven, scalable, analyst- recognized, PCI-certified scanner  Detects 70,000+ vulnerabilities  Tracks National Vulnerability Database (CVE)  Is present in all log and flow collectors and processors QRadar  Integrates with IBM Security Endpoint Manager (BigFix) to reveal which vulnerabilities will be patched and when  Leverages QRadar Risk Manager to report which vulnerabilities are blocked by your IPS and FW  Uses QFlow report if a vulnerable application is active  Presents a prioritized list of vulnerabilities you should deal with as soon as possible 32 Search  Important dr said: compenents in QRadar ® IBM Security QRadar Risk Manager  Scan, assess, and remediate risks 1. Network topology model based on security device configurations enables visualization of actual and potential network traffic patterns 1. Visualizes network traffic patterns: Uses security 2. Policy engine network correlates to device configurations topology, show actual and potential network asset vulnerabilities traffic flows. and configuration, and actual network traffic to quantify and 2. Correlates prioritize and prioritizes risk, enabling risk: Combines network risk-prioritized topology, asset vulnerabilities, configuration, and traffic to remediation andand quantify compliance checking, prioritize risks, enabling fixes, compliance ‫القياس الكمي لمخاطر‬ alerting,checks, and reporting alerts, and reports. 1. Asset risk quantification ‫األصول‬ ‫تحديد أولويات المعالجة‬ 2. Remediation prioritization 3. Centralizes networknetwork 3. Centralizes security device security device configurations: ‫طوبولوجيا الشبكة‬ configuration data and discovers 3. Network topology 1)Collects data, 2) finds configuration errors, and 3) ‫مراقبة السياسات واالمتثال‬ configuration errors; monitors rule activity.firewall rule firewallmonitors 4. Policy and compliance ‫ محاكاة التهديدات‬.1 activity monitoring 4. Models threat propagation and simulates network 5. Threat simulations 4. Models topology threat propagation and simulates changes: 1) simulates how threats spread and tests the changes network2)topology impact of changes in the network structure. 33 1.Speeds up incident investigation: Reduces time Search  Important dr said: compenents in QRadar from days/hours to minutes. ® IBM Security QRadar Incident Forensics 2.Utilizes search engine technology: gaps for security teams. IncidentCloses skill Forensics  Intuitive investigation of security incidents 3.Collects evidence of malicious activity: collects evidence of breaches and data theft. 1. Reduces incident investigation periods from 4.Creates visual content representations: days or hours to minutes Generates detailed visualizations for analysis. 2. Employs Internet search engine technology  to close 5.Identifies root causes of breaches: Helps prevent or reduce recurring incidents. security team skill gaps 6.Enhances SIEM data with full packet captures: 3. Compiles (collecting) evidence against Adds comprehensive information for security analytics. malicious entities breaching secure systems and deleting or stealing sensitive data 4. Creates rich “digital impression” visualizations of related content 5. Helps determine the root cause of successful breaches to prevent or reduce repetition 6. Adds full packet captures to complement SIEM security data collection and analytics Wins the race against time 34 Benefits of IBM Security Intelligence approach Holistic IT security management and integration with infrastructure and processes Use tools and solutions that know how to communicate with each other Integrate with centralized vulnerability management Pro-active IT security management Detect and counteract the threat before the actual exploit Network flow analysis and forensics Collect data that no attacker can obfuscate (network flow) and store application data for more detailed forensic investigations Risk assessment support through network topology awareness in combination with vulnerability information Investigate potential risks due to network topology and vulnerabilities Focus on the “important and valuable” assets that need protection and do not flood the Security Intelligence system with useless data 35 Summary The contents covered this week are summarized here, Understand the IT architecture of an organization Understand where the security intelligence fits in the bigger picture for an organization List and understand the functional components of IBM QRadar 36

Use Quizgecko on...
Browser
Browser