From Dark Arts to Common Practice with QRadar Incident Forensics
© 2015 IBM Corporation
Vijay Dheap, Global Product Manager
Security Intelligence …a Primer
IBM Confidential
To gain awareness of the current state of an organization’s security posture requires data.
The richness of the data and the analysis performed on that data yields Security Intelligence.

Evolution of the data sources and the analysis built on them:
• Log Mgmt (log data): analysis of individual systems
• 1st Gen SIEM (log data): analysis of interconnected systems – data correlation
• 2nd Gen SIEM (adds flow data): analysis of processes – advanced data correlation, rule engine
• Modern Security Intelligence Platform (adds vulnerability data / external threat feeds): analysis of processes – advanced data correlation, vulnerability management, in-built analytics including advanced flow analytics, investigative analysis, relationship analysis
• Cyber Forensics (adds full packet capture / external data): incident investigation, investigative analysis, relationship analysis
Defining Cyber Forensics and its Business Value
Cyber Forensics is an investigative analysis of rich content – full packet capture, documents and other assets – to reveal the presence, nature, extent and impact of a cyber threat. It is employed when metadata analysis (i.e. logs, flows) alone is insufficient to identify, comprehend, thwart and recover from the cyber threat.

Business value throughout the life-cycle of a cyber threat (stages: pre-exploit, vulnerability, exploit, post-exploit, remediation; the first two fall in the prediction / prevention phase, the rest in the reaction / remediation phase):
• Proactive formulation of best practices: forensics analysis of several cases can inform the development of new threat detection methods
• Enhance capacity to identify breaches: content-level analysis can detect new attack techniques or reveal previously compromised systems
• Mitigate risk of becoming a repeat victim: forensics enables assessing the full scope of an impact or breach to close gaps in the security posture
• Shorten time to remediate an incident: forensics analysis pinpoints the source, identifies the targets, and reveals the methods
• Detect deviations and assess risk: forensics analysis can highlight protocol deviations and be used to verify impact from attacks identified by third parties
The Forensics Challenge
Cyber Forensics holds potential; however, organizations face several challenges in getting started…

Operational Hurdles
• Large data volumes can inhibit identification of relevant information
• Large data volumes also make forensics time and resource intensive
• Forensics either requires learning multiple discrete tools, or solutions that require steep learning curves

Management & Cost
• To progress forensics from an ad hoc exercise into a practice there needs to be accountability & oversight
• Data storage has to be flexible, scalable and cost-efficient
Scenarios Forensics Can Be Applied To…

Insider Threat Analysis (misuse of access, collusion, sabotage)
Find the perpetrator, identify collaborators, pinpoint the systems compromised and document any data losses.

Fraud and Abuse (protocol deviations, unauthorized transactions, unsanctioned allocation of resources)
Uncover sophisticated schemes involving seemingly disparate interactions, pinpoint activities that evade controls/protocols, and halt fraudulent transactions.

Evidence Gathering (refining best practices, risk assessment, quantifying confidence in threat detection)
Assess exposure to third-party issued security bulletins, compile threat evidence, analyze malicious/risky activity, and refine best practices.

Network Security (data exfiltration, patient zero, compromised systems)
Detect and thoroughly investigate malicious activities targeting critical assets, uncover the motivations and develop an understanding of the full scope of the risk.
QRadar Incident Forensics Differentiation
From NetFlow to QFlow to …QRadar Incident Forensics
• NetFlow: packet oriented, identifies unidirectional sequences sharing source and destination IPs, ports, and type of service.
• QFlow: packet oriented, identifies bi-directional sequences aggregated into sessions, also identifies applications by capturing the beginning of a flow.
• Competitive solutions: session oriented, some only capture a subset of each flow and index only the metadata—not the payload.
• QRadar Incident Forensics: session oriented, captures all packets in a flow, indexing the metadata and payload to enable fast search-driven data exploration.
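The three flow models contrasted above, as an added example that is not from the original presentation or from IBM: a small Python script that aggregates constructed packet records as unidirectional NetFlow-style records (keyed on source/destination IP, port, protocol and type of service), as bidirectional QFlow-style sessions whose application is identified from the first payload bytes rather than the port, and as a full-capture index in which the payload itself is searchable, which is the distinction the slide draws against metadata-only indexing. The packet tuples, the payload signatures and all function names are constructed for this illustration and are not QRadar's own formats or detection logic.

```python
"""Added example (not IBM's code): NetFlow-style unidirectional records vs.
QFlow-style bidirectional sessions vs. a full-capture index with searchable
payload. All packets, signatures and function names are constructed here."""
from collections import defaultdict

# Constructed sample packets:
# (timestamp, src_ip, src_port, dst_ip, dst_port, protocol, type_of_service, payload)
PACKETS = [
    (1.00, "10.0.0.5", 51000, "203.0.113.9", 443, "tcp", 0, b"\x16\x03\x01\x00\xc8"),      # TLS ClientHello
    (1.01, "203.0.113.9", 443, "10.0.0.5", 51000, "tcp", 0, b"\x16\x03\x03\x00\x5a"),      # TLS ServerHello
    (1.02, "10.0.0.5", 51000, "203.0.113.9", 443, "tcp", 0, b"\x17\x03\x03\x01\x20"),      # TLS application data
    (2.00, "10.0.0.7", 40100, "198.51.100.3", 80, "tcp", 0, b"GET /index.html HTTP/1.1\r\n"),
    (2.05, "198.51.100.3", 80, "10.0.0.7", 40100, "tcp", 0, b"HTTP/1.1 200 OK\r\n"),
    (3.00, "10.0.0.7", 40101, "198.51.100.3", 8080, "tcp", 0, b"GET /api HTTP/1.1\r\n"),   # HTTP on a non-standard port
]

# Constructed payload-prefix signatures. Port numbers are deliberately not used,
# so the HTTP session on port 8080 is still recognised from its content.
SIGNATURES = [(b"\x16\x03", "TLS"), (b"GET ", "HTTP"), (b"POST ", "HTTP"), (b"SSH-", "SSH")]


def session_key(src, sport, dst, dport, proto):
    """Direction-independent key: both halves of a conversation map to one session."""
    return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))


def netflow_style(packets):
    """Unidirectional flows keyed on src/dst IPs, ports, protocol and ToS.
    Request and response directions become two separate records."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for _ts, src, sport, dst, dport, proto, tos, payload in packets:
        rec = flows[(src, sport, dst, dport, proto, tos)]
        rec["packets"] += 1
        rec["bytes"] += len(payload)
    return dict(flows)


def identify_app(first_payload):
    """Classify a session from the first payload bytes seen (the beginning of the flow)."""
    for prefix, name in SIGNATURES:
        if first_payload.startswith(prefix):
            return name
    return "unknown"


def qflow_style(packets):
    """Bidirectional sessions; the application label comes from the first
    non-empty payload, so only the start of each flow needs inspecting."""
    sessions = {}
    for ts, src, sport, dst, dport, proto, _tos, payload in packets:
        key = session_key(src, sport, dst, dport, proto)
        s = sessions.setdefault(key, {"first_ts": ts, "last_ts": ts, "packets": 0, "bytes": 0, "app": None})
        s["packets"] += 1
        s["bytes"] += len(payload)
        s["last_ts"] = ts
        if s["app"] is None and payload:
            s["app"] = identify_app(payload)
    return sessions


def full_capture_index(packets):
    """Full packet capture: keep every payload byte per session alongside the
    session metadata, so content (not only metadata) can be searched later."""
    meta = qflow_style(packets)
    content = defaultdict(bytearray)
    for _ts, src, sport, dst, dport, proto, _tos, payload in packets:
        content[session_key(src, sport, dst, dport, proto)] += payload
    return {k: {"meta": meta[k], "content": bytes(v)} for k, v in content.items()}


def search_content(index, needle):
    """Return the session keys whose captured payload contains `needle`;
    a metadata-only index cannot answer this query at all."""
    return [k for k, entry in index.items() if needle in entry["content"]]


if __name__ == "__main__":
    print(len(netflow_style(PACKETS)), "unidirectional flows")
    for key, s in qflow_style(PACKETS).items():
        print(key, s["app"], s["packets"], "packets")
    print("sessions mentioning /api:", search_content(full_capture_index(PACKETS), b"/api"))
```

On the constructed input the six packets collapse to five unidirectional NetFlow records but only three bidirectional sessions, and the content search for `/api` finds the HTTP session on port 8080 even though no port-based rule would have labelled it as web traffic; that is the investigative gain of retaining and indexing the payload rather than flow metadata alone.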
QRadar Incident Forensics Differentiators
Delivers Intelligence
• Digital Impressions: reveals entity-to-entity relationships including direction & strength
• Suspect Content Detection: highlights suspicious content to guide investigation
• Content Categorization: filters out the noise to direct focus on pertinent content

Powerful Forensics Analysis
• Free-form search: simple user experience; powerful, fast search across all content
• Visualizations: displays entity-to-entity relationships through various perspectives
• Timeline: displays activity in chronological order to retrace the threat sequence
• Full content reconstruction: rebuilds documents and other assets in their natural form
• Dynamic Data Pivoting: enables rapid navigation across data sets

Super Efficient, Scalable Storage
• Supports two-tier data retention policies
• Virtual Storage Expansion: raw full packet capture can be retained for a longer duration

Foundation for Accountability & Oversight
• Case Delegation: assignment of forensics investigations to analysts
QRIF Offers Comprehensive Support for Encrypted Traffic

(Diagram: in each mode encrypted packets pass through QRadar Packet Capture to QRIF; with an SSL proxy in the path, decrypted packets are captured instead; for on-demand decryption, session keys or private keys are supplied to QRIF.)

Metadata Inspection
Characterize any encrypted traffic to extract metadata about the traffic: certificates, actors, length/size etc. Output: traffic metadata; the content remains encrypted.

Decryption Support with a Trusted Man-in-the-Middle
Seamlessly integrate with any SSL Proxy solution; pre-integrated configurations with A10 Networks provide a complete decryption solution. Output: traffic metadata and decrypted content.

On-Demand Decryption without Trusted Man-in-the-Middle
Capability to decrypt any encrypted ingress traffic when supplied with the private key, as well as to decrypt any encrypted ingress or egress traffic if supplied with the session keys. Output: traffic metadata and decrypted content.
Merging Network Forensics with Data Forensics

(Diagram: QRadar Packet Capture and other content (i.e. documents) both feed QRadar Incident Forensics.)

A standardized Data Import Solution to enable streaming or batch ingest of:
• Packet Data
• Open Source Data
  • Externally available data: Twitter feeds, Facebook updates etc.
• Unstructured data
  • Documents: Microsoft, .RTF, .PDF, Audio, Video…
• Structured data
  • XML
  • Incorporates Structured Fields for Search: Timestamps, Protocol Data, etc.

Enables Customers to Cross Correlate:
• Data-At-Rest with Data-In-Motion
• Structured with Unstructured
QRadar Incident Forensics Deployment Model

Security Intelligence Platform – QRadar Security Intelligence Console
• Seamlessly integrated, single UI
• Includes new ‘Forensics’ dashboard tab
• Supports incident investigation workflow

QRadar Incident Forensics Module(s)
• Hardware, software, virtual appliance
• Supports standard PCAP format
• Retrieves PCAPs for an incident and reconstructs sessions for forensics

QRadar Packet Capture Appliances
• Performs full packet capture
• Optimized appliance solution
• Scalable storage
QRadar Incident Forensics Benefits
Speed & Enhanced Productivity
• Finding pertinent information
• Identifying the actors
• Pinpointing suspicious content
• Recognizing anomalous behavior

Cost Efficiency
• Minimizes spend on storage
• Minimizes investment in specialized skills & training
• Avoids expenditures on disparate tools

Deployment Flexibility
• Standalone Mode
• Integrated with broader QRadar platform
• Scalable to multiple sites
Notices and Disclaimers
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or
transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with
IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been
reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM
shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY,
EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF
THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT
OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the
agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without
notice.
Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are
presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual
performance, cost, savings or other results in other operating environments may vary.
References in this document to IBM products, programs, or services do not imply that IBM intends to make such products,
programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not
necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither
intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal
counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s
business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or
represent or warrant that its services or products will ensure that the customer is in compliance with any law.
Notices and Disclaimers (con’t)
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products in connection with this
publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM
products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to
interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any
IBM patents, copyrights, trademarks or other intellectual property right.
• IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document
Management System™, Global Business Services ®, Global Technology Services ®, Information on Demand,
ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™,
PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®,
pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®,
urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of
International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on
the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
Thank You

Your Feedback is Important!
Access the InterConnect 2015 Conference CONNECT Attendee Portal to complete your session surveys from your smartphone, laptop or conference kiosk.