From Dark Arts to Common Practice with QRadar Incident Forensics


Transcript of From Dark Arts to Common Practice with QRadar Incident Forensics

Page 1: From Dark Arts to Common Practice with QRadar Incident Forensics

© 2015 IBM Corporation

From Dark Arts to Common Practice with QRadar Incident Forensics
Vijay Dheap, Global Product Manager

Page 2: From Dark Arts to Common Practice with QRadar Incident Forensics

Security Intelligence …a Primer

Gaining awareness of the current state of an organization’s security posture requires data. The richness of the data and the analysis performed on that data yields Security Intelligence.

The slide lays this out as a progression: each additional data source feeds the next stage of analysis.

• Log Data
• Log Mgmt: analysis of individual systems
• 1st Gen SIEM: analysis of interconnected systems – data correlation
• Flow Data
• 2nd Gen SIEM: analysis of processes – advanced data correlation, rule engine
• Vulnerability Data/External Threat Feeds
• Modern Security Intelligence Platform: analysis of processes – advanced data correlation, vulnerability management, in-built analytics including advanced flow analytics, investigative analysis, relationship analysis
• Full Packet Capture/External Data
• Cyber Forensics: incident investigation, investigative analysis, relationship analysis

Page 3: From Dark Arts to Common Practice with QRadar Incident Forensics

Defining Cyber Forensics and its Business Value

Cyber Forensics is an investigative analysis of rich content – full packet capture, documents and other assets – to reveal the presence, nature, extent and impact of a cyber threat. It is employed when metadata analysis (i.e. logs, flows) alone is insufficient to identify, comprehend, thwart and recover from the cyber threat.

Business Value throughout the life-cycle of a cyber threat:

• Proactive formulation of best practices: forensics analysis of several cases can inform the development of new threat detection methods
• Enhance capacity to identify breaches: content level analysis can detect new attack techniques or reveal previously compromised systems
• Mitigate risk of becoming repeat victim: forensics enables assessing the full scope of an impact or breach to close gaps in the security posture
• Shorten time to remediate an incident: forensics analysis pinpoints the source, identifies the targets, and reveals the methods
• Detect deviations and assess risk: forensics analysis can highlight protocol deviations and be used to verify impact from attacks identified by third parties

[Figure: threat life-cycle axis running Pre-Exploit (Vulnerability), Exploit, Post-Exploit (Remediation), spanning the PREDICTION / PREVENTION PHASE and the REACTION / REMEDIATION PHASE]

Page 4: From Dark Arts to Common Practice with QRadar Incident Forensics

The Forensics Challenge

Cyber Forensics holds potential, however organizations face several challenges in getting started…

Operational Hurdles
• Large data volumes can inhibit identification of relevant information
• Large data volumes also make forensics time and resource intensive
• Forensics either requires learning multiple discrete tools, or solutions that require steep learning curves

Management & Cost
• To progress forensics from an ad hoc exercise into a practice there needs to be accountability & oversight
• Data storage has to be flexible, scalable and cost-efficient

Page 5: From Dark Arts to Common Practice with QRadar Incident Forensics

Scenarios Forensics Can Be Applied To…

Network Security (Data Exfiltration, Patient Zero, Compromised Systems)
Detect and thoroughly investigate malicious activities targeting critical assets, uncover the motivations and develop an understanding of the full scope of the risk

Insider Threat Analysis (Misuse of Access, Collusion, Sabotage)
Find the perpetrator, identify collaborators, pinpoint the systems compromised and document any data losses

Fraud and Abuse (Protocol Deviations, Unauthorized Transactions, Unsanctioned Allocation of Resources)
Uncover sophisticated schemes involving seemingly disparate interactions, pinpoint activities that evade controls/protocols, and halt fraudulent transactions

Evidence Gathering (Refining Best Practices, Risk Assessment, Quantifying Confidence in Threat Detection)
Assess exposure to third-party issued security bulletins, compile threat evidence, analyze malicious/risky activity, and refine best practices

Page 6: From Dark Arts to Common Practice with QRadar Incident Forensics

QRadar Incident Forensics Differentiation

Page 7: From Dark Arts to Common Practice with QRadar Incident Forensics

From NetFlow to QFlow to …QRadar Incident Forensics

[Figure: four Internet/intranet traffic diagrams, one per approach below]

• NetFlow: packet oriented, identifies unidirectional sequences sharing source and destination IPs, ports, and type of service
• QFlow: packet oriented, identifies bi-directional sequences aggregated into sessions, also identifies applications by capturing the beginning of a flow.
• Competitive solutions: session oriented, some only capture a subset of each flow and index only the metadata, not the payload.
• QRadar Incident Forensics: session oriented, captures all packets in a flow, indexing the metadata and payload to enable fast search-driven data exploration

Page 8: From Dark Arts to Common Practice with QRadar Incident Forensics

QRadar Incident Forensics Differentiators

Delivers Intelligence
• Digital Impressions: reveals entity-to-entity relationships including direction & strength
• Suspect Content Detection: highlights suspicious content to guide investigation
• Content Categorization: filters out the noise to direct focus on pertinent content

Powerful Forensics Analysis
• Free-form search: simple user experience; powerful, fast search across all content
• Visualizations: displays entity-to-entity relationships through various perspectives
• Timeline: displays activity in chronological order to retrace threat sequence
• Full content reconstruction: rebuilds documents and other assets in their natural form
• Dynamic Data Pivoting: enables rapid navigation across data sets

Super Efficient, Scalable Storage
• Supports two-tier data retention policies
• Virtual Storage Expansion: raw full packet capture can be retained for longer duration

Foundation for Accountability & Oversight
• Case Delegation: assignment of forensics investigations to analysts

Page 9: From Dark Arts to Common Practice with QRadar Incident Forensics

QRIF Offers Comprehensive Support for Encrypted Traffic

Metadata Inspection
[Figure: encrypted packets → QRIF → traffic metadata, with the content left encrypted]
Characterize any encrypted traffic, to extract metadata about the traffic: certificates, actors, length/size etc.

Decryption Support with a Trusted Man-in-the-Middle
[Figure: encrypted traffic → SSL Proxy → decrypted packets → QRadar Packet Capture → QRIF → decrypted content and traffic metadata]
Seamlessly integrate with any SSL Proxy solution, and we have pre-integrated configurations with A10 Networks to provide a complete decryption solution.

On-Demand Decryption without Trusted Man-in-the-Middle
[Figure: encrypted packets → QRadar Packet Capture → QRIF, supplied with session keys/private keys → decrypted content and traffic metadata]
Capability to decrypt any encrypted ingress traffic when supplied with the private key, as well as decrypt any encrypted ingress or egress traffic if supplied with the session keys
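The metadata-inspection path works on packets that are never decrypted. As an added illustration, not code from the deck or from IBM, the Python below builds a constructed TLS 1.2 ClientHello and then pulls out the kind of metadata such a pass yields with no session or private key: protocol versions, the server name from the SNI extension, the offered cipher suites and the record length. The helper names (`build_client_hello`, `inspect_tls_record`), the small cipher-suite name table and the "weak" set (RC4 and NULL suites, the sort of protocol deviation the deck says forensics can highlight) are the example's own choices.

```python
import struct

# Cipher suite code points from the TLS registry. The "weak" set is an
# assumption for this demo: RC4 and NULL suites offered by a client are the
# sort of protocol deviation a metadata-only pass can surface for an analyst.
SUITE_NAMES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
WEAK_SUITES = {0x0000, 0x0004, 0x0005}


def build_client_hello(server_name, cipher_suites):
    """Constructed TLS 1.2 ClientHello record (sample input, not captured traffic)."""
    body = b"\x03\x03" + b"\x11" * 32                       # client_version + random
    body += b"\x00"                                         # empty session_id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                     # one compression method: null
    host = server_name.encode("ascii")
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name
    sni_data = struct.pack("!H", len(name_entry)) + name_entry   # server_name_list
    extensions = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def inspect_tls_record(record):
    """Extract metadata from a TLS ClientHello without any key material.

    Returns None if the bytes are not a handshake record carrying a ClientHello.
    """
    if len(record) < 5 or record[0] != 0x16:                # 0x16 = handshake
        return None
    record_len, = struct.unpack_from("!H", record, 3)
    hs = record[5:5 + record_len]
    if len(hs) < 4 or hs[0] != 0x01:                        # 0x01 = client_hello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    client_version = (body[pos], body[pos + 1])
    pos += 2 + 32                                           # skip version + random
    pos += 1 + body[pos]                                    # skip session_id
    cs_len, = struct.unpack_from("!H", body, pos)
    pos += 2
    suites = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                    # skip compression methods
    server_name = None
    if pos + 2 <= len(body):
        ext_total, = struct.unpack_from("!H", body, pos)
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            ext_data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type == 0x0000 and len(ext_data) >= 5:   # server_name extension
                name_len, = struct.unpack_from("!H", ext_data, 3)
                server_name = ext_data[5:5 + name_len].decode("ascii", "replace")
    return {
        "record_version": (record[1], record[2]),
        "client_version": client_version,
        "record_length": record_len,
        "server_name": server_name,
        "cipher_suites": suites,
        "suite_names": [SUITE_NAMES.get(cs, f"unknown_{cs:04x}") for cs in suites],
        "weak_suites": [cs for cs in suites if cs in WEAK_SUITES],
    }


if __name__ == "__main__":
    sample = build_client_hello("example.com", [0xC02F, 0xC030, 0x0005])
    print(inspect_tls_record(sample))
```

Everything the function returns is visible on the wire before any key exchange completes, which is why the metadata path can characterize traffic that the platform never decrypts; the decrypted-content paths on the slide start where this example stops.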

Page 10: From Dark Arts to Common Practice with QRadar Incident Forensics

Merging Network Forensics with Data Forensics

[Figure: QRadar Packet Capture and Other Content (i.e. Documents) both feeding QRadar Incident Forensics]

A standardized Data Import Solution to enable streaming or batch ingest of
• Packet Data
• Open Source Data
  • Externally available data: Twitter feeds, Facebook updates etc
• Unstructured data
  • Documents: Microsoft, .RTF, .PDF, Audio, Video……
• Structured data
  • XML
  • Incorporates Structured Fields for Search: Timestamps, Protocol Data, etc.

Enables Customers to Cross Correlate
• Data-At-Rest with Data-In-Motion
• Structured with Unstructured

Page 11: From Dark Arts to Common Practice with QRadar Incident Forensics

QRadar Incident Forensics Deployment Model

Security Intelligence Platform components:

QRadar Security Intelligence Console
• Seamlessly integrated, single UI
• Includes new ‘Forensics’ dashboard tab
• Supports incident investigation workflow

QRadar Incident Forensics Module(s)
• Hardware, software, virtual appliance
• Supports standard PCAP format
• Retrieves PCAPs for an incident and reconstructs sessions for forensics

QRadar Packet Capture Appliances
• Performs Full Packet Capture
• Optimized appliance solution
• Scalable storage
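Page 7 contrasts NetFlow's unidirectional sequences, keyed on source and destination IPs and ports, with the bi-directional sessions QFlow and QRadar Incident Forensics work from, and this page notes that the module ingests standard PCAP. The Python below is an added example, not code from the deck or from IBM: it builds a minimal libpcap capture in memory (a constructed sample of three packets from one TCP exchange, Ethernet/IPv4/TCP only), parses it back, and aggregates the packets both ways so the difference shows up in the counts. The helper names (`build_frame`, `build_pcap`, `sample_capture`, `parse_pcap`, `unidirectional_flows`, `bidirectional_sessions`) and the RFC 5737 documentation addresses are the example's own.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # little-endian libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_frame(src_ip, dst_ip, sport, dport, payload_len):
    """Constructed Ethernet/IPv4/TCP frame with a zero-filled payload (sample data)."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + 20 + payload_len, 0, 0, 64, 6, 0,
        bytes(int(o) for o in src_ip.split(".")),
        bytes(int(o) for o in dst_ip.split(".")),
    )
    tcp_header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ethernet = b"\x00" * 12 + struct.pack("!H", 0x0800)       # zero MACs, EtherType IPv4
    return ethernet + ip_header + tcp_header + b"\x00" * payload_len


def build_pcap(frames):
    """Wrap frames in a libpcap global header and per-record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, incl_len, orig_len; one second apart for readability
        out += struct.pack("<IIII", 1_420_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def sample_capture():
    """Constructed exchange: client request, server response, client follow-up."""
    client, server = "192.0.2.10", "198.51.100.20"        # RFC 5737 documentation ranges
    return build_pcap([
        build_frame(client, server, 40000, 443, 100),
        build_frame(server, client, 443, 40000, 500),
        build_frame(client, server, 40000, 443, 40),
    ])


def parse_pcap(data):
    """Yield (timestamp, src, dst, sport, dport, payload_len) for each IPv4/TCP packet."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                                            # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        total_len, = struct.unpack_from("!H", frame, 16)
        if frame[23] != 6:
            continue                                            # not TCP
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        data_offset = (frame[tcp + 12] >> 4) * 4
        yield (ts_sec + ts_usec / 1e6, src, dst, sport, dport, total_len - ihl - data_offset)


def unidirectional_flows(packets):
    """NetFlow-style: key on the one-way 5-tuple, so request and reply are separate flows."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for _ts, src, dst, sport, dport, plen in packets:
        flows[(src, sport, dst, dport, "tcp")]["packets"] += 1
        flows[(src, sport, dst, dport, "tcp")]["bytes"] += plen
    return dict(flows)


def bidirectional_sessions(packets):
    """QFlow/QRIF-style: both directions share one key, so the whole exchange is one session."""
    sessions = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for _ts, src, dst, sport, dport, plen in packets:
        a, b = (src, sport), (dst, dport)
        key = (a, b, "tcp") if a <= b else (b, a, "tcp")   # order-independent endpoint pair
        sessions[key]["packets"] += 1
        sessions[key]["bytes"] += plen
    return dict(sessions)


if __name__ == "__main__":
    pkts = list(parse_pcap(sample_capture()))
    print(unidirectional_flows(pkts))
    print(bidirectional_sessions(pkts))
```

Run as a script it prints both aggregations for the same three packets: two records under the NetFlow key (one per direction) and a single record under the bidirectional key. That pairing of request with reply is what lets a session-oriented tool reconstruct the exchange, and it is also why retaining every packet of the flow matters: the metadata-only counts above cannot tell you what those 640 bytes carried.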

Page 12: From Dark Arts to Common Practice with QRadar Incident Forensics

QRadar Incident Forensics Benefits

Speed & Enhanced Productivity
• Finding pertinent information
• Identifying the actors
• Pinpointing suspicious content
• Recognizing anomalous behavior

Cost Efficiency
• Minimizes spend on storage
• Minimizes investment in specialized skills & training
• Avoids expenditures on disparate tools

Deployment Flexibility
• Standalone Mode
• Integrated with broader QRadar platform
• Scalable to multiple sites

Page 13: From Dark Arts to Common Practice with QRadar Incident Forensics

Notices and Disclaimers

Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.

Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.

References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer’s responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.

Page 14: From Dark Arts to Common Practice with QRadar Incident Forensics

Notices and Disclaimers (cont’d)

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

• IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document Management System™, Global Business Services®, Global Technology Services®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.

Page 15: From Dark Arts to Common Practice with QRadar Incident Forensics

Thank You

Your Feedback is Important!

Access the InterConnect 2015 Conference CONNECT Attendee Portal to complete your session surveys from your smartphone, laptop or conference kiosk.