Control center for your IT security: IBM Security Intelligence

IBM Security Systems

Slide 1: Control center for your IT security, IBM Security Intelligence
© 2013 IBM Corporation
© 2012 IBM Corporation
Slide 2: Targeted attacks are shaking companies and government agencies
Source: IBM X-Force 2011 Trend and Risk Report
JK 2012-04-26
Slide 3: IBM has unparalleled experience and global coverage in security
Security Operations Centers, Security Research Centers, Security Solution Development Centers, Institute for Advanced Security branches, IBM Research, worldwide Managed Security Services coverage
• 20,000+ devices under contract
• 3,700+ MSS clients worldwide
• 9B+ events managed per day
• 1,000+ security patents
• 133 monitored countries (MSS)
Slide 4: IBM Security Systems portfolio
The IBM Security portfolio is laid out by operational security domain of the IT infrastructure (People, Data, Applications, Infrastructure: Network and Endpoint), split into products and services.

Security Intelligence, Analytics and GRC: QRadar SIEM, QRadar Log Manager, QRadar Risk Manager
Enterprise Governance, Risk and Compliance Management: GRC Platform (OpenPages), Risk Analytics (Algorithmics), Investigation Management (i2)
IBM Privacy, Audit and Compliance Assessment Services

People
• Products: Identity & Access Management Suite, Federated Identity Manager, Enterprise Single Sign-On
• Services: Identity Assessment, Deployment and Hosting Services
Data
• Products: Guardium Database Security, InfoSphere Optim Data Masking, Key Lifecycle Manager
• Services: Data Security Assessment Service, Encryption and DLP Deployment
Applications
• Products: AppScan Source & Standard Edition, DataPower Security Gateway, Security Policy Manager
• Services: Application Assessment Service, AppScan OnDemand Software as a Service
Infrastructure, Network
• Products: Network Intrusion Prevention, SiteProtector Management System, QRadar Anomaly Detection / QFlow
• Services: Managed Firewall, Unified Threat and Intrusion Prevention Services
Infrastructure, Endpoint
• Products: Endpoint Manager (BigFix), Virtualization and Server Security, Mainframe Security (zSecure, RACF)
• Services: Penetration Testing Services, Mobile Device Management
Across all domains: Security Consulting, Managed Services, X-Force and IBM Research
Slide 5: Today's security challenges (Security Intelligence)
Detecting threats
• Equip yourself with comprehensive Security Intelligence
Consolidating data silos
• Collect, correlate and report information in one integrated solution
Detecting insider fraud
• Next-generation SIEM with identity correlation
Better risk prediction for the business
• Complete compliance and risk management for the network and security infrastructure
Covering regulatory requirements
• Automatic collection of data and generation of audit reports
Slide 6: Solving Customer Challenges
Customer | Challenge | Result
Major Electric Utility | Detecting threats | Discovered 500 hosts with “Here You Have” virus, which other solutions missed
Fortune 5 Energy Company | Consolidating data silos | 2 billion logs and events per day reduced to 25 high priority offenses
Branded Apparel Maker | Detecting insider fraud | Trusted insider stealing and destroying key data
$100B Diversified Corporation | Predicting risks against your business | Automating the policy monitoring and evaluation process for configuration change in the infrastructure
Industrial Distributor | Addressing regulatory mandates | Real-time extensive monitoring of network activity, in addition to PCI mandates
Slide 7: Compliance management and effective security management
Prediction & Prevention (What are the external and internal threats? Are we configured to protect against these threats?)
• Risk Management. Vulnerability Management.
• Configuration Monitoring. Patch Management.
• X-Force Research and Threat Intelligence.
• Compliance Management. Reporting and Scorecards.
Reaction & Remediation (What is happening right now? What was the impact?)
• SIEM. Log Management. Incident Response.
• Network and Host Intrusion Prevention.
• Network Anomaly Detection. Packet Forensics.
• Database Activity Monitoring. Data Loss Prevention.
Slide 8: Correlation for a view of what matters
Extensive data sources: Security Devices, Servers & Mainframes, Network & Virtual Activity, Data Activity, Application Activity, Configuration Info, Vulnerability & Threat, Users & Identities
Event Correlation
• Logs
• Flows
• IP Reputation
• Geo Location
Activity Baselining & Anomaly Detection
• User Activity
• Database Activity
• Application Activity
• Network Activity
Deep + Intelligence = True Offense
Offense Identification
• Credibility
• Severity
• Relevance
Result: suspected incidents, with exceptionally accurate and actionable insight
Slide 9: Security Intelligence building blocks
Log Management
• Turn-key log management and reporting
• SME to Enterprise
• Upgradeable to enterprise SIEM
SIEM
• Log, flow, vulnerability & identity correlation
• Sophisticated asset profiling
• Offense management and workflow
Configuration & Vulnerability Management
• Network security configuration monitoring
• Vulnerability prioritization
• Predictive threat modeling & simulation
Network Activity & Anomaly Detection
• Network analytics
• Behavioral anomaly detection
• Fully integrated in SIEM
Network and Application Visibility
• Layer 7 application monitoring
• Content capture for deep insight & forensics
• Physical and virtual environments
Slide 10: Security Intelligence, management from a single console
The same five building blocks (Log Management, SIEM, Configuration & Vulnerability Management, Network Activity & Anomaly Detection, Network and Application Visibility) with the same capabilities, presented as One Console Security, built on a single data architecture.
Slide 11: QRadar: intelligence, integration, automation
• Bridges silos
• Highly scalable
• Flexible & adaptable
• Proactive threat management
• Identifies critical anomalies
• Rapid, extensive impact analysis
• Easy deployment
• Rapid time to value
• Operational efficiency
Slide 12: Challenge 1: Detecting attacks
Possible botnet detected? That is what traditional SIEM solutions can do.
IRC on port 80? IBM Security QRadar QFlow detects the hidden channel.
Irrefutable botnet communication: the Layer 7 flow data contains botnet command and control commands.
Application layer flow analysis detects threats that others miss.
Slide 13: Challenge 2: Consolidating data silos
Data reduction ratio: 1153571 : 1
Sophisticated correlation across silos: analysis of flow and event data. Only IBM Security QRadar makes full use of Layer 7 flows.
Reduction of large data volumes to a manageable size.
Slide 14: Challenge 3: Detecting insider fraud
Possible data loss: who? what? where?
• Who? An internal user
• What? Oracle data
• Where? Gmail
Detecting threats inside the intranet: detection of abnormal user behaviour and visibility at the application layer are critical to identifying insider threats.
Slide 15: Challenge 4: Better risk prediction for the business
Assessing systems at high risk of attack because of vulnerabilities
• What are the details? Vulnerability details, sorted by risk
• How do I remediate the vulnerabilities?
• Which systems are affected? How should I prioritize them?
Security Intelligence before the attack: monitoring the network for configuration and compliance risks and prioritizing their mitigation.
Slide 16: Challenge 5: Covering regulatory requirements
Unencrypted transfer: IBM Security QRadar QFlow sees a cleartext service on an accounting server. PCI Requirement 4 says: encrypt the transmission of cardholder data across open, public networks.
Simplifying compliance: out-of-the-box support for major compliance standards; automated reports, predefined correlation rules, dashboards.
PCI compliance maintained? Real-time detection of possible violations.
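As an added example (not IBM's code and not part of these slides), the two detections described above, IRC on port 80 as a hidden channel and a cleartext service to an accounting server in PCI scope, expressed as rules over Layer 7 flow records, with each hit scored on the credibility, severity and relevance dimensions the correlation slide names. The flow records, the asset table, the port-to-application map and the score values are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed sample of Layer 7 flow records: "app" is what deep packet
# inspection identified, independent of the destination port.
FLOWS = [
    {"src": "10.1.5.23", "dst": "203.0.113.9", "dport": 80, "app": "IRC", "bytes": 4120},
    {"src": "10.1.5.24", "dst": "198.51.100.7", "dport": 80, "app": "HTTP", "bytes": 91000},
    {"src": "10.2.0.15", "dst": "10.9.8.40", "dport": 21, "app": "FTP", "bytes": 300400},
    {"src": "10.2.0.16", "dst": "10.9.8.40", "dport": 443, "app": "HTTPS", "bytes": 5000},
]

# Constructed asset context (assumption): which hosts are in PCI scope.
ASSETS = {"10.9.8.40": {"role": "accounting", "pci_scope": True}}

# Application normally expected on a port (assumption, illustrative only).
EXPECTED_APP = {80: "HTTP", 443: "HTTPS", 21: "FTP", 22: "SSH", 6667: "IRC"}
# Protocols that carry payload unencrypted.
CLEARTEXT_APPS = {"FTP", "TELNET", "HTTP", "IRC"}


@dataclass
class Offense:
    rule: str
    flow: dict
    credibility: int  # how trustworthy the evidence is (1-10)
    severity: int     # potential damage (1-10)
    relevance: int    # how much it matters for this asset (1-10)

    @property
    def magnitude(self) -> float:
        # Simple average of the three dimensions; the real product weights differ.
        return round((self.credibility + self.severity + self.relevance) / 3, 1)


def hidden_channel(flow):
    """Rule 1: application seen on a port that normally carries something else."""
    expected = EXPECTED_APP.get(flow["dport"])
    if expected and flow["app"] != expected:
        # IRC tunnelled over port 80 is the covert command-and-control pattern
        # from the slide, so it is scored more severe than other mismatches.
        sev = 8 if flow["app"] == "IRC" else 5
        return Offense("app/port mismatch", flow, credibility=7, severity=sev, relevance=6)
    return None


def cleartext_on_pci_host(flow):
    """Rule 2: cleartext protocol to a host in PCI scope (PCI DSS Requirement 4)."""
    asset = ASSETS.get(flow["dst"])
    if asset and asset["pci_scope"] and flow["app"] in CLEARTEXT_APPS:
        return Offense("cleartext to PCI asset", flow, credibility=9, severity=6, relevance=9)
    return None


def correlate(flows):
    """Run every rule over every flow and return offenses, highest magnitude first."""
    offenses = []
    for f in flows:
        for rule in (hidden_channel, cleartext_on_pci_host):
            o = rule(f)
            if o:
                offenses.append(o)
    return sorted(offenses, key=lambda o: o.magnitude, reverse=True)


if __name__ == "__main__":
    for o in correlate(FLOWS):
        fl = o.flow
        print(f"{o.magnitude:>4} {o.rule:<24} {fl['src']} -> {fl['dst']}:{fl['dport']} ({fl['app']})")
```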
Slide 17: IBM helps organizations adopt Security Intelligence
Maturity model, from manual and reactive to automated and proactive:
• Basic: organizations use perimeter protection, which regulates access and supports manual reporting
• Proficient: security is embedded in the IT infrastructure and in business operations
• Optimized: organizations use predictive and automated security analytics
Slide 18: Security Intelligence enables building optimal security
Security controls by maturity level (Optimized, Proficient, Basic) and domain (People, Data, Applications, Infrastructure), with Security Intelligence alongside.
People
• Optimized: role-based analytics; controls for privileged users
• Proficient: identity management; strong authentication
• Basic: central directory service; password management
Data
• Optimized: data flow analytics; data management
• Proficient: activity monitoring; data loss prevention
• Basic: encryption; access control
Applications
• Optimized: secure application development; fraud detection
• Proficient: application firewall; source code analysis
• Basic: vulnerability scanning
Infrastructure
• Optimized: advanced network monitoring / forensics; secure systems
• Proficient: mobile devices; asset management; endpoint / network security management
• Basic: perimeter security; anti-virus
Security Intelligence
• Optimized: advanced threat detection; network anomaly detection; predictive risk management
• Proficient: real-time event correlation; SIEM; network forensics
• Basic: log management; compliance reporting
Slide 19: Security Intelligence solutions
Solution | Description
IBM Security QRadar SIEM | QRadar SIEM provides comprehensive visibility and actionable insight to help protect networks and IT systems against a wide range of current threats. It helps detect and remediate breaches faster, implement compliance requirements and improve the efficiency of security operations.
IBM Security QRadar Log Manager | QRadar Log Manager collects, archives, analyzes and reports events across a distributed network. It supports compliance with regulations and reduces the associated manual activities.
IBM Security QRadar QFlow | QRadar QFlow complements QRadar SIEM by providing visibility into data content. It collects Layer 7 flow data by deep packet inspection and thereby enables far-reaching detection of attacks through analysis of packet payloads.
IBM Security QRadar VFlow | QRadar VFlow provides visibility into the content of data in virtual networks, complementing QRadar SIEM and offering functionality comparable to QRadar QFlow, but for virtual environments.
IBM Security QRadar Risk Manager | QRadar Risk Manager identifies and reduces security risks by monitoring system configurations, prioritizing vulnerabilities and simulating attacks. It can thereby protect against many security incidents while improving operational efficiency and compliance.
Slide 20: QRadar’s Unique Advantages
• Real-time correlation and anomaly detection based on broadest set of contextual data
  Impact: More accurate threat detection, in real-time
• Integrated flow analytics with Layer 7 content (application) visibility
  Impact: Superior situational awareness and threat identification
• Intelligent automation of data collection, asset discovery, asset profiling and more
  Impact: Reduced manual effort, fast time to value, lower-cost operation
• Flexibility and ease of use enabling “mere mortals” to create and edit correlation rules, reports and dashboards
  Impact: Maximum insight, business agility and lower cost of ownership
• Scalability for largest deployments, using an embedded database and unified data architecture
  Impact: QRadar supports your business needs at any scale
Slide 21: Why IBM Security: Breadth, deep expertise, integration
Leadership
• Leader in “Magic Quadrant for Security Information and Event Management”, Gartner, May 24, 2012; May 12, 2011; May 13, 2010; May 29, 2009.
• #1 rated by Gartner for Compliance use cases ("Critical Capabilities for Security Information and Event Management Technology," Gartner, May 21, 2012)
Integration
• Integrated with 400+ products and vendor platforms
• SIEM, log management, behavioral anomaly detection, and configuration monitoring combined in a single console
Expertise
• Embedded 3rd party security feeds including IBM X-Force Threat Intelligence
• Integration with IBM InfoSphere Guardium, IBM Security Network Protection, IBM Security AppScan and IBM Identity & Access Manager for optimized security
Slide 22: ibm.com/security
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
© 2013 IBM Corporation