IBM SECURITY QRADAR FOR SERVICE PROVIDERS
Extending Market Reach Through Multi-Tenancy & SaaS
Vijay Dheap, Global Product Manager, QRadar
© 2015 IBM Corporation, IBM Security

Extend Your Market Reach with IBM Security QRadar for MSPs


Agenda

Motivations

QRadar Multi-Tenancy

QRadar Master Console

Security Intelligence on Cloud

Partnering with IBM


Motivations: Making Security Intelligence Accessible


It’s A Not So Friendly Cyber World…and Many are Ill-Equipped

Risks abound and cost continues to grow

Limitations in even grasping an organization’s security posture constrain the ability to adapt it…


Organizations of All Sizes Plan on Raising their Basic Security IQ

Growing demand needs to be served by the best-in-class solution, QRadar, and Service Providers provide not just the reach but also the expertise to onboard and support these organizations on their security intelligence journey


Service Provider Requirements to Serve this Market Demand

Offer range of security intelligence capabilities from basic to advanced to meet diverse spectrum of client needs

• Log Management
• SIEM
• Risk and vulnerability management
• Network, app, and service usage visibility

Adaptive deployment options depending on client size and scale

• Dedicated environments for large institutions
• Shared infrastructure for small/mid-size organizations

Deliver rapid time-to-value

• Quick deployment
• Built-in intelligence
• Out-of-the-box integrations

Minimize operational infrastructure costs and improve staff productivity

• Multi-tenancy
• Cloud delivery options
• Centralized dashboard


Helping Service Providers Broaden Reach of Security Intelligence

Service Providers can extend Tier 1 security intelligence capabilities to small & mid-size organizations leveraging multi-tenancy

Master Console: Service Providers can gain centralized visibility to multiple, diverse QRadar deployments – multi-tenant, or dedicated

Service Providers can either deploy QRadar in the cloud or resell IBM Security Intelligence on Cloud Offering to minimize capital expenditures and offer an operating expense model for security intelligence for their customers

[Diagram labels: Customer A, Customer B, Customer C, Customer D, Customer E]


QRadar Multi-Tenancy


Multi-Tenant QRadar for Managed Security Service Providers

Significant new capabilities to help Service Providers bring security to customers

• New centralized views and incident management
• Mixed single- and multi-tenanted deployment options
• True horizontal, snap-on scalability capabilities
• Extensive APIs for enterprise integration
• System configuration template support
• Cloud ready with support for 400+ out-of-the-box devices

IBM Security QRadar is:

• MULTI-TENANT: enables secure, rapid and cost effective delivery of security intelligence services
• AUTOMATED: drives simplicity and accelerates time-to-value for service providers
• SCALABLE: scales from smallest to largest customers with centralized management of single- and multi-tenanted systems

[Diagram labels: Scalable appliance architecture; Shared modular infrastructure; Intelligent, Automated, Integrated]


Introducing the Domain Concept

Domains are building blocks for multi-tenant QRadar

• Allows for segregating overlapping IPs
• Enables categorizing sources of security data (ex. events, flows) into different sets
• Facilitates monitoring and analysis of one or more subsets to attain granular visibility

Domains can be defined at three levels, listed here in order of increasing priority:

• Collector-level: Collectors (events or flows) are used to distinguish among domains
• Source-level: Sources (log or flow) possibly aggregated by the same collector can be specified as belonging to different domains
• Properties-level: Specific events within a log source can be associated to various domains

[Diagram labels. Collector-level: Domain A, Domain B. Source-level: Domain A, Source 1, Source 2, Domain B, Source 3. Properties-level: Log Source 4, Domain A, Property i, Domain B, Property ii, Property iii.]


Automatic Detection & The Default Domain

When no dedicated event collectors are assigned, new log sources are automatically detected and assigned to the default domain allowing Service Provider admin or global admin to make the domain assignment (if desired)

Prevents data leakage and enforces data separation across domains

When dedicated event collectors are assigned to a unique domain, new log sources are automatically detected and assigned to that domain

[Diagram: the collector-level, source-level and properties-level domain layout from the previous slide, repeated]


Domain Data Available in QRadar


Domain Support in Rules

Custom rules engine is now domain-aware, automatically isolating correlations from different domains

New domain test allows for cross domain correlations if desired or necessary


Domain Support in Offenses

Domain information carried all the way through offense


Domain Support Within Asset Model

Each asset is assigned to a domain

Assets can have overlapping IP addresses


Domain Support for Security Profiles

Security Profile can be restricted to one or more domains

Security Profile will restrict access to flows, events, assets, and offenses based on domain


Controlled Access to Domains

New User Security Profiles can be instantiated to control access to domain data:

• Enables defining user access rights to one or more domains
• Allows for delegation of responsibilities across domains
• Facilitates defining domain specific visibility

Once domains are defined, the next step is to control user privileges to those domains

Process in the QRadar Admin Console:

1. Define Security Profiles for the Domains
2. Associate users from those domains to the appropriate security profiles
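A minimal model of the behaviour these slides describe: domain assignment at three levels with the most specific level winning, the default-domain fallback, and visibility limited by the domains in a security profile. It is an added illustration, not QRadar code; `DomainMap`, the `tenant` property, and collector names such as `ec-a` are assumptions, and all sample events are constructed.

```python
from dataclasses import dataclass, field

DEFAULT_DOMAIN = "Default Domain"

@dataclass
class DomainMap:
    """Hypothetical domain definitions at the three levels from the slide."""
    by_collector: dict = field(default_factory=dict)  # collector -> domain
    by_source: dict = field(default_factory=dict)     # log/flow source -> domain
    by_property: dict = field(default_factory=dict)   # (source, prop, value) -> domain

    def resolve(self, event: dict) -> str:
        """Most specific definition wins: property, then source, then collector."""
        src = event.get("source")
        for name, value in event.get("properties", {}).items():
            if (src, name, value) in self.by_property:
                return self.by_property[(src, name, value)]
        if src in self.by_source:
            return self.by_source[src]
        # No match at any level: park the data in the default domain
        return self.by_collector.get(event.get("collector"), DEFAULT_DOMAIN)

def visible_events(events, domains, profile_domains):
    """Events a user may see, given the domains in their security profile."""
    return [e for e in events if domains.resolve(e) in profile_domains]

def build_demo():
    """Constructed sample data; collector and property names are made up."""
    domains = DomainMap(
        by_collector={"ec-a": "Domain A", "ec-b": "Domain B"},
        by_source={"Source 3": "Domain B"},
        by_property={("Log Source 4", "tenant", "i"): "Domain A",
                     ("Log Source 4", "tenant", "ii"): "Domain B"},
    )
    events = [
        {"id": 1, "collector": "ec-a", "source": "Source 1", "ip": "10.0.0.5"},
        {"id": 2, "collector": "ec-a", "source": "Source 3", "ip": "10.0.0.5"},
        {"id": 3, "collector": "ec-shared", "source": "Log Source 4",
         "properties": {"tenant": "i"}},
        {"id": 4, "collector": "ec-shared", "source": "Log Source 4",
         "properties": {"tenant": "ii"}},
        {"id": 5, "collector": "ec-shared", "source": "New Source"},
        {"id": 6, "collector": "ec-b", "source": "New Source 2"},
    ]
    return domains, events

if __name__ == "__main__":
    domains, events = build_demo()
    for e in events:
        print(e["id"], e["source"], "->", domains.resolve(e))
```

Events 1 and 2 share the address 10.0.0.5 yet resolve to different domains, and event 5, arriving on a collector with no domain, is visible to neither tenant profile until an administrator assigns it.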


Vulnerability Management on a Domain Level

QRadar Vulnerability Manager allows asset profiles to be denoted with domain categorizations for exported scan results

• Domain is defined per scanner for dynamic scanning
• Domain is a selectable criterion when filtering results
• Credentials controlled through the user’s security profile relating to the domain specified
• Saved searches for scan results will return assets that also match domain visibility of the user

Note a key value proposition of QRadar Vulnerability Manager is that scanners can be enabled on the deployed QRadar infrastructure without incurring additional infrastructure overhead.


Summarizing QRadar Multi-Tenancy Capabilities for Service Providers

Supports multiple customers within single QRadar instance

Guarantees separate correlation processing for each client’s security data

Restricts client visibility to only their security data – logs, flows, offenses etc.

Permits vulnerability scan data sharing across all clients associated within common domain

Facilitates simplified system administration of all client domains


QRadar Master Console


Master Console: A Single View Across Multiple QRadar Deployments

Centralized health view and system monitoring

Additional planned capabilities:

• Centralized offense view and management
• Content Management
  o Log Source Management
  o Rules
  o Reports
  o Saved Searches
  o Dashboards
• User Accounts
• Federated Search
• Seat Management

[Diagram labels: Network A, Network B, Network C, Network D, Network E; Multi-tenant QRadar deployment; IBM Security Intelligence on Cloud]


Facilitating Access to Underlying QRadar Deployments

Pass-through APIs: Service Provider analyst can employ Master Console Pass-through APIs to programmatically invoke QRadar APIs and build custom applications

Click-through Log-in: Service Provider analyst can log-in to specific QRadar deployment (managed from the Master Console) to get additional details needed for an investigative process

[Diagram labels: Analyst, Customer A, Customer B]


Deploying Master Console

Master Console software package included in QRadar ISO at no additional cost – updates provided via Fix Central

Installs on Service Provider’s own hardware, VM or cloud instance using 8500 activation key - recommended specifications equivalent to QRadar 3105 hardware appliance


IBM Security Intelligence on Cloud


Service Highlights

• Security Intelligence as a Service

• X-Force Exchange integration

• Physically segregated client data

• Real time & historical correlation of assets, events, and vulnerabilities

• Advanced threat detection

• Configurable SOC and management dashboards

• Supports integrations of 450+ security & IT solutions

• Seamless integration with IBM Global SOC for additional Security Services

Professionally deployed and managed solution enabling organizations and Service Providers to focus on monitoring security intelligence operations

[Diagram labels: Software Gateways, Secure robust channel, Security Intelligence]


Partnering with IBM


Go-To-Market Options

Application Specific Licensing (ASL)

• Appliances or software (including virtual appliances)
• Support either perpetual license or monthly payments
  o Zero upfront costs – pay only for EPS or Flows consumed by customers every month or quarterly
  o Earn discounts – as business pipeline scales earn discounted pricing or specify commitments to get discounted price up front
• Removes restriction on how EPS and Flows are allocated across two or more customers
• Current, standard processes remain in place to establish an ASL agreement

Resell

• Appliances, software (including virtual appliances), or SaaS (IBM Security Intelligence on Cloud)
• Collaborate with IBM to design and develop your marketing material
• Realize built-in margin and complement with value added services
• Current, standard processes remain in place to establish a Reseller agreement


IBM Value Proposition for Service Providers

Best-in-Class Security Intelligence solution with flexibility to meet your needs

• Full spectrum of Security Intelligence capabilities
• On-premise or Cloud delivery
• Dedicated environment or multi-tenant
• Horizontally scalable

Choice of Go-to-Market options to suit various business models

• Minimize up-front costs
• Maximize margins
• Maintain customer relationships

Rapid Time-to-Value

• Simplified deployment options
• Out-of-the-box security content and integrations

Platform for adding high-value services in cost-effective and streamlined fashion

• Tailored security building blocks
• Single Pane of Glass for security monitoring and management


Contact your Local IBM Representative

Middle East & Africa

Jean-Luc Labbe

[email protected]

North America

Chad Kinter

[email protected]

Europe

Serge Richard

[email protected]

Asia Pacific

John SK Chai

[email protected]

Worldwide Sales

Bill Wallace

[email protected]


www.ibm.com/security

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY