Page 1

IBM QRadar for Service Providers: Extending Market Reach Through Multi-Tenancy & SaaS

May 2015

Vijay Dheap, Global Product Manager, QRadar

© 2015 IBM Corporation | IBM Security

Page 2

Agenda

Motivations

QRadar Multi-Tenancy

QRadar Master Console

Security Intelligence on Cloud

Partnering with IBM

Page 3

Motivations: Making Security Intelligence Accessible

Page 4

It’s A Not So Friendly Cyber World…and Many are Ill-Equipped

Risks abound and cost continues to grow

Limitations in even grasping an organization’s security posture constrain the ability to adapt it…

Page 5

Organizations of All Sizes Plan on Raising their Basic Security IQ

Growing demand needs to be served by a best-in-class solution: QRadar and Service Providers together provide not just the reach but also the expertise to onboard and support these organizations on their security intelligence journey

Page 6

Service Provider Requirements to Serve this Market Demand

Offer a range of security intelligence capabilities, from the basic to the advanced, to meet the spectrum of security needs of customers
• Log Management
• SIEM
• Network, app, and service usage visibility
• Vulnerability Management

Adaptive deployment of the technology depending on the size and scale of the customer
• Dedicated environments for large institutions
• Shared infrastructure for small/mid-size organizations

Deliver Rapid Time to Value
• Quick Deployment
• In-built Intelligence
• Out-of-the-box integrations

Minimize operational costs in IT infrastructure maintenance and management
• Multi-tenancy
• Cloud delivery options

Streamline security operations to improve productivity of skilled security analysts on staff
• Centralized dashboard

Page 7

QRadar: Enabling Service Providers to Broaden the Reach of Security Intelligence

Service Providers can extend Tier 1 security intelligence capabilities to small & mid-size organizations leveraging multi-tenancy

Master Console: Service Providers can gain centralized visibility to multiple, diverse QRadar deployments – multi-tenant or dedicated

Service Providers can either deploy QRadar in the cloud or resell the IBM Security Intelligence on Cloud offering to minimize capital expenditures and offer an operating expense model for security intelligence to their customers

[Figure: Customers A through E served by multi-tenant and dedicated QRadar deployments under one Master Console; the Master Console and cloud offering are marked as new]

Page 8

QRadar Multi-Tenancy

Page 9

Multi-Tenant QRadar for Managed Security Service Providers

Significant new capabilities to help Service Providers bring security to customers:
• Scalable appliance architecture
• Shared modular infrastructure
• New centralized views and incident management
• Mixed single and multi-tenanted deployment options
• True horizontal, snap-on scalability capabilities
• Extensive APIs for enterprise integration
• System configuration template support
• Cloud ready with support for 400+ out-of-the-box devices

IBM Security QRadar is:

MULTI-TENANT: enables secure, rapid and cost effective delivery of security intelligence services

AUTOMATED: drives simplicity and accelerates time-to-value for service providers

SCALABLE: scales from smallest to largest customers with centralized management of single and multi-tenanted systems

Page 10

Introducing the Domain Concept

Domains are the building blocks for Multi-tenant QRadar:
• Allows for segregating overlapping IPs
• Enables categorizing sources of security data (e.g. events, flows) into different sets
• Facilitates monitoring and analysis of one or more subsets to attain granular visibility

Domains can be defined at three levels, listed here in increasing order of priority:

Collector-level: Collectors (events or flows) are used to distinguish among domains

Source-level: Sources (log or flow), possibly aggregated by the same collector, can be specified as belonging to different domains

Properties-level: Specific events within a log source can be associated to various domains

[Figure: at collector level, one collector each for Domain A and Domain B; at source level, Source 1 and Source 2 in Domain A and Source 3 in Domain B; at properties level, Log Source 4 with Property i in Domain A and Properties ii and iii in Domain B]

Page 11

Automatic Detection & The Default Domain

In cases where there is no event collector dedicated to a domain, log sources that are automatically detected with no previous domain assignment are allocated to the default domain, so that the Service Provider admin or global admin can make the domain assignment (if any)

Prevents data leakage and enforces data separation across domains

[Figure: the three-level domain diagram from page 10]

When a dedicated event collector is assigned to a unique domain, new log sources that are automatically detected are automatically assigned to that domain

Page 12

Domain Data Available in QRadar

Page 13

Domain Support in Rules

Custom rules engine is now domain-aware, automatically isolating correlations from different domains.

A new domain test allows for cross-domain correlations where desired or necessary

Page 14

Domain Aware Retention Policies

Define domain-based retention policies

Enables domain-specific data retention policy definition

Page 15

Security Profile Domain Support

Security Profile can be restricted to one or more domains

Security Profile will restrict access to flows, events, assets, and offenses based on domain

Page 16

Offense Domain Support

Domain information is carried all the way through to the offense

Page 17

Asset Model Domain Support

Each asset is assigned to a domain

Assets can have overlapping IP addresses

Page 18

Controlled Access to Domains

New User Security Profiles can be instantiated to control access to domain data:
• Enables defining user access rights to one or more domains
• Allows for delegation of responsibilities across domains
• Facilitates defining domain specific visibility

[Figure: Domain A Security Profile mapped to Domain A; Domain B Security Profile mapped to Domain B]

Once Domains are defined, the next step is to control user privileges to those domains

Process in the QRadar Admin Console:
1. Define Security Profiles for the Domains
2. Associate users from those domains to the appropriate security profiles
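As an added example (not IBM's code or the product's implementation), the following Python sketch models the domain precedence described on pages 10 and 11 together with the security-profile restriction from pages 15 and 18; the class names, domain labels, collector and source identifiers and sample events are constructed assumptions.

```python
"""Added example (not IBM's code): toy model of domain precedence and profile visibility."""
from dataclasses import dataclass, field

DEFAULT_DOMAIN = "default"  # assumption: label for the catch-all default domain

@dataclass
class DomainConfig:  # one mapping per level of the deck's figure; keys are constructed
    by_collector: dict = field(default_factory=dict)  # collector -> domain
    by_source: dict = field(default_factory=dict)     # log source -> domain
    by_property: dict = field(default_factory=dict)   # (source, property) -> domain
    def resolve(self, collector, source, prop=None):
        """Most specific level wins: properties > source > collector > default."""
        if prop is not None and (source, prop) in self.by_property:
            return self.by_property[(source, prop)]
        if source in self.by_source:
            return self.by_source[source]
        if collector in self.by_collector:
            return self.by_collector[collector]
        # Autodetected source with no assignment waits in the default domain for an admin
        return DEFAULT_DOMAIN

@dataclass(frozen=True)
class SecurityProfile:
    domains: frozenset  # domains this profile is restricted to
    def visible(self, tagged_events):
        """A user holding this profile sees only events from their domains."""
        return [e for e in tagged_events if e["domain"] in self.domains]

# Constructed config: ec1 serves Domain A, but src3 on ec1 belongs to Domain B,
# and src4 is split between domains by a property value (e.g. a tenant tag).
CONFIG = DomainConfig(
    by_collector={"ec1": "DomainA", "ec2": "DomainB"},
    by_source={"src3": "DomainB", "src4": "DomainA"},
    by_property={("src4", "tenant=B"): "DomainB"},
)
EVENTS = [  # constructed events: (collector, source, property value)
    ("ec1", "src1", None), ("ec1", "src3", None),
    ("ec1", "src4", "tenant=B"), ("ec1", "src4", "tenant=A"),
    ("ec9", "new-src", None),  # autodetected on a collector with no domain
]

def tag_events(config=CONFIG, events=EVENTS):
    """Stamp each event with its resolved domain, as the pipeline would."""
    return [{"collector": c, "source": s, "prop": p, "domain": config.resolve(c, s, p)}
            for c, s, p in events]

def visible_to(domains, config=CONFIG, events=EVENTS):
    """Events a user restricted to `domains` is allowed to see."""
    return SecurityProfile(frozenset(domains)).visible(tag_events(config, events))
```

The last event lands in the default domain rather than being guessed into a tenant, which is the separation guarantee page 11 describes.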

Page 19

Vulnerability Management on a Domain-Level

QRadar Vulnerability Manager now allows scanners to be domain-aware enabling asset profiles to be denoted with domain categorization when scan results are exported.

• Domain is defined per scanner for dynamic scanning
• Domain is a selectable criterion when filtering results
• Credentials are controlled through the user’s security profile relating to the domain specified
• Saved searches for scan results will return assets that also match the domain visibility of the user

Note: a key value proposition of QRadar Vulnerability Manager is that scanners can be enabled on the deployed QRadar infrastructure without incurring additional infrastructure overhead.

Page 20

Summarizing QRadar Multi-Tenancy Capabilities for Service Providers

Support multiple customers in a single QRadar deployment

Service Provider responsible for system administration of all customer domains

Each customer only has visibility to their security data – logs, flows, offenses etc.

Guarantees that a customer’s security data is not correlated with security data from other customers

Service Provider responsible for running vulnerability scans but customers can gain visibility to scan reports associated with their domains

Page 21

QRadar Master Console

Page 22

Master Console: A Single View Across Multiple QRadar Deployments

Centralized health view and system monitoring

Additional Planned Capabilities:
• Centralized offense view and management
• Content Management
  o Log Source Management
  o Rules
  o Reports
  o Saved Searches
  o Dashboards
• User Accounts
• Federated Search
• Seat Management

[Figure: Master Console overseeing Networks A through E, a multi-tenant QRadar deployment, and IBM Security Intelligence on Cloud]

Page 23

Facilitating Access to Underlying QRadar Deployments

Pass-through APIs

[Figure: Analyst calls Master Console APIs, which pass through to the QRadar APIs of the Customer A and Customer B deployments]

An Analyst can employ the Master Console Pass-through APIs to programmatically invoke the QRadar APIs of deployments to which she has access. This can be used to build custom applications desired by the service provider

Click-through Log-in

[Figure: Analyst logs in from the Master Console to the Customer A or Customer B deployment]

An Analyst can log in from the Master Console to a specific QRadar deployment that they manage, to get additional details they may need as part of the investigative process

Page 24

Deploying Master Console

Every customer who purchases QRadar is entitled to Master Console – no additional cost to the customer

Master Console is a software package included in the QRadar ISO – updates are provided via Fix Central

The customer is responsible for installing this software on their own hardware, VM or cloud instance – the recommended specifications are equivalent to the QRadar 3105 hardware appliance specifications

Using the QRadar ISO, the customer should install the Master Console using the 8500 activation key.

Page 25

IBM Security Intelligence on Cloud

Page 26

Extending QRadar Security Intelligence Platform to the Cloud

FLEXIBLE: a full suite of upgradeable security analytics offerings and service levels to choose from

COST EFFECTIVE: acquire and deploy quickly with no CapEx to purchase

PEACE OF MIND: trusted IBM security service professionals available to provide guidance and meet your security requirements

Cloud-based offering of the #1 Security Intelligence solution:
• Protects against threats and reduces compliance risk
• Leverages real-time threat intelligence from X-Force
• Collects data from both on-premise and cloud resources

Accelerate your ability to identify and stop cyber threats with extensive data sources:
• Security devices
• Servers and mainframes
• Network and virtual activity
• Data activity
• Application activity
• Configuration information
• Vulnerabilities and threats
• Users and identities
• Threat indicators

Page 27

IBM Security Intelligence on Cloud

Service Highlights:
• Security Intelligence as a Service
• X-Force Exchange integration
• Physically segregated client data
• Real time & historical correlation of assets, events, and vulnerabilities
• Advanced threat detection
• Configurable SOC and management dashboards
• Supports integrations of 450+ security & IT solutions
• Seamless integration with IBM Global SOC for additional Security Services

[Figure: Software Gateways at the customer send data over a secure, robust channel to the cloud Security Intelligence service]

Professionally deployed and managed solution enabling organizations to focus on monitoring security intelligence operations

Page 28

Partnering with IBM

Page 29

Go-To-Market Options

Application Specific Licensing (ASL)
• Appliances or Software (including virtual appliances)
• Support either perpetual license or monthly payments
• Zero upfront costs – pay only for EPS or Flows consumed by customers every month or quarterly
• Earn discounts – as business pipeline scales earn discounted pricing, or specify commitments to get discounted price up front
• Removes restriction on how EPS and Flows are allocated across two or more customers
• Current, standard processes remain in place to establish an ASL agreement

Reseller
• Resell Appliances, Software (including virtual appliances), or SaaS (IBM Security Intelligence on Cloud)
• Collaborate with IBM to design and develop your marketing material
• Realize in-built margin and complement with value added services
• Current, standard processes remain in place to establish a Reseller agreement

Page 30

IBM Value Proposition for Service Providers

Best in Class Security Intelligence Solution that is not only scalable but also flexible to meet the needs of a Service Provider
• Dedicated Environment or Multi-Tenant
• On Premise or Cloud Delivered
• Horizontally Scalable
• Full Spectrum of Security Intelligence capabilities

Rapid Time to Value
• Simplified Deployment options
• Out-of-the-box security content and integrations

Platform upon which high-value services can be offered cost-effectively & in a streamlined fashion
• Tailored security building blocks
• Single Pane of Glass for Security monitoring & management

Choice of Go-to-Market options to suit various business models
• Minimize up-front costs
• Maximize margins
• Maintain customer relationships

Page 31

www.ibm.com/security

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY