IBM QRadar UBA

5,926 views 24 slides May 05, 2017

About This Presentation

5/5/17 Webinar Deck


Slide Content

IBM QRadar User Behavior Analytics Detecting Insider Threat and Risks May 2017

Agenda
Problem Context
Typical Challenges
IBM UBA capabilities with machine learning analytics
IBM’s integrated approach to insider threat protection
Case Study
Next Steps
Johnny Shin, Executive Consultant - Identity and Access Management Architecture & Program Delivery, [email protected]
Jas Johal, Sr. Offering Manager – IAM Services, IBM Security, [email protected]
Milan Patel, Program Director, Security Offerings Management, IBM Security, [email protected]

Increasing attacks, shortage of skills and growing insider threats continue to dominate Growing Insider Risk Too Many Tools Increasing Attack Activity Too Few People anticipated shortfall by 2020 45 vendors annual increase for InfoSec analysts 1M 100 more security incidents from 2014-2015 64 % ’s of incidents and events daily 37 % insider data breaches 43 % perpetrators take data and go work for competitors 65 % 85 security tools from

SECURITY TRANSFORMATION SERVICES Management consulting | Systems integration | Managed security QRadar Vulnerability / Risk Manager Resilient Incident Response X-Force Exchange QRadar Incident Forensics BigFix Network Protection XGS QRadar SIEM I2 Enterprise Insight Analysis App Exchange SECURITY OPERATIONS AND RESPONSE MaaS360 INFORMATION RISK AND PROTECTION Trusteer Mobile Trusteer Rapport AppScan Guardium Cloud Security Privileged Identity Manager Identity Governance and Access Cloud Identity Service Key Manager zSecure Trusteer Pinpoint QRadar User Behavior Analytics Our integrated view provides visibility so you can stop insider threats

Example - Extending UBA with flow data
Detect flow based anomalies:
Accessing non-business resources
Accessing unauthorized resources
Potential spam/phishing attempts
Detecting malware infection
Accessing sensitive personal information
Out of policy web usage
Detect DNS anomalies:
DGA
Fastflux
Tunneling and exfiltration
End-point infection analytics

Example - Extending QVM/QRM with UBA data
Prioritize vulnerabilities based on user risk
Scanning assets of users above risk thresholds
Degrees of separation to critical assets or information for risk management
Add, modify rules on IPS side to block at user level if user is phished
Augment asset risk based on user risk
Monitor possible attack vectors for risky users

Comprehensive data set and open analytics sense malicious users
Insider Risk Score
SENSE ANALYTICS (TM)
BEHAVIORAL: Pattern identification, User and entity profiling, Statistical analysis, Anomaly detection
CONTEXTUAL: Business context, Entity and user context, External threat correlation
TIME-BASED: Historical analytics, Real-time analytics, Threat hunting, Threshold rules
Users, Cloud Applications, Applications, Data, Servers, DLP, Endpoints, Network, Threat Intelligence, 3rd Party SIEM feeds, Other analytics

IBM QRadar UBA 2.0 Machine Learning algorithms Flow based use cases that leverage QNI

IBM INTERNAL & BUSINESS PARTNER USE ONLY
IBM QRadar UBA: Detecting anomalous deviations
Monitor users on deviation from normal behavior:
14 different event categories of QRadar
Temporal analysis
Time series analysis
Predict range in which the users’ activities should fall
Example anomalous activities detected by these algorithms are:
Abnormal change in user activity (over time)
Abnormal change in user’s authentication or access activity
Deviation from normal risk posture of the user
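The slide describes the detection idea in one line: build a per-user, per-event-category time series, predict the range the next observation should fall in, and flag observations outside it. The block below is an added illustration of that idea, not QRadar UBA code and not IBM's algorithm; it assumes a mean plus/minus k standard deviations band computed over a sliding window of daily counts, with a floor on the band width so a perfectly flat history does not flag every one-event change. The daily counts are constructed sample data.

```python
from statistics import mean, pstdev

# Constructed sample data (not from the deck): daily event counts per user and
# event category, oldest day first. The final day is the one being evaluated.
DAILY_COUNTS = {
    ("alice", "Authentication"): [9, 11, 10, 12, 8, 10, 11, 9, 10, 12, 11, 10, 9, 10, 45],
    ("alice", "File Access"):    [20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 21],
    ("bob",   "Authentication"): [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 3, 4, 3, 11],
}


def predict_range(history, k=3.0, min_band=3.0):
    """Predicted range for the next daily count given a history of counts.

    Assumption (not the product's method): mean +/- k population standard
    deviations. The half-width has a floor (min_band) so that a flat history,
    whose standard deviation is zero, still tolerates small fluctuations.
    The lower bound is clamped at zero because counts cannot be negative.
    """
    mu = mean(history)
    half_width = max(k * pstdev(history), min_band)
    return max(0.0, mu - half_width), mu + half_width


def detect_deviations(daily_counts, window=14, k=3.0, min_band=3.0):
    """Slide a baseline window over each (user, category) series and report
    every day whose observed count falls outside the predicted range."""
    findings = []
    for (user, category), counts in daily_counts.items():
        for day in range(window, len(counts)):
            history = counts[day - window:day]
            low, high = predict_range(history, k, min_band)
            observed = counts[day]
            if observed < low or observed > high:
                findings.append({
                    "user": user,
                    "category": category,
                    "day_index": day,
                    "observed": observed,
                    "expected_low": round(low, 2),
                    "expected_high": round(high, 2),
                })
    return findings


if __name__ == "__main__":
    for finding in detect_deviations(DAILY_COUNTS):
        print(finding)
```

Alice's authentication count of 45 against a baseline of roughly 10 per day and Bob's jump from about 3 to 11 are flagged; Alice's file-access change from 20 to 21 is not, because the band floor absorbs it. In practice the window, k and floor are tuning knobs per category: too tight a band produces a flood of low-value deviations, too loose a band hides the slow ramp-up that often precedes data theft.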

IBM QRadar UBA: Machine Learning algorithms “Deviations from normal behavior”

SOC analysts gain speed from user behavior analytics …in the hunt to reduce risks and eliminate threats
Easily find malicious behavior
Easily acquire, deploy and use
Improve analyst efficiency
Detect threats across users and assets leveraging advanced analytics with behavioral patterns
Tap into broad set of internal data sources and threat intelligence
Visibility into the risk posture within hours not days
Download app and install quickly
Identify risky users, behavior and offences in minutes not hours
Reduce overhead on skills and time

To get most of your UBA - 3 steps to stop harmful insider actions
STEP 1: Reduce your exposure: Secure your sensitive data and govern your user identities
STEP 2: Detect insider threats: Anticipate the risk of malicious actions before they occur and respond when breached

Address security gaps insiders exploit with an integrated approach
Who has access to sensitive data?
Who should have access?
Can you control privileged user access to sensitive data?
How are your users accessing the data?
What data is sensitive?
Where is sensitive data stored?
Is the right sensitive data being exposed?
What risk is associated with sensitive data?
What are end users and administrators doing with data?
What do normal transaction patterns look like between the user and your sensitive data?
How much can you trust each individual user?
When should a deviation from “normal” be cause for further investigation?

Safeguard against harmful insider actions with trusted security expertise, actionable intelligence and powerful technology
User Behavior Analytics
SIEM
Access management
Identity management & governance
Privileged users management
Data protection
Risk detection & threat analytics
Data activity monitoring
Security Services: Identify gaps, improve compliance and prioritize security actions
Integrate your capabilities
Security expertise to drive insights

3 steps to stop harmful insider actions
STEP 1: Reduce your exposure. Secure your sensitive data and govern your user identities
STEP 2: Detect insider threats. Anticipate the risk of malicious actions before they occur and respond when breached
STEP 3: Get started today. Apply a systematic approach and methodology to your 5-10 most important crown jewel data.

Getting started: An integrated approach that provides clear, actionable intelligence
Prioritize compliance and security actions with risk-based insights from end-to-end mapping of your critical information’s access pathways
Analyze user behaviors to detect suspicious activities for further investigation
Insider threat protection services from IBM: Trusted IBM security specialists can offer the business, data and IAM security experience to help you evaluate intelligence, draw more meaningful conclusions and prepare for next steps.

IBM puts our insider threat solution into practice with a consistent and repeatable four step operational model with emphasis on high risk assets
1 Define, 2 Discover, 3 Investigate, 4 Remediate
Define use case
Identify critical data (crown jewels)
Identify privileged users
Matching user list
Corporate data
Trigger
Machine/statistical analysis
Resource usage analysis
Policy violation analysis
Top down comparative analysis
Bottom up comparative analysis
Anomaly activity trigger
Potential threat
Log sources: APP/SYSTEM TRANSACTION LOG, APP/SYSTEM CHANGE LOG, APP/SYSTEM ACCESS LOG, APP/SYSTEM PROCESS EXCEPTION LOG (Applications, Enterprise Systems), HTTP SITE ACCESS/DOWNLOAD LOG, EMAIL HISTORY/ATTACHMENTS LOG, PC LAPTOP USB/EXT. HARD DR./CD COPY LOG, LYNC CHAT/DOWNLOAD LOG, REMOTE ACCESS LOG, PRINTER/FAX LOG, PHYSICAL ACCESS LOG, EXT. STORAGE ACCESS LOG, EXT. EMAIL ACCESS LOG, SHARE DRIVE/POINT ACCESS HISTORY, PC/LAPTOP LOSS/STOLEN REPORT, PC/LAPTOP CRASH/REPAIR LOG, PICTURE PC/LAPTOP SCREEN (CCTV)
Decision committee
Application owner/controller
User’s manager
Escalation
Corporate/legal action
Close loop/remediation
Insider threat protection services from IBM

We implemented this solution for one of our global pharma clients to help address concerns about the impact of major re-org on employee morale
Project Overview:
Identified 7 areas of Information Classification in scope for the project: Finance Management, Financial Transactions, Procurement-Sourcing, HR, Tax, Planning, and Risk Management
Out of the 7 areas of Information Classification, identified 11 Confidential “Red” information for use cases: True Cost Data, Process Order, Serialization, Employee SPI, Investigation and Disciplinary, Purchasing and Contractual, Vendor SPI, Customer SPI, Undisclosed Financial Data, Project System
Mapped ~20% of “Red” data to specific SAP tables, transactions, and roles which expose the information
Collected 7 months of SAP transaction logs to analyze user activities across the sensitive transactions identified
Identified anomaly activities for further investigation

During the project, we analyzed sensitive transactions used for the first time in the month of leaving the company
Data Summary:
7 months of SAP transaction logs obtained
Termination report obtained
1,984 users
Over 1M lines of transaction log entries captured
Of 1M entries, 56k sensitive transactions used
Of 56k transactions, 885 sensitive transactions were used by users on the terminated report
Outcome:
1st Analysis Finding: 8 users used 10 sensitive transactions for the first time in December 2014 before leaving company
1st Analysis Findings

Our team also detected sudden and significant increases in users using sensitive transactions in the month of leaving the company… risky insiders!
Data Summary:
7 months of SAP transaction logs obtained
Termination report obtained
1,984 users
Over 1M lines of transaction log entries captured
Of 1M entries, 56k sensitive transactions used
Of 56k transactions, 885 sensitive transactions were used by users on the terminated report
Outcome:
2nd Analysis Finding: 7 users show sudden increase in sensitive transaction usage right before the termination
2nd Analysis Findings
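The two case-study findings above come from the same join: SAP transaction logs, a list of sensitive transaction codes, and the termination report. The block below is an added, self-contained version of both analyses (first use of a sensitive transaction in the leaving month, and a sudden increase in sensitive-transaction volume right before termination). It is not the client engagement's code or IBM's tooling; the transaction codes, user ids, dates and the "increase" threshold (leaving-month count at least 3x the prior monthly average) are constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data, not the client data described in the deck.
# Transaction codes starting with Z are placeholders for sensitive SAP
# transactions; "SU01" stands in for a non-sensitive code.
SENSITIVE_TCODES = {"ZTC01", "ZSPI02", "ZPO03"}

TERMINATION_REPORT = {          # user id -> last working day
    "u1001": date(2014, 12, 31),
    "u1002": date(2014, 12, 15),
    "u1003": date(2014, 12, 20),
}


def _monthly(user, tcode, months, per_month):
    """Helper to build repetitive log rows: per_month uses in each given month."""
    return [(user, date(2014, m, 10), tcode) for m in months for _ in range(per_month)]


# Each row is (user id, date, transaction code), like a flattened SAP audit log.
TRANSACTION_LOG = (
    _monthly("u1001", "ZTC01", range(8, 13), 2)      # steady use Aug-Dec
    + [("u1001", date(2014, 12, 3), "ZSPI02")]        # first ever use, in leaving month
    + _monthly("u1002", "ZTC01", range(6, 12), 1)     # one use per month Jun-Nov
    + _monthly("u1002", "ZTC01", [12], 12)            # twelve uses in December: spike
    + [("u1003", date(2014, 10, 5), "ZPO03")]         # nothing sensitive in leaving month
    + [("u2000", date(2014, 12, 8), "ZSPI02")]        # not on the termination report
    + [("u1002", date(2014, 12, 9), "SU01")]          # non-sensitive code, ignored
)


def month_key(d):
    return (d.year, d.month)


def sensitive_usage(log, sensitive, terminations):
    """user -> tcode -> (year, month) -> count, restricted to terminated users,
    sensitive codes, and activity on or before the termination date."""
    counts = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for user, d, tcode in log:
        term = terminations.get(user)
        if term is None or tcode not in sensitive or d > term:
            continue
        counts[user][tcode][month_key(d)] += 1
    return counts


def first_time_use_in_leaving_month(log, sensitive, terminations):
    """1st analysis: sensitive codes a user executed for the first time in the
    calendar month of their termination."""
    findings = {}
    for user, per_code in sensitive_usage(log, sensitive, terminations).items():
        leaving = month_key(terminations[user])
        new_codes = sorted(code for code, by_month in per_code.items()
                           if min(by_month) == leaving)
        if new_codes:
            findings[user] = new_codes
    return findings


def sudden_increase_before_termination(log, sensitive, terminations, factor=3.0):
    """2nd analysis: users whose sensitive-transaction volume in the leaving
    month is at least `factor` times their average over earlier active months.
    Months with no sensitive activity do not enter the average, which keeps the
    baseline conservative. Users with no earlier history are skipped here; the
    first-time check above is the one that covers them."""
    findings = {}
    for user, per_code in sensitive_usage(log, sensitive, terminations).items():
        leaving = month_key(terminations[user])
        totals = defaultdict(int)
        for by_month in per_code.values():
            for month, n in by_month.items():
                totals[month] += n
        prior = [n for month, n in totals.items() if month < leaving]
        if not prior:
            continue
        baseline = sum(prior) / len(prior)
        leaving_count = totals.get(leaving, 0)
        if leaving_count >= factor * baseline:
            findings[user] = (leaving_count, baseline)
    return findings


if __name__ == "__main__":
    print("first-time use:", first_time_use_in_leaving_month(TRANSACTION_LOG, SENSITIVE_TCODES, TERMINATION_REPORT))
    print("sudden increase:", sudden_increase_before_termination(TRANSACTION_LOG, SENSITIVE_TCODES, TERMINATION_REPORT))
```

Two details matter when this is run against a real termination report: activity after the recorded last working day is dropped, because anything executed with a live account after termination is a separate access-governance finding rather than a behavioral one, and users who appear in the log but not on the report are excluded entirely, which is the "matching user list" step of the four-step model.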

Our experts help deliver
Leading security innovation by IBM Research, with over 3,000 security and risk patents
Strategic Advising: Product agnostic recommendations
Cognitive-driven Solutions: Derive insights from Watson Analytics
Award winning IBM Security Systems can provide a full range of integrated security services and products
Worldwide Presence: Threat visibility from 10 Security Operations Centers monitoring 13-plus billion events per day from 20,000-plus devices
Worldwide Subject Matter Expertise: over 3,700 security consultants and 3,300 service delivery experts
IAM Expertise

Take action now
Jas Johal, Sr. Offering Manager – IAM Services, [email protected]
Johnny Shin, Sr. Executive Consultant - IAM, [email protected]
Milan Patel, Program Director, Security Offerings Management, [email protected]