What is Security Intelligence?

What makes QRadar so special? This video has been updated with
Vulnerability Manager and Trusteer. So, any SIEM out there has a correlation
engine that takes input typically from logs, and with that correlation, produces what some
of them call incidents or they call them cases. We prefer to call those offenses. But what’s the problem with that technology? Well, there are several problems. Number one is that this thing
takes forever to deploy. You need to have people with Ph.D.s on these
tools, and you need to have several of them, which these days is actually
something very expensive. Yet, in spite of all that investment
and time, you have another problem, which is that they produce lots of false
positives — gives you, you know, 200, 300 things that you should do, and you
cannot deal with 200 or 300 things. Especially if you, when you’re
dealing with those things, you find out that those things
are really normal stuff. And yet, in spite of all those false
positives, they miss a lot of important things. And we’ll see that that is mainly because
they lack context to make the determination on what is important and what is not important. Finally, these technologies are
not much help with APTs and fraud. QRadar does it differently. For one, from the very beginning, QRadar
has been very good at incorporating flows into its correlation engine. You’ll see that flows provide
a great deal of context. What are flows? Well, flows are, first of all, the nomenclature: Cisco calls them NetFlow,
Juniper calls them J-Flow. Some other people call them sFlow. And today there’s a standard called IPFIX. But all these are
layer 4, layer 2 data. This is what tells you whether something
is going out your network and going to a particular country of interest or not. You’re not going to get that
out of the plain logs. This is passive information
that routers and switches produce. Extremely helpful for doing investigation. We don’t stop there. We also have something that we call QFlow,
which is we take the first 64 bytes by default, 64 bytes of every incoming traffic, every
incoming packet, and we see its content. So, this is actually layer 7
analysis of what’s going there. So, we can tell, well, this is IRC traffic. This is PDF going out. This is, you know, these are
that type of particular traffic. We don’t stop there. We also deal with a problem with
a technology that we call VFlow. And this has to do with the fact that
when you use something like VMware, all that communication that typically
would go through routers, all this layer 4 and layer 2 traffic, is going to go through
the hypervisor, so it’s not going to be seen. Well, we actually have a hook into the
VMware APIs and we collect that data in spite of you doing virtualization. So, we take all that flow and we give that
additional context into everything we do. But there’s more we can do. We have an asset database that
is integral to everything we do. And with that asset database, let me show
you some of the things that we have in there. For one, we have automatic
detection of devices and servers. And QRadar started from a networking
perspective from the very beginning, so for us it’s always been very easy to
detect, well, which is the HTTP type of traffic. So, this might be the HTTP server. Well, here is some FTP; this might be an FTP server. DNS, same thing. Mail, same thing. Now, this allows us to provide
a great deal of context. So, for example, if we see a
workstation sending a ton of e-mail and we know it’s not a mail server because
it doesn’t use a mail server protocol, we may think that that machine
is being used for spam, you know. This also simplifies deployment tremendously,
because not only do you not have to sit down and put in all the IP addresses of all
the devices, of the devices you know, many of them you don’t know, but actually
because we do that detection automatically, our database is always up to date. Whenever a new thing comes in, we see what it’s
doing, we identify it and we present it to you and say, whoa, we discovered
a new database being launched. Did you know about it? We also add into the asset
database user information. It is very lame to report on IP
addresses, but it’s more useful when we say this particular user was using
that IP address at the moment of the event. How do we know that? We monitor Active Directory and any other
Web log-in that the user may be doing, and then we attach that at that
particular time this was the user behind there; we look at the DHCP logs,
and that helps us with that. We also take input from our
IPSs, and we take IPS data; in particular, IPSs can now do IPFIX
directly and rich application information. We know, you know, when data is going
to Facebook or any kind of social site. So, we say, well, this is Facebook
traffic and we see a user posting data and this is the data the user posts. We can do all that. We also take from Guardium. We protect your databases
without collecting any logs. We take information from Guardium and what
is it blocking or what is it warning about. So, this provides a tremendous
level of context on database data. We do a similar job with the mainframe, in
which you don’t have to bring the SMF records into your SIEM and flood your SIEM with those; we can
actually filter those. We actually have in the asset
database IP reputation now. So, we have our feeds from IP reputation,
we can detect things like, well, this IP address is a botnet
or this is a malware site. Well, that brings tremendous context, doesn’t it, to whatever offense we are
reporting for that device. This is a user going through an anonymous proxy, kind of the Tor network,
and why is it doing that. We know about IPs that are scanning IPs,
searching for targets of opportunities. And we not only look at a particular IP address
but we also look at IP addresses by range. So, we look at dynamic ranges for IPs. We know about spam sites. And you know, far more data that is very
useful from the IP reputation standpoint. We take inputs from our identity management
component and our access management component. So, we can detect failed log-ins and,
you know, from that device at the DMZ. We take input from vulnerability scanners. So, it makes a lot of sense if we see
SQL injection type of traffic going to a particular IP address that we know
that is vulnerable to SQL injection, we’re going to make a big deal and give a
great deal of relevance to that offense. We don’t stop there. We added a component to QRadar
called Risk Manager. And what is it that is addressing? Well, when you ask questions of, am I
susceptible to SNMP attacks, for example? The answer, if you ask that to somebody,
the answer is going to be, well, I need to see the configuration of your SNMP. So, what Risk Manager is going to do is take this
configuration info from devices and components like firewalls, routers and others, and
it’s going to feed that into this model and it’s going to allow you
to do several things. For one, you can do simulation and
see, well, what if we get this type of particular attack, how far will it propagate? It also is going to be bringing
into your SIEM topology information. In fact, people love that
because they can get detailed
state of their network. And because we have that asset database
that detects those things automatically, those charts are always up to date. But we can also do even more
things, like we can detect things like firewall configurations that are in error. We can detect ineffective
firewall rules, et cetera. So we can do that, all that by looking not
only on the logs, not only on the flows, but now the configuration of your devices,
and that gives us a tremendous level of detail. Context, again. That eliminates the false positives. And all this is what allows us to do some very
smart filtering and be able to take billions, and we have customers with
billions of events every day. What do I do with those billions of events? Well, if I provide good enough context,
I can reduce that massive list of things into just a handful of offenses
that your people need to deal with. You need to reimage that box, you need to
change the setup of that particular IP address, you need to, you know, do specific things. And your people can deal with a handful of
events, not with billions of events. That’s what QRadar has been
doing so well for so long. We don’t stop there. We recently added a Vulnerability
Manager and scanner into QRadar. You may say, well, if there are so many
good vulnerability scanners out there, in fact I cannot even fix all the things
that those vulnerability scanners produce, why do we want to bring another one? Well, let me show you why, and you’ll
understand why we came up with this component. For one, we take any data that you may
have from any other scanner out there. There are many good ones. But they are not, you’ll see that they
are not attached to an asset database. We also take more, even more vulnerabilities. You say, well, you cannot deal with all
those, well, here there are even more. So, we can take vulnerabilities from Guardium. Guardium is actually very good at
looking at a database configuration and detect vulnerabilities that any
other scanner will definitely miss. We take input from AppScan, which is
going to do a far more detailed analysis on the vulnerabilities of your Web application. We now take data from Trusteer which
is so good of protecting your endpoint. And what we do is that we have a very
good integration with SiteProtector now, which is the console for our IPSs, and we can do
a good analysis that will tell your IPSs, say, well, I know I found a SQL injection
vulnerability; I know, IPS, for the way that you are located, if you turn that protection
on, I will be immune to that. So, please help me with that. Those types of things. And what we’re going to be
producing is think of it as your vulnerabilities displayed in this way. You’re going to get a large group of those
vulnerabilities that are what we call inactive. Let’s say you have an SNMP
vulnerability because of the way that you have configured your
system, you are vulnerable to that. But we see that that device
is actually inactive. You don’t have it. It’s NPO. We don’t see any flows that indicate
that there is such traffic being used. So, you should fix those. And for compliance reasons you
definitely need to fix them. But for now, relax, there are bigger
things for you to worry about than that. And that takes a great deal of load out
of your compliance efforts if you know that those things are not active. We also are very good at detecting what has
been patched both from the scanner perspective and from things like BigFix, our endpoint
protection that can tell us what are the things that are actually patched and say, well, those
things are patched, don’t even worry about it. Those are things of the past, because with any
configuration that we have with SiteProtector, we can say, well, these things are
actually being logged by your IPSs, in some cases by a firewall, and
therefore don’t worry about those. And we’re going to leave you with a smaller
set of things that are really at risk because the feed we have from X-Force
and CVEs and other sources, you know, we know that in your particular system, these
things are ready for a hacker to exploit. And you should worry about that. And we also will show you another bucket of the
things, and hopefully this is a small bucket. Our network anomaly detection has detected
that, for example, yes, you had SQL injection and there’s evidence of SQL
injection traffic in there, so your machine has actually been compromised. So, that and a few other things that we also
actually do is probably worth mentioning that when we find our asset database, you
know, that is so good…we spoke before about the asset database, and
actually I should have highlighted that this provides a great
deal of context, again. And when the asset database
detects that there is a new device, you can have a rule that says, well, scan it. You see, the problem with the scanning is
that you do scanning once a month typically. You know, some companies don’t
even do it that frequently. Why? Well, because this stuff is massive. It takes so much time and
so much network traffic that you don’t do these ad
hoc; you plan for these things. But what happens if you have a new
device, well, and it’s vulnerable? If I don’t, I will have to wait for the
next round of scanning in order to detect that the device is actually vulnerable. Not with QVM. QVM can actually, as soon as the device comes
in, can scan only that particular device without generating any more trouble. Let’s say that you get new
vulnerabilities, a new Java vulnerability, which is a weekly event almost these days. Well, I’m going to scan the
devices that have that component, and the asset database will even tell
you which of the devices are vulnerable to that particular new vulnerability. And because we have topology information that we
get from Risk Manager, it’s actually very useful to see, well, this vulnerability,
how close it is to my DMZ, how close it is to this sensitive database. We also, whenever we see a suspicious
device, and we do that very well at QRadar, we can actually say, well, what is that
device now sending that type of traffic. I’m going to scan it. You can actually also with QVM
scan your DMZ from the outside. That gives you a different perspective
than when you do it from the inside. You can do things like, well, I’m
going to scan just my Web servers, because the asset database knows who they
are, you can actually selectively scan those. You can actually have reference sets
and do, you know, particular scannings of particular reference set of, you
know, sensitive or risky devices. You don’t have to wait and do all
this shotgun approach that you do with traditional vulnerability scanners. I also failed to mention that QRadar is
very good at doing baseline analysis. And we have two sliding windows, one of
24 hours and another one of seven days, that we use to detect what is
normal and what is not normal. So, when we see workstations doing, or endpoints
or servers doing, things that they didn’t use to do, that in itself gives us some relevance
that we can use to correlate with the rest of the things and detect things that are not good. So, in short, we have seen that QRadar is
actually very good at producing and dealing with hot data, real time or near
real time, every minute, you know, we can detect the things that actually happen. We tag the information very
nicely with geo location, with user information, protocol use, et cetera. So we enrich the data. Our data is actually very
structured data by nature. We are very good at detecting, you
know, behavioral type of issues. Again, we do a master more with the flows. And now data is typically
on the order of terabytes. But remember the point that I mentioned
about not too much help with fraud and APTs. Well, for example, let’s say the classical case
of the DNS forensic, I want to see as an example which of my users are going to bot sites
because those are the few ones that generate so much trouble, so I want to
understand what they’re doing. In fact, I encourage you to do a Google
search on YouTube DNS forensic and QRadar and you’ll find a demonstration
of that technology in action. So, I want to see what those users are. Well, you need, you cannot do
that online because, first of all, the DNS doesn’t give you much data, it just gives you the IP address
of the URL you are trying to go. But the registrar information on that is huge. How can I take advantage of that? QRadar now has an extension with BigInsights,
which is IBM’s Hadoop implementation. And now we can take unstructured data. Like what? Well, for example, mail. We can analyze mail for years. Social data, who is actually sending
what type of information with what. DNS registrar, as I mentioned before, tons of
information about this: what was the registry, the site was registered last
week, mmm, that’s very suspicious because that’s what malware people do, you know. Who’s the registrar? Is this GoDaddy? Is this VeriSign? Is it China Post? You know, I mean, all the things
actually very, very, very important. I can actually add information
from malware sites. So, I can bring all that
unstructured data into it. But I can also feed definitely structured data. And the data QRadar produces is
obviously a prime candidate for that, that structured and rich data into my analysis. And I can do searches offline, of course. At the end of the day, every day
over long period of time I want to see what are these people doing
for, you know, last two years. And there’s a technology called Big…within
BigInsights, it’s BigSheets that allows me to actually perform those analysis. And this is data that is in the
order of petabytes, this is massive. So, again, I feed all that structured data,
and then in fact, we use the JSON format to do that into the BigInsight component. And after all that analysis, that can be
actually improved by the usage of tools like i2. Well, let me just pause for a second
and talk about what i2 can do. i2 can easily show you graphically
things like who is connected to whom, which is what is called association analysis. It’s actually very nice in
case of fraud analysis. It can show you incidence timelines, so temporal
analysis, what happened first and how these, for example, how this malware started
here and then propagated there. You can see the sequence of the actions. And actually it can show you incidents on a
map, so, you can see, make geo sense out of it. But the important thing is that, you know, you
visualize all that and then all those findings that you get from this analysis can be made
into reference sets that are fed back into QRadar and you can do new rules. Like, for example, increase the
relevance of any action done by any one of these risk users that go to those bot sites. This is a short overview of what is
it that we understand when we talk about security intelligence and what are
the things that we keep on doing and adding into QRadar to make it the center of it.
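The talk above describes four ideas in prose: inferring server roles from the traffic an asset receives, flagging a workstation that sends mail without being a mail server, sorting scanner findings into "active" versus "inactive" by whether flows show the vulnerable service in use, and a two-window (24 hour versus 7 day) baseline. The following is an added example written for this page that works those ideas through on constructed data; it is not QRadar's own logic, not an IBM API, and the flow records, service-port table, thresholds and daily counts are all assumptions chosen for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src: str    # source IP
    dst: str    # destination IP
    dport: int  # destination port
    pkts: int   # packet count (unused by the logic, kept for realism)


class Vuln(NamedTuple):
    ip: str
    port: int
    title: str


# Assumed mapping of well-known ports to service names; a real asset model
# would be far richer and would also look at the payload, not just the port.
SERVICE_PORTS = {80: "http", 443: "https", 25: "smtp", 21: "ftp",
                 53: "dns", 161: "snmp", 1433: "mssql"}


def sample_flows():
    """Constructed flow records (not captured data): a web server, a mail
    server, an FTP server, and one workstation blasting SMTP at 30 peers."""
    flows = []
    for i in range(1, 6):
        flows.append(Flow(f"10.0.1.{i}", "10.0.0.10", 80, 40))   # clients -> web server
        flows.append(Flow(f"10.0.1.{i}", "10.0.0.20", 25, 5))    # clients -> mail server
        flows.append(Flow(f"10.0.1.{i}", "10.0.0.30", 21, 10))   # clients -> ftp server
    flows.append(Flow("10.0.0.20", "198.51.100.5", 25, 8))        # mail server relaying out (normal)
    for i in range(1, 31):                                        # workstation -> 30 external MTAs
        flows.append(Flow("10.0.1.77", f"203.0.113.{i}", 25, 3))
    return flows


def infer_roles(flows, min_clients=3):
    """Asset-database style role discovery: an IP that accepts a well-known
    port from at least min_clients distinct sources is tagged with that service."""
    clients = defaultdict(set)
    for f in flows:
        if f.dport in SERVICE_PORTS:
            clients[(f.dst, SERVICE_PORTS[f.dport])].add(f.src)
    roles = defaultdict(set)
    for (ip, svc), srcs in clients.items():
        if len(srcs) >= min_clients:
            roles[ip].add(svc)
    return dict(roles)


def spam_suspects(flows, roles, min_peers=10):
    """Hosts that send SMTP to many distinct peers yet were never identified
    as mail servers: the 'workstation sending a ton of e-mail' case."""
    peers = defaultdict(set)
    for f in flows:
        if f.dport == 25:
            peers[f.src].add(f.dst)
    return sorted(ip for ip, p in peers.items()
                  if len(p) >= min_peers and "smtp" not in roles.get(ip, set()))


def bucket_vulns(vulns, flows):
    """Split scanner findings by whether any flow touched the vulnerable port.
    'inactive' findings still need fixing for compliance, but rank lower."""
    active_ports = {(f.dst, f.dport) for f in flows}
    buckets = {"active": [], "inactive": []}
    for v in vulns:
        buckets["active" if (v.ip, v.port) in active_ports else "inactive"].append(v)
    return buckets


def baseline_outliers(daily_counts, factor=3.0):
    """Two-window baseline: each host's last 24 h (counts[-1]) is compared with
    the mean of the preceding 7 days (counts[-8:-1]); hosts exceeding
    factor x that mean are reported. Each list is assumed to hold 8 daily values."""
    out = []
    for ip, counts in daily_counts.items():
        week, today = counts[-8:-1], counts[-1]
        mean = sum(week) / len(week)
        if today > factor * max(mean, 1.0):
            out.append(ip)
    return sorted(out)


if __name__ == "__main__":
    flows = sample_flows()
    roles = infer_roles(flows)
    print("roles:", roles)
    print("spam suspects:", spam_suspects(flows, roles))
    findings = [Vuln("10.0.0.10", 80, "SQL injection in web app"),
                Vuln("10.0.0.30", 161, "SNMP misconfiguration")]
    print("vulnerability buckets:", bucket_vulns(findings, flows))
    # constructed per-host daily outbound-connection counts, oldest first
    history = {"10.0.1.77": [2, 3, 2, 2, 3, 2, 2, 30],
               "10.0.1.1": [5, 5, 5, 5, 5, 5, 5, 6]}
    print("baseline outliers:", baseline_outliers(history))
```

The point of combining these is the same one the talk makes about context: on its own, thirty SMTP connections is just a count, but joined with the inferred role ("not a mail server") and the baseline ("never did this before") it becomes a small, high-relevance list rather than one of hundreds of raw alerts. The thresholds here are placeholders; in practice they are tuned per environment.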