
IBM Security Systems

IBM QRadar SIEM and Palo Alto Networks PA Series Firewall

Ellen Knickle
Product Manager, QRadar Integrations
March, 2014

2012 IBM Corporation


IBM QRadar Security Intelligence Platform

Providing actionable intelligence

Correlation, analysis and massive data reduction
Driving simplicity and accelerating time-to-value
Unified architecture delivered in a single console

IBM QRadar Security Intelligence

2014 IBM Corporation


Security intelligence timeline and definition

What are the major risks and vulnerabilities?
Are we configured to protect against advanced threats?
What security incidents are happening right now?
What was the impact to the organization?

Gain visibility over the organization's security posture and identify security gaps
Automatically detect threats with prioritized workflow to quickly analyze impact
Detect deviations from the norm that indicate early warnings of APTs
Gather full situational awareness through advanced security analytics
Prioritize vulnerabilities to optimize remediation processes and close critical exposures before exploit
Perform forensic investigation reducing time to find root-cause; use results to drive faster

Security Intelligence: the actionable information derived from the analysis of security-relevant data available to an organization


QRadar SIEM: Command console for Security Intelligence

Provides full visibility and actionable insight to protect against advanced threats
Adds network flow capture and analysis for deep application
Employs sophisticated correlation of events, flows, assets, topologies, vulnerabilities and external data to identify & prioritize
Contains workflow management to fully track threats and ensure resolution
Uses scalable hardware, software and virtual appliance architecture to support the largest


Embedded intelligence offers automated offense identification

Extensive Data Sources
Security devices
Servers and mainframes
Network and virtual activity
Data activity
Application activity
Configuration information
Vulnerabilities and threats
Users and identities
Global threat intelligence

Automated data collection, asset discovery and profiling
Automated, real-time, and integrated analytics
Massive data reduction
Activity baselining and anomaly detection
Out-of-the-box rules and templates

Prioritized Incidents


Benefits of integration with Palo Alto's PA Series Firewall

Helps reduce the risk and severity of security
Provides QRadar SIEM with a rich source of contextual data
Sends threat events that have been classified into critical, high, medium, low and informational categories
Correlates with other data sources as part of our out-of-the-box rules and reports


QRadar & Palo Alto: events coming in (screenshot)


QRadar & Palo Alto: offenses created as a result of PA events (screenshot)


Offense detail (screenshot with callouts)

What was the breach?
Was it
Who was
How valuable are the targets to the business?
How many
Are any of them
Where is all the evidence?
Where do I find them?


Automatic signature updates for the PA Firewall

IBM uses Palo Alto's REST API to obtain the updated signatures
Our import mechanism looks at the data to determine whether there are new events the Firewall can generate
If there are new events, the events are added to our event database called the QIDmap (pronounced "quid map", stands for QRadar ID map), which:
  identifies the new events
  categorizes the new events
  makes the events visible in our Log Activity tab
  enables these events to be searched, correlated, and used in rules and reports

The updates are made available to customers each week through QRadar's Weekly Auto Update process


QRadar and Palo Alto flow data

QRadar can receive and display Palo Alto Layer 7 data
PA outputs the data in NetFlow v9
The customer would simply need to create a NetFlow flow source in QRadar (which listens on port 2055) and configure their PA device to export the NetFlow records to QRadar

The flows appear in the QRadar Network Activity tab

These become a source for all of the flow-based rules
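As an added illustration of the NetFlow v9 format a PA device exports to the QRadar flow source on port 2055 (example code written for this page, not IBM's or Palo Alto's), here is a minimal decoder for the packet header, template FlowSets and data FlowSets, run over a constructed sample packet. Field type numbers follow RFC 3954; the sample packet is constructed, not a capture from a PA device.

```python
import struct

# RFC 3954 field types sufficient for a basic 5-tuple plus byte/packet counters
FIELD_NAMES = {8: "src_addr", 12: "dst_addr", 7: "src_port", 11: "dst_port",
               4: "protocol", 1: "in_bytes", 2: "in_pkts"}

def decode_v9(packet, templates=None):
    """Decode one NetFlow v9 packet -> (header, records). `templates` carries
    template definitions across packets, as a collector must: a data FlowSet
    may arrive long after the template that describes it."""
    templates = {} if templates is None else templates
    version, count, _uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    assert version == 9, "not a NetFlow v9 packet"
    header = {"count": count, "unix_secs": unix_secs, "sequence": seq, "source_id": source_id}
    records, off = [], 20
    while off + 4 <= len(packet):                       # walk the FlowSets
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4: break                             # malformed length, stop
        body, pos = packet[off + 4:off + fs_len], 0
        if fs_id == 0:                                   # template FlowSet
            while pos + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                templates[tid] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                                  for i in range(n)]
                pos += 4 * n
        elif fs_id >= 256 and fs_id in templates:        # data FlowSet
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            while rec_len and pos + rec_len <= len(body):
                rec = {}
                for ftype, flen in fields:
                    raw, pos = body[pos:pos + flen], pos + flen
                    name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
                    rec[name] = ".".join(map(str, raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
                records.append(rec)
        off += fs_len                                    # FlowSets without a known template are skipped
    return header, records

# Constructed sample packet (not a real capture): template 256 describing a
# 7-field record, followed by one data record for a TCP/443 flow.
SAMPLE = (struct.pack("!HHIIII", 9, 2, 1000, 1394000000, 1, 1)
          + struct.pack("!HHHH", 0, 36, 256, 7)
          + b"".join(struct.pack("!HH", t, l) for t, l in
                     [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)])
          + struct.pack("!HH", 256, 25) + bytes([10, 0, 0, 5, 192, 0, 2, 10])
          + struct.pack("!HHBII", 51234, 443, 6, 73000, 120))
```

A data-only packet decoded without the stored template yields no records, which is why a collector keeps templates per exporter between packets.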



Two example QRadar and PA Firewall use cases

Prevent loss of Personally Identifiable Information
A health care provider running QRadar receives an event from Palo Alto that keylogger malware has been detected on the registration desk laptop. QRadar generates a high magnitude offense, causing the security operations center to take immediate action.

DoS attack prevented
A large financial services organization receives a SQL Injection event on their online banking web server. QRadar generates a high magnitude offense when the traffic on that server spikes repeatedly over the course of 10 minutes.



Future enhancements to the PA integration

1. Support for PAN-OS 6.0
2. Addition of Custom Properties, useful for searches, rules and
   a) Virus Name
   b) Application
   c) Policy
   d) Filename
   e) Duration (seconds)
   f) URL
   g) Traffic Classification
   h) Traffic Type
   i) Criticality Rating
3. Support for Palo Alto WildFire
