
IBM Security Systems

IBM QRadar SIEM and Palo Alto Networks PA Series Firewall Integration

Ellen Knickle
Product Manager, QRadar Integrations
March, 2014

2012 IBM Corporation


IBM QRadar Security Intelligence Platform

Providing actionable intelligence

INTELLIGENT: Correlation, analysis and massive data reduction
AUTOMATED: Driving simplicity and accelerating time-to-value
INTEGRATED: Unified architecture delivered in a single console

2014 IBM Corporation


Security intelligence timeline and definition

PREDICTION / PREVENTION PHASE
  Vulnerability: What are the major risks and vulnerabilities?
  Pre-Exploit: Are we configured to protect against advanced threats?
Exploit
REACTION / REMEDIATION PHASE
  Post-Exploit: What security incidents are happening right now?
  Remediation: What was the impact to the organization?

Gain visibility over the organization's security posture and identify security gaps
Automatically detect threats with prioritized workflow to quickly analyze impact
Detect deviations from the norm that indicate early warnings of APTs
Gather full situational awareness through advanced security analytics
Prioritize vulnerabilities to optimize remediation processes and close critical exposures before exploit
Perform forensic investigation reducing time to find root cause; use results to drive faster remediation

Security Intelligence: the actionable information derived from the analysis of security-relevant data available to an organization



QRadar SIEM: Command console for Security Intelligence

Provides full visibility and actionable insight to protect against advanced threats
Adds network flow capture and analysis for deep application insight
Employs sophisticated correlation of events, flows, assets, topologies, vulnerabilities and external data to identify and prioritize threats
Contains workflow management to fully track threats and ensure resolution
Uses scalable hardware, software and virtual appliance architecture to support the largest deployments



Embedded intelligence offers automated offense identification

Extensive Data Sources -> Suspected Incidents -> Automated Offense Identification -> Prioritized Incidents

Extensive data sources: security devices; servers and mainframes; network and virtual activity; data activity; application activity; configuration information; vulnerabilities and threats; users and identities; global threat intelligence

Embedded intelligence: automated data collection, asset discovery and profiling; automated, real-time, and integrated analytics; massive data reduction; activity baselining and anomaly detection; out-of-the-box rules and templates



Benefits of Integration with Palo Alto's PA Series Firewall

Helps reduce the risk and severity of security breaches
Provides QRadar SIEM with a rich source of contextual data
Sends threat events that have been classified into critical, high, medium, low and informational categories
Correlates with other data sources as part of our out-of-the-box rules and reports



QRadar & Palo Alto Events coming in



QRadar & Palo Alto offenses created as a result of PA events



Offense detail

What was the breach? Was it successful?
Who was responsible?
How valuable are the targets to the business?
How many targets were involved? Are any of them vulnerable?
Where is all the evidence?
Where do I find them?



Automatic Signature updates for the PA Firewall

IBM uses Palo Alto's REST API to obtain the updated signatures
Our import mechanism looks at the data to determine whether there are new events the Firewall can generate
If there are new events, the events are added to our event database called the QIDmap (pronounced "quid map", stands for QRadar ID map)
  identifies the new events
  categorizes the new events
  makes the events visible in our Log Activity tab
  enables these events to be searched, correlated, and used in rules and reports

The updates are made available to customers each week through QRadar's Weekly Auto Update process
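The import step described above as an added example (this is not IBM's QIDmap code and not the Palo Alto API's response format): a fetched signature list is compared against the existing map and only unknown threat IDs receive a QID and a severity. The dict layout of the fetched records, the QID numbers and the 1-10 severity scores are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class QidEntry:
    qid: int          # QRadar ID assigned at import time (constructed values)
    threat_id: str    # firewall signature / threat ID
    name: str
    severity: int     # QRadar-style 1-10 severity

# The deck names the five firewall severity classes; the 1-10 scores are assumed.
SEVERITY_SCORE = {"critical": 10, "high": 8, "medium": 5, "low": 3, "informational": 1}

def import_signatures(fetched, qidmap, next_qid):
    """Compare the signature list fetched from the firewall API (`fetched`,
    a list of dicts) with the existing QIDmap (threat_id -> QidEntry).  Only
    unknown threat IDs get a new QID and a severity, so re-running on the
    same data adds nothing.  Returns (updated map, list of new entries)."""
    updated, new_entries = dict(qidmap), []
    for sig in fetched:
        tid = str(sig["id"])
        if tid in updated:
            continue                           # already mapped: leave untouched
        severity = SEVERITY_SCORE.get(str(sig.get("severity", "")).lower(), 1)
        entry = QidEntry(next_qid, tid, sig["name"], severity)
        updated[tid] = entry
        new_entries.append(entry)
        next_qid += 1
    return updated, new_entries

# Constructed sample data: one signature already mapped, two new ones.
EXISTING = {"30001": QidEntry(5000001, "30001", "Old Worm", 8)}
FETCHED = [
    {"id": 30001, "name": "Old Worm", "severity": "high"},
    {"id": 40002, "name": "Keylogger Spyware", "severity": "critical"},
    {"id": 40003, "name": "Port Scan", "severity": "informational"},
]

if __name__ == "__main__":
    updated, added = import_signatures(FETCHED, EXISTING, 5000002)
    for entry in added:
        print(entry)
```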



QRadar and Palo Alto Flow data

QRadar can receive and display Palo Alto Layer 7 data
PA outputs the data in NetFlow v9
Customers would simply need to create a NetFlow flow source in QRadar (which listens on port 2055) and configure their PA device to export the NetFlow records to QRadar

The flows appear in the QRadar Network Activity tab
These become a source for all of the flow-based rules
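To show what a collector listening on UDP 2055 actually has to do with the records the firewall exports, here is an added NetFlow v9 decoder (not QRadar's or Palo Alto's code): it learns templates from template FlowSets and decodes data FlowSets against them, skipping data whose template has not arrived yet. The sample packet is constructed with standard RFC 3954 field types; Palo Alto's own template layout is not assumed.

```python
import struct
from ipaddress import IPv4Address

# RFC 3954 field-type codes used below (standard NetFlow v9, not PA-specific).
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}
def _decode(ftype, raw):
    return str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")

def parse_netflow_v9(packet, templates=None):
    """Parse one NetFlow v9 export packet into flow-record dicts. Template
    FlowSets (ID 0) are remembered in `templates`; data FlowSets (ID >= 256)
    are decoded with them, or skipped if the template has not been seen yet."""
    templates = {} if templates is None else templates
    if struct.unpack("!H", packet[:2])[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, pos = [], 20                        # 20-byte packet header
    while pos + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[pos:pos + 4])
        body = packet[pos + 4:pos + fs_len]
        if fs_id == 0:                           # template FlowSet
            off = 0
            while off + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[off:off + 4])
                off += 4
                templates[tid] = [struct.unpack("!HH", body[off + 4*i:off + 4*i + 4])
                                  for i in range(nfields)]   # (type, length) pairs
                off += 4 * nfields
        elif fs_id >= 256 and fs_id in templates:  # data FlowSet with known template
            fields = templates[fs_id]
            rec_len, off = sum(l for _, l in fields), 0
            while off + rec_len <= len(body):    # trailing bytes are padding
                rec, cur = {}, off
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode(ftype, body[cur:cur + flen])
                    cur += flen
                records.append(rec)
                off += rec_len
        pos += fs_len
    return records, templates

def build_sample_packet():
    """Constructed export packet: one template (ID 256) plus one data record."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    data = (IPv4Address("10.0.0.5").packed + IPv4Address("192.0.2.10").packed
            + struct.pack("!HHBI", 51234, 443, 6, 12345))
    header = struct.pack("!HHIIII", 9, 2, 1000, 1395000000, 1, 0)   # version 9, 2 records
    return (header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(data)) + data)
```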



Two examples of QRadar and PA Firewall use cases

Prevent loss of Personally Identifiable Information
A health care provider running QRadar receives an event from Palo Alto that keylogger malware has been detected on the registration desk laptop. QRadar generates a high-magnitude offense, causing the security operations center to take immediate action.

DoS attack prevented
A large financial services organization receives a SQL Injection event on their on-line banking web server. QRadar generates a high-magnitude offense when the traffic on that server spikes repeatedly over the course of 10 minutes.
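The second use case expressed as correlation logic over a constructed event feed, added here and not taken from the deck or from QRadar's rule engine: a SQL Injection event on a server followed, within 10 minutes, by repeated per-minute traffic samples well above that server's baseline raises one high-magnitude offense. The baseline values, the 3x spike factor and the minimum of three spikes are assumed thresholds.

```python
from datetime import datetime, timedelta

def _t(hhmm):
    return datetime(2014, 3, 1, int(hhmm[:2]), int(hhmm[3:]))

# Constructed sample feed: ("sqli", when, server, None) from the firewall and
# ("traffic", when, server, requests_per_minute) samples from flow data.
EVENTS = [
    ("sqli", _t("10:00"), "203.0.113.20", None),
    ("sqli", _t("10:00"), "198.51.100.7", None),
    ("traffic", _t("10:01"), "203.0.113.20", 450),
    ("traffic", _t("10:02"), "198.51.100.7", 95),
    ("traffic", _t("10:03"), "203.0.113.20", 120),
    ("traffic", _t("10:05"), "203.0.113.20", 500),
    ("traffic", _t("10:08"), "203.0.113.20", 390),
    ("traffic", _t("10:12"), "203.0.113.20", 600),   # outside the 10-minute window
]
# Learned "normal" requests per minute per server (constructed values).
BASELINE = {"203.0.113.20": 100, "198.51.100.7": 100}

def sqli_then_spike_offenses(events, baseline, window=timedelta(minutes=10),
                             spike_factor=3, min_spikes=3):
    """For each SQL-injection event, count traffic samples on the same server
    within `window` that exceed spike_factor x baseline; at least `min_spikes`
    of them yield one high-magnitude offense.  Thresholds are assumptions."""
    offenses = []
    for kind, when, server, _ in events:
        if kind != "sqli":
            continue
        spikes = [t for k, t, s, v in events
                  if k == "traffic" and s == server
                  and when <= t <= when + window
                  and v > spike_factor * baseline.get(server, float("inf"))]
        if len(spikes) >= min_spikes:
            offenses.append({"server": server, "magnitude": "high",
                             "sqli_at": when, "spike_count": len(spikes),
                             "last_spike": max(spikes)})
    return offenses

if __name__ == "__main__":
    for offense in sqli_then_spike_offenses(EVENTS, BASELINE):
        print(offense)
```

A server with no baseline entry never produces an offense, so the rule stays quiet on hosts that have not been profiled yet.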



Future enhancements to the PA Integration

1. Support for PAN-OS 6.0
2. Addition of Custom Properties, useful for searches, rules and reports:
   a) Virus Name
   b) Application
   c) Policy
   d) Filename
   e) Duration (seconds)
   f) URL
   g) Traffic Classification
   h) Traffic Type
   i) Criticality Rating
3. Support for Palo Alto WildFire
