Total Integrated Security Solution
Fabien Broillet – Technical Director, [email protected]
IT Security Intelligence with QRadar
[email protected] www.eb-qual.ch
What is Security Intelligence?
3
Security Intelligence provides actionable and comprehensive insight for
managing risks and threats from protection and detection through remediation
QRadar Vulnerability Manager
Strengthened by integrated vulnerability insights
19
QRadar Customer Concrete Case …
Only web servers as targeted IPs!
26
QRadar Customer Concrete Case …
Let’s have a look at a specific targeted web server …
27
Remote Web Scanner Detected
When an event matches any of these CategoryDefinition:
    Recon Events
    Suspicious Events
with the same source IP more than 5 times, across more than 59 dest. IP within 10 minutes
When the context is:
    Remote to Local
    Remote to Remote
When a flow or an event matches any of the following PortDefinition:
    Web Ports
Reports a remote host attempting reconnaissance or suspicious connections on common local web server ports to more than 60 hosts in 10 minutes.
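The Remote Web Scanner Detected rule above, as an added Python example that is not part of the original deck or of QRadar itself: it applies the slide's test conditions (Recon/Suspicious category, web port, remote source, more than 5 events across more than 59 distinct destination IPs inside a sliding 10-minute window) to constructed events. The contents of the building blocks (CATEGORIES, WEB_PORTS, LOCAL_NETS) are assumptions, since the slide only names them.

```python
import ipaddress
from collections import defaultdict

# Assumed contents of the building blocks the slide only names
# (QRadar's real definitions are larger); constructed for this example.
CATEGORIES = {"Recon", "Suspicious"}          # CategoryDefinition: Recon/Suspicious Events
WEB_PORTS = {80, 443, 8080, 8443}              # PortDefinition: Web Ports
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.0.0/16")]
WINDOW_SECONDS = 600    # "within 10 minutes"
MIN_EVENTS = 5          # "more than 5 times"
MIN_DEST_IPS = 59       # "across more than 59 dest. IP"

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def detect_remote_web_scanner(events):
    """events: (ts_seconds, src_ip, dst_ip, dst_port, category) tuples.
    Returns the set of source IPs that satisfy the rule in some 10-minute window."""
    per_src = defaultdict(list)
    for ts, src, dst, port, cat in events:
        # Context "Remote to Local" or "Remote to Remote": the source must be remote.
        if cat not in CATEGORIES or port not in WEB_PORTS or is_local(src):
            continue
        per_src[src].append((ts, dst))
    hits = set()
    for src, items in per_src.items():
        items.sort()
        start = 0
        for end in range(len(items)):          # sliding 10-minute window
            while items[end][0] - items[start][0] > WINDOW_SECONDS:
                start += 1
            window = items[start:end + 1]
            if len(window) > MIN_EVENTS and len({d for _, d in window}) > MIN_DEST_IPS:
                hits.add(src)
                break
    return hits

def sample_events():
    """Constructed sample traffic: a fast sweep, a slow sweep (too few hosts per
    10 minutes), a single-target prober and an internal scanner (fails the context test)."""
    ev = [(i * 6, "203.0.113.7", f"10.1.2.{i + 1}", 80, "Recon") for i in range(70)]
    ev += [(i * 120, "192.0.2.5", f"10.1.3.{i + 1}", 443, "Recon") for i in range(70)]
    ev += [(i * 10, "198.51.100.9", "10.1.2.1", 443, "Suspicious") for i in range(20)]
    ev += [(i * 6, "10.9.9.9", f"10.1.2.{i + 1}", 80, "Recon") for i in range(70)]
    return ev

if __name__ == "__main__":
    print(detect_remote_web_scanner(sample_events()))   # {'203.0.113.7'}
```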
QRadar Customer Concrete Case …
31
Exploit/Malware Event Across Multiple Destinations
NOT when an event matches any of the following Exploit:
    Destination Vulnerable to Detected Exploit on a Different Port
When an event matches any of these CategoryDefinition:
    Exploits
    Backdoors
    Trojans
with the same source IP more than 5 times, across more than 5 destination IP within 5 minutes
Reports a source IP address generating multiple (at least 5) exploit or malicious software (malware) events in the last 5 minutes. These events are not targeting hosts that are vulnerable and may indicate false positives generated by a device.
QRadar Customer Concrete Case …
33
Exploit Attempt Proceeded by Recon
When all of these ReconDetected:
    All Recon Rules
When all of these CategoryDefinition:
    Exploits
    Backdoors
    Trojans
from the same source IP to the same destination port, over 1 hour
Reports reconnaissance followed by an exploit from the same source IP address to the same destination port within 1 hour.
QRadar Customer Concrete Case …
34
Main Challenge completed!
35
Many heterogeneous & unstructured data …
Main Challenge completed!
36
Keeping resources & effort on key elements
In Conclusion
QRadar leverages our logs to detect major incidents, but…
QRadar leverages open services to be even more accurate.
    What to do if we have no idea about the services present in an Offense raised by the system?
    Consider collecting network flows through the QFlow collector!
QRadar leverages present vulnerabilities to be even more accurate.
    What to do if we have no idea about the vulnerabilities present in an Offense raised by the system?
    Consider collecting vulnerability posture through QRadar Vulnerability Manager.
QRadar leverages Geo location & IP reputation to be more useful.
    Consider having powerful services like IBM Security Intelligence Feeds.
37
THANK YOU
Fabien Broillet
Technical Director
eb-Qual AG
Oberfeldstrasse 20
8302 Kloten
Tel. 043 211 47 20
Fax 043 211 47 29