IT security teams have a tough job. While organizations depend upon Internet access to conduct business, security teams are responsible for safeguarding these communications and transactions from those who wish to profit by stealing intellectual property, customer private data or even just encrypting your data and demanding a ransom for its safe recovery. There are a number of tools available to monitor log events, network flows, and packet captures, but most of these are performing after-the-fact analysis. That can make it easy for the bad guys to hide out on your network. IBM QRadar Network Insights (QNI) uses innovative network threat analytics to identify malicious content – including those hidden in data transmissions, SSL certificate violations, protocol obfuscation, file tags, and suspicious network flows – and then pieces together those indicators of attack to provide security teams with real-time alerts. These alerts help organizations detect attacks that are in progress, as well as determine what damage may have already been inflicted. View this on-demand webinar to learn how QRadar Network Insights can: Remove network blind spots and reduce complexities in log data to reveal previously hidden threats and malicious behaviors; Record application activities, capture file metadata and artifacts, and identify assets, applications and users participating in network communications; Reduce the impact of threats associated with malware, phishing emails, data exfiltration, and the lateral network movements of advanced attacks.

1. Nowhere to Hide:
Expose Threats in Real-time with
IBM QRadar Network Insights
November 16, 2016
Jay Bretzmann, QRadar Portfolio Marketing
Tom Obremski, QRadar Offering Management
Peter Szczepankiewicz, QRadar Offering Management

2. 2
Today’s speakers
Jay Bretzmann
QRadar Portfolio Marketing
Tom Obremski
QRadar Offering Management
Peter Szczepankiewicz
QRadar Offering Management

3. 3
Agenda
• Introduction
• QRadar overview
• Today’s cyber security challenges
• QRadar Network Insights
• Demo
• Questions and Answers

4. 4
Agenda
• Introduction
• QRadar overview
• Today’s cyber security challenges
• QRadar Network Insights
• Demo
• Questions and Answers

5. 5
IBM QRadar Security Intelligence Platform
Malware and APT Insider threat
Risk and
Vulnerabilities
Incident
Response
Compliance
Reporting
Securing Cloud

6. 6
QRadar Sense Analytics™
Quickly and easily
detects Insider
Threats, Malicious
Behaviors, Malware,
and Risks
Sense Analytics helps:
 Quickly identify Insider threats, malware, APT and other
abnormal behavior
 Simplify and reduce incident analysis effort through
automatic identification and relating of abnormal activities
 Uncover risks though automatic discovery and behavioral
profiling of devices, users, assets and applications
 Enable rapid time to value with automated security data
discovery and classification, and integrated network and end
point scanning
 Stay ahead of attacks with automatic updates of threats,
vulnerabilities and new security use cases on the IBM App
Exchange

7. 7
Agenda
• Introduction
• QRadar overview
• Today’s cyber security challenges
• QRadar Network Insights
• Demo
• Questions and Answers

8. 8 IBM Security
Today’s Challenges: Why are they so hard to solve?
Advanced Threats: greater
sophistication & improved stealth
Real-time threat detection lacks
the necessary security context
Real time visibility of network
context and numbers of false
positive alerts
• Threats hide in normal application
traffic, DNS, web, email, file transfers
• Malicious actors are stealthy, making
lateral movements and exfiltrate data
• Current logs & flows don’t provide
consistent visibility across the
threat lifecycle
• PCAP data is expensive primarily
used for post incident forensics
analysis
• Over-sensitive tools creating too
many false positives
• Lack of infrastructure and
communication context to improve
threat detection accuracy
Advanced threats | Phishing e-mails | Malware | Data exfiltration | Compliance gaps | DNS abuse

9. 9
Agenda
• Introduction
• QRadar overview
• Today’s cyber security challenges
• QRadar Network Insights
• Demo
• Questions and Answers

10. 10 IBM Security
Today’s Exciting News!
Announcing NEW IBM QRadar Network Insights (QNI)
• Innovative network analytics solution that will
quickly and easily detect insider threats, data
exfiltration and malware activity
• Logs and network flow data not providing
enough visibility
• Records application activities, captures artifacts,
and identifies assets, applications and users
participating in network communications
• Configurable analysis from network traffic for
real time threat detection and long-term
retrospective analysis
• New Appliance with out-of-the-box content on
the App Exchange for fast time to value and best
practices

11. 11 IBM Security
IBM QRadar Network Insights – Leaves nowhere to hide
Innovative network threat
analytics
Improved threat detection Long-term retrospective
analysis
• Essential threat indicators
gathered from network traffic
in real-time
• Threats are hunted and traced
with full visibility of network
traffic
• Threats are qualified by
correlating network insights with
logs from security devices
• Discovered devices, users,
application cataloged for
improved context
• Activities relating to applications,
assets, artifacts and users can be
collected selectively
• Hidden risks and threats revealed
through historical analysis
employing latest intelligence

12. 12 IBM Security
Providing complete coverage and threat detection
Network Tap
QRadar
QRadar
Network
Insights
QRadar Incident
Forensics
QRadar
Network
Packet
Capture
Incident Detection
& Qualification
Root Cause
Analysis
QRadar
Processors
Endpoint Network Cloud
IBM AND BP INTERNAL USE ONLY

13. 13 IBM Security
QRadar QNI – Completing the picture
• What is out there ?
• Who is talking to whom ?
• What files and data are being
exchanged ?
• Do they look malicious ?
• Do they contain any important or
sensitive data ?
• Is this malicious application use ?
• Is this new threat on my network ?
• If so, it where is it and what did it
do ?
Filling in the important gaps
BASIC
ENRICHED
ADVANCED

14. 14 IBM Security
Covering the threat lifecycle: Phishing
Phishing works
“95 percent of all attacks on enterprise networks
are the result of successful spear phishing.”
- SANS Institute
Detect phishing e-mails before
users have a chance to open them
Detect and extract suspicious e-mail subject
lines, content and attachments helping QRadar
detect attacks before users access their inbox.
Someone fell for it… again
Quickly determine who was phished, how they
responded, and who is compromised.
Email
field
analysis
Invalid
certificate
detection
E-mail
subject lines
Anomalous
DNS
lookups
Hunting
for others
who received
the e-mail
Embedded
scripts in
attachments
BASIC
ENRICHED
ADVANCED

15. 15 IBM Security
Finds Insider Threats
Exposure to Insider Risk
“55% of all attacks were carried out by
malicious insiders or inadvertent inside actors.”
- IBM 2015 Cyber Security Intelligence Index
“Insider risk can be more than a threat to IT
systems or data loss – it can result in physical
harm or sabotage.”
- Carnegie Mellon SEI
Enhances QRadar/UBA for unique
insider threat detection
Identify unapproved web browsing or searches,
Recognize access of risky or suspicious
domains, trace activities following anomalous
behaviors, resolve aliases and privileged
identities triggered by suspicious content,
seamlessly feeding QRadar UBA
Internet
bound
data
Anomalous
DNS
queries
Interaction
with
malicious
sources
E-mail
subject
lines
Abormal
crown jewel
comms amd
transfer
PI data
detection
Who is
talking to
whom
Web Site
content
Email
content
BASIC
ENRICHED
ADVANCED

16. 16 IBM Security
Key use example: All customers care about data exfiltration
Secrets being exposed
“50% of organizations believe they have
regular confidential data leakage”
- Enterprise Management Associates
My proprietary data was
posted where?!?
Uncover sensitive data leaving the
network via e-mail, chat messages, files or
social media in real time. Knowledge of
these transfers helps QRadar differentiate
authorized vs. unauthorized actions
speeding incident response.
Detect
credit
card data
Abnormal
DNS
payload
What
user IDs
where
used
Detect PI
data in
flight
Excessive
file
transfers
Detect
watermarks
and
confidential
branding
Where did
the file go
Capture
file
properties
Other
suspect
content
Hunting
for what
else was
exfiltrated
BASIC
ENRICHED
ADVANCED

17. 17 IBM Security
Take your threat detection and risk visibility to new levels
• Quickly and easily discovers insider threats, malware and APTs
• Uncovers hidden risks with automatic visibility of devices, users and applications
• Seamlessly integrated with QRadar lowering costs and increasing threat detection
accuracy
• Easily scales from the smallest to largest network as you grow

18. 18
Agenda
• Introduction
• QRadar overview
• Today’s cyber security challenges
• QRadar Network Insights
• Demo
• Questions and Answers

19. 19
All Originating Email Users

20. 20
Drill down. All Email Sent with attachments

21. 21
Email Senders – Pivot. Analyze. Drill into one email sender

22. 22
File Integrity Hashes

23. 23
Anomaly Incident – Pervasive File

24. 24
Another Example
Begin with a Chained Incident – Phishing and Lateral Movement

25. 25
Where did the attacker hop to?

26. 26
Who sent the phishing email?

27. 27
What was the email attachment?

28. 28
Who else received the same phishing email?

29. Questions and Answers
IBM QRADAR NETWORK INSIGHTS

30. ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
FOLLOW US ON:
THANK YOU

31. Additional Use Cases
IBM QRADAR NETWORK INSIGHTS

32. 32 IBM Security
Covering the threat lifecycle: Malware detection and analysis
Malware is pervasive
“600%+ increase in attachment-based
versus URL delivered malware attacks
from mid 2014 to 2015”
- Proofpoint
“50% increase in email attacks where
macros are the method of infection”
- Clearswift.com
No file goes unnoticed
QRadar Network Insights knows the details of
every file; from the file name, type, entropy,
embedded scripts and file hash to where it
came from and where it was sent.
With QRadar and Threat Intelligence from
X-Force Exchange, it becomes clear when
malware have evaded detection.
Suspect
content
detection
Talking with
malicious
sources
DNS
system
abuse
File type
mismatch
File hash
threat
intelligence
correlation
Embedded
script
detection
Hunting
for where
it went
Pluggable
malware
signatures
BASIC
ENRICHED
ADVANCED

33. 33 IBM Security
Discover what is out there
Uncover what is being used
“50% of organizations don’t know what
they’ve deployed or are using”
Discover the unknown
Automatically discover assets, devices,
servers, services, applications, users,
internet services. Drives improved threat
detection, security and compliance
Detect
credit
card data
Discover
shadow
IT
Find web
apps and
database
Detect
watermarks
and
confidential
branding
Identify
assets
Capture
file
properties
Recognize
services
Discover
services
BASIC
ENRICHED
ADVANCED

34. 34 IBM Security
Improved threat detection with additional context
Reduce the work with better
accuracy
“42% of organizations don’t process a
significant number of alerts”
- ESG research
Too much noise
Lack of important context and results in
security teams being plagued with false
positives. Identifying what assets, devices,
users and applications are on the network
and understanding their behavior patterns,
when analyzed with event data in QRadar
can significantly improve the accuracy of
alerts based on what appears to be
anomalous behaviors
Find web
apps and
db
servers
Discover and
catalogue
servers
Understand
data flow
direction
Discover
services
Record
data
flow
volumes
Evaluate
reputation
Reveal web
Categories
Baseline
normal
behavior
Highlight
sensitive
data
BASIC
ENRICHED
ADVANCED

35. 35 IBM Security
Zero-day threat detection
Rate of new Zero-Day
threats are increasing
“Zero-Day Discoveries A Once-A-Week
Habit”
- Dark Reading
Detect what others miss
Traditional means of detection and
prevention may be blind to new zero-day
attacks, but QRadar Network Insights can
help identify the symptoms to enable
timely detection and remediation.
Application
HTTP
headers
IP
Reputation
New
Connections Beaconing
Baseline
normal
behavior
DNS
Flow
Duration
BASIC
ENRICHED
ADVANCED

36. 36 IBM Security
Managing social media risk
Social media is becoming a
favored tool for attacks
“160,000 Facebook pages are hacked a
day”
- New York Post
Social media is important but
risky for businesses
Whether threat actors use it for phishing, a
channel to distribute malware, or to gain
identity or passwords information, social media
usage (whether sanctioned or not) poses a
threat to businesses.
Personal use of social media can easily cross
boundaries that compromise your company’s
reputation, your assets and your customers.
Real-time contextual content analysis is key
for detect usage that has simply gone too far.
Application
Content
and
Context
Phishing
Detection
URLs Malware
Detection
Usage
vs.
Policy
Detect
sensitive
data
BASIC
ENRICHED
ADVANCED