QRadar Multiple Address Domain and Shared Infrastructure (v3)

Uploaded by secua369

IBM Security Systems

QRadar Multi-Tenanted and MSSP


Solution Overview

Feb, 2015

1 © 2015 IBM Corporation


IBM Confidential © 2012 IBM Corporation

Disclaimer

IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.

Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.

The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.


Overview

 Many organizations have overlapping IP address spaces and multiple QRadar systems deployed based on business requirements and in-country compliance requirements
 MSSPs and organizations with shared infrastructure
– Characterised by multiple companies/departments accessing a single service
– Requirement to restrict access to other companies'/departments' event data
– Infrastructure requires both multi-tenanted and single-tenanted solutions


Multi-Tenant, MSSP and Multi Region Solutions (2014-2015)

Flexible options based on customer size and requirements

• Master console
• Single monitoring and management console for multiple consoles
• Multi-tenant capability
• Overlapping IP support, Address Domains, Security

[Diagram: Master Console (single offense view, system health, content management) used by a Regional NOC / SOC Team to monitor Network A, Network B, Network C, Network D and Network E]


Master Console – Single view and management of 100s of QRadar Systems

7.2.5
• Centralized health view and system monitoring

7.2.5 +
• Centralized offense view and management
• Content Management
• Log Source Management
• Rules
• Reports
• Saved Searches
• Dashboards
• User Accounts
• Federated Search
• Seat Management


An Example Multi-tenanted QRadar Deployment

[Diagram: a central Console with Processors + Data Nodes; Customer/Unit/Region A and Customer/Unit/Region B each with Local Collectors, connected over VPN to Shared Services, which have Collectors for services Y and Z]

Example deployment overview

 A single managed SIEM service monitoring 3 networks
– 2 customer networks
– 1 shared service network
• Services Y and Z are shared between the two customers
• Service X is only for customer B
– Customers access the shared services via a VPN connection
– The address space between the networks is not unique (i.e. the same IP addresses exist in more than one network)
 The managed SIEM service is
– Providing compliance/usage/security reports and alerts to customers
– Providing portal access


Phase One - QRadar 7.2.3 – August 2014

• Domain definition and tagging for events
• Search and filtering


QRadar Domains - Simple and Flexible


 Domain definition based on a wide variety of parameters:
• Custom Property Value (RegEx)
• Log Source/Log Source Group
• Event Collector
 Centralized UI provides a single point of configuration for all Domain information
 Quick visualization of all configured Domains


Shared QRadar Infrastructure – Custom Property Values


 Domains defined based on custom property values (regex)
 Enables segmentation of shared infrastructure such as IDS/IDP systems
 Based on QRadar Reference Data Collections and can be easily manipulated through QRadar RESTful APIs

[Diagram: Client A and Client B, each with an Event Collector, a shared IDS log source (LS), an Event Collector/Processor and the Console; sample events from the shared IDS:]

14/01/2013 10:39 user= chris action=edit sourceip=10.0.2.31 destip=10.0.1.10
14/01/2013 10:41 user=john action=delete sourceip=10.0.2.32 destip=10.0.1.10
14/01/2013 11:41 user=chris action=edit sourceip=10.0.2.32 destip=10.0.1.10


Shared QRadar Infrastructure – Log Source Separation


 Domains defined at the log source or log source group level
 Enables the use of shared QRadar infrastructure for multi-domain collection

[Diagram: Client A and Client B, each with an Event Collector and its own log sources (LS), feeding a shared Event Collector/Processor and Console]


Dedicated Event Collection

 Domains contain dedicated Event Collectors
 Future proof – easily grow collection needs without complex reconfiguration
 Dedicated workload – ideal MSS service offering format

[Diagram: Client A and Client B each with a dedicated Event Collector, feeding a shared Event Processor and Console]


Domain Data Available in QRadar


Phase Two - QRadar 7.2.4 – November 2014

• Domain definition for flows
• Network hierarchy
• Correlation engine


Domain Definition: By Flow Collector or Source


Network hierarchy – Address domain support

 Network hierarchy nodes are assigned a domain
 Overlapping IP addresses can be defined in different hierarchy nodes with different domains
 IP addresses in Events and Flows are automatically associated with the correct network hierarchy


Domain support in rules

 Correlation engine automatically recognizes domains
 E.g. won’t correlate the same IP addresses from different domains
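The domain tagging (by log source and by custom-property regex), the domain-aware network hierarchy lookup and the domain-aware correlation described on the slides above, as an added Python model; this is not IBM's code or QRadar's implementation, and the log source names, the sensor= field, the domain names and the hierarchy ranges are assumptions:

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample events in the format shown on the slide. The log source names,
# the "sensor=" field and the domain names are assumptions, not QRadar configuration.
RAW_EVENTS = [
    ("ids-shared", "14/01/2013 10:39 sensor=A user=chris action=edit sourceip=10.0.2.31 destip=10.0.1.10"),
    ("ids-shared", "14/01/2013 10:41 sensor=B user=john action=delete sourceip=10.0.2.31 destip=10.0.1.10"),
    ("fw-clientA", "14/01/2013 11:41 user=chris action=edit sourceip=10.0.2.31 destip=10.0.1.10"),
]
# Domain by log source (log source separation) and by custom-property regex (shared IDS).
LOG_SOURCE_DOMAIN = {"fw-clientA": "ClientA", "fw-clientB": "ClientB"}
CUSTOM_PROPERTY_RULES = [("ids-shared", re.compile(r"\bsensor=A\b"), "ClientA"),
                         ("ids-shared", re.compile(r"\bsensor=B\b"), "ClientB")]
# Network hierarchy nodes carry a domain, so the same range can exist in both tenants.
NETWORK_HIERARCHY = [("ClientA", ipaddress.ip_network("10.0.2.0/24"), "ClientA.Users"),
                     ("ClientB", ipaddress.ip_network("10.0.2.0/24"), "ClientB.Users"),
                     ("ClientA", ipaddress.ip_network("10.0.1.0/24"), "ClientA.Shared")]
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def assign_domain(log_source, raw):
    """Log source mapping wins; otherwise the first matching custom-property regex; else Default."""
    if log_source in LOG_SOURCE_DOMAIN:
        return LOG_SOURCE_DOMAIN[log_source]
    for source, pattern, domain in CUSTOM_PROPERTY_RULES:
        if source == log_source and pattern.search(raw):
            return domain
    return "Default"

def hierarchy_node(domain, ip):
    """Look an IP up only among hierarchy nodes that belong to the event's domain."""
    addr = ipaddress.ip_address(ip)
    for node_domain, net, name in NETWORK_HIERARCHY:
        if node_domain == domain and addr in net:
            return name
    return "other"

def tag_event(log_source, raw):
    fields = dict(FIELD_RE.findall(raw))
    fields["domain"] = assign_domain(log_source, raw)
    fields["source_node"] = hierarchy_node(fields["domain"], fields["sourceip"])
    return fields

def shared_ip_users(events, domain_aware):
    """Rule: one source IP used by 2+ distinct users; the key includes the domain when domain_aware."""
    users = defaultdict(set)
    for ev in events:
        key = (ev["domain"], ev["sourceip"]) if domain_aware else ev["sourceip"]
        users[key].add(ev["user"])
    return {k for k, u in users.items() if len(u) >= 2}
```

Run with `domain_aware=False` the rule fires on 10.0.2.31 because two tenants' users share that address; with `domain_aware=True` it stays silent, which is the behaviour the correlation slide describes.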


Phase Three - QRadar 7.2.5 – May 2015

• Security profile
• Asset Profiling
• Offenses
• Vulnerability management


Security Profile Domain Support

 Security Profile can be restricted to one or more domains
 Security Profile will restrict access to flows, events, assets, and offenses based on domain


Offense Domain Support

 Domain information carried all the way through to offenses


Asset model Domain Support

 Each asset is assigned a domain
 Assets can have overlapping IP addresses


Vulnerability Manager

 Scanners are mapped to a domain
 Each scan result is associated with a single domain
 Scan results map to assets in the correct domain in the asset model


Summary

 First phase has been delivered in 7.2.3
 No major re-architecting of QRadar
 Builds on existing QRadar functionality
– Security Profile
• Currently supports log source and network; domain support is being added
– Asset Model
• Since 7.2, each asset is uniquely identified with its own unique ID (not IP)


ibm.com/security

© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
