Demo Script L1 CP4S DataBreach

Cloud Pak for Security – Data Breach Demo
On the landing page for CP4S, across the top are the integrated applications. We have many different
ways to find threats.
We have our Data Explorer federated search engine, which lets you search for any indicator of
compromise across all of your application logs and existing security applications.
We have User Behavior Analytics, powered by QRadar, that looks at user behavior: are users doing risky
things? If so, you need to act on it.
We have Threat Intelligence Insights, which takes the feeds from your security subscriptions, such as IBM
X-Force or AlienVault, looks for those indicators of compromise in your environment, and shows you whether
you are affected.
We also have Risk Manager, which looks at your data, tells you how at risk that patient database or your
customer database is, and gives you guidance on how to protect yourself from a data
breach.
All of this information is integrated into our SOAR product, Case Manager, so that if you find threats
from Data Explorer, User Behavior Analytics or Threat Intelligence Insights, a case is created. The
indicators that were found, the artifacts, are added to the case automatically, and workflows and
tasks are kicked off, so everything your team needs to start working the threat is in one
spot: the case.
IBM® QRadar® User Behavior Analytics (UBA) is a tool for detecting insider threats in the customer’s
organization. UBA, used in conjunction with the existing data in the customer’s QRadar system, can help
customers generate new insights around users and user risk.
The UBA Overview page shows you the overall risk data for users in your network and details for the
selected user.
On the UBA screen, talk about everything you are looking at: how cases are created from
offenses, watch lists, and so on.
Then click on user Bill to investigate.
Here you can view UBA and the events and rules that made Bill stand out. Hit the “+” to expand them.
Then hit "-" to collapse them, and go into the case by clicking on the case number.
You are brought into the case; click on Tasks.
Then talk about how workflows were kicked off and part of the mitigation is already done. Then click on
the Artifacts tab.
Talk about how QRadar automatically added the artifacts. Then click on the hash to show how Threat
Intelligence Insights (TII) flagged a couple of the artifacts in red as known external threats.
View Third party threat feeds.
Then go to the QRadar tab to show how Case Manager pulled in all of the QRadar information.
You can see other information, such as the first ten events of the QRadar offense, by scrolling down. You
can also see the rules that contributed to this offense, the destination and source IPs, categories, and
assets.
Scroll down to the IP address and across to show that you can add artifacts from this page to the case
artifacts as needed.
Click on the Actions pull-down, then Workflow Status, to show which workflows were run automatically
as part of the playbook.
Talk about the QRadar tasks that were run and the integrations with ServiceNow and AWS. Watch the video for
detail on what to say here. When done, click on the X to close it.
Click on the three dots to run a Data Explorer (DE) search on our database IP address.
When the result set comes back, point out that there are a lot of results; scroll down and show that the
first result is from QRadar and the next from Guardium, and how CP4S brought them all into one single pane of glass.
Click on analytics to show how the built-in analytics can help you know what to look at in the result set.
Point out that Bill has a lot of entries in the log, then click on the pull-down to pivot the analytics on
that detail.
Look for outliers in the data, such as the select * from creditcard query that was run. Hover over the select
box and it pops up.
Turn off analytics so we can filter the results based on what we learned from the analytics.
Click in the search box and type cred; this starts the search against all the records. Then check
the box for select * from creditcard to go from 4.5K results to 16.
Filter on username bill to take the result set down to 2.
Expand the result to show that we can see from Guardium that a query was attempted from the
external IP address against the credit card database, but it was deemed a policy violation (433128) and
Guardium blocked it. We want to share this back with the team, so click on the Case Manager button to
add it to our case.
Click to add the title and description, pick the case, then click Add Artifact.
To run any AQL query against QRadar, click Expand in the top right, then AQL, then click Run Query.
Click to expand the result set, then click on the Case Manager icon to add this artifact to the case.
Same as last time: fill in the name and description, pick the case, then click Add Artifact.
Then click on link to go to the case.
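As an added example (not part of the demo script, and not the query shown in the video), this is the kind of AQL query you could run at the Run Query step to pull the QRadar events for user bill against the database that Data Explorer surfaced. The database IP address 10.10.20.5 is a placeholder, and matching the payload on "creditcard" is an assumption based on the Guardium result seen earlier; adjust both to your own environment.

```sql
-- Added example AQL query (not from the original demo script).
-- Assumptions: the credit card database is at 10.10.20.5 (placeholder),
-- the user of interest is 'bill', and the raw payload mentions 'creditcard'.
SELECT
    starttime,
    sourceip,
    destinationip,
    username,
    QIDNAME(qid) AS event_name,
    LOGSOURCENAME(logsourceid) AS log_source,
    UTF8(payload) AS payload
FROM events
WHERE destinationip = '10.10.20.5'          -- the database host (placeholder)
  AND username = 'bill'                     -- the user UBA flagged
  AND UTF8(payload) ILIKE '%creditcard%'    -- narrow to the sensitive table
ORDER BY starttime DESC
LIMIT 100
LAST 24 HOURS
```

The time clause (LAST 24 HOURS) comes last in AQL, after any ORDER BY and LIMIT. Widen the window or drop the payload filter first if you get no rows; the username and destination IP filters are what keep the result set small enough to add to the case as a single artifact.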
If you want to look at the credit card artifact we added from Guardium, you can click on it.
We did not have a breach in our example because Guardium did its job. But what if there had been a breach?
Click on the breach tab to show off the new privacy module for case manager.
Hit Edit to fill out the information on the breach.
Click on each pull-down to add the correct information.
Click on contact information
Click on credit card
Check California, New Jersey and New York for where we lost data.
Scroll back to the top and click save
New tasks should appear; click Close, then go back to the Tasks tab to see them.
The tasks were added automatically, and you can see that due dates were assigned that meet those states' laws.
Let’s drill into the NJ state one.
You can see the contact information and what to do. You can click on the source tab to drill in even
closer.
Let's now go back to the Tasks tab and see that there is a task for us to assess our database security
with the new Risk Manager.
The Risk Manager (Preview) application is in Preview mode in Cloud Pak for Security 1.7.0.
Risk Manager (Preview) provides early visibility into potential security risks by correlating insights from
multiple vectors so that you can prioritize risks to take appropriate remedial actions.
Risk Manager (Preview) is primarily intended for use by security business leaders and security analysts,
but anyone in the security space can gain value from using this application.
Dashboard provides a unified view of disparate risk metrics from multiple sources and multiple vectors
of security to get a high-level overview of the risk posture of an organization.
It provides a two-dimensional heat map representation of critical security risk areas of an organization.
A risk area is a logical group of threats of a similar nature.
The X-axis represents probability or likelihood of a risk area that is happening.
The Y-axis tracks potential impacts to the business.
The heat map helps you quantify your organization's most critical 10 - 15 security risk areas that might
need focus.
The Risk Manager bubbles show the risk: the farther to the right and the higher up, the greater the risk. You can
see we are at high risk for data loss. Click Analyze.
Risk Manager analysis shows you are at risk from large outbound data transfers.
Click on risk trends to see how you are doing over time protecting your data.
You can see we are getting worse over time. Click on Resistance to see what the vulnerabilities are.
You can see that the Guardium and QRadar data sources are being used to evaluate risk in our environment.
You can see the number of critical, major, minor, etc. risks.
Click on Manage Inventory to see which databases are most at risk.
We are interested in the Oracle credit card database, so click the pull-down and click on Oracle.
You can see the recommendations of things to change to make your data more secure
Now click on the home page to go back to the beginning.
Thanks!!!
Betala R. Shanbhag
Beshanb1@in.ibm.com