Solution Brief for Damballa Failsafe

IBM Security QRadar SIEM and Damballa Failsafe
IBM QRadar Security Intelligence Platform integrates with Damballa Failsafe to help
customers with their most challenging use cases.
QRadar SIEM provides
• Integrated log, threat, compliance management
• Asset profiling and flow analytics
• Offense management and workflow
QRadar SIEM allows single-pane troubleshooting of issues to create a Security
Operations Center. Its powerful rules engine correlates data, detects anomalies and
generates a manageable list of the highest-priority risks requiring forensic investigation
and remediation. QRadar SIEM derives value by working with best-of-breed products.
Damballa Failsafe provides QRadar with a rich source of contextual data that can be
correlated with other data sources and used by our out-of-the-box rules and reports. Here
are some real-world examples of combining these products:
Today’s threats evolve constantly. Prevention tools, like anti-virus, firewalls and
sandboxes, can’t stop infections they haven’t seen before. Damballa Failsafe fills the gap
between failed prevention and your incident response. Damballa Failsafe is an automatic
breach defense system that detects successful infections with certainty, terminates their
activity and gives responders the ammunition needed to rapidly prevent loss.
The following use cases are examples of how QRadar can leverage the value of Failsafe,
in which customers have already invested and which they have deployed throughout their infrastructure.
IBM Security QRadar and Cisco combine to enable customers to reach compliance and
security goals, and reduce the risk and severity of security breaches.
1. Identify infected devices with certainty
One of the region’s top 10 banks is running Damballa Failsafe and IBM Security
QRadar SIEM. Failsafe sends QRadar an event confirming that a malicious file
was executed on one of the bank’s on-line banking servers. QRadar sees that the
server is one of the bank’s critical assets. QRadar immediately sends an alert to
the bank’s incident response team member responsible for the host, notifying
them that a magnitude 10 offense occurred. That individual takes action to clean
the infected host.
2. Prioritize remediation based on the highest risk devices
A leading retailer’s QRadar SIEM receives Failsafe events indicating that
multiple hosts receiving POS data have connected to a Command and Control
server. At the same time, QRadar sees network traffic showing that these hosts are
exhibiting behavior indicative of automated activity and have issued an HTTP request
to a potentially harmful site. QVM shows that 2 of these hosts have vulnerabilities.
QRadar generates an offense and the retailer’s SOC analyst knows that those 2
hosts must be patched immediately.
3. Reduce magnitude of offense due to remediation
QRadar running at a mid-sized manufacturing company receives a Failsafe event
at 2:00 am indicating that the server hosting its new product plans has been infected by
malware. QRadar sends an email to the security analyst. An hour later, Failsafe
reports that the asset has been remediated. QRadar reduces the magnitude of the
offense and sends another email to the analyst so they are aware that no action is
required.
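The three use cases above boil down to one correlation step: take a Failsafe event, enrich it with what the SIEM already knows about the host (asset criticality, scanner findings, corroborating flows), and raise or lower the offense magnitude accordingly. The sketch below is an added example and is not QRadar's rule engine or Damballa's event format; the event types, host addresses, asset lists and magnitude arithmetic are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed context a SIEM would already hold about the environment:
CRITICAL_ASSETS = {"10.0.1.5"}      # e.g. the online-banking server (use case 1)
VULNERABLE_HOSTS = {"10.0.2.11"}    # hosts a vulnerability scanner flagged (use case 2)


@dataclass
class Offense:
    host: str
    magnitude: int                  # 1..10, higher means more urgent
    actions: list = field(default_factory=list)


def _bump(off, delta, why):
    """Adjust magnitude within 1..10 and record the reason."""
    off.magnitude = max(1, min(10, off.magnitude + delta))
    off.actions.append(why)


def correlate(events):
    """Fold a stream of constructed Failsafe/flow events into per-host offenses."""
    offenses = {}
    for ev in events:
        host = ev["host"]
        off = offenses.get(host)
        if ev["type"] == "malware_executed":              # use case 1
            base = 10 if host in CRITICAL_ASSETS else 6
            offenses[host] = Offense(host, base, ["alert host owner: confirmed infection"])
        elif ev["type"] == "c2_connection":               # use case 2
            off = offenses.setdefault(host, Offense(host, 7, ["confirmed C2 contact"]))
            if host in VULNERABLE_HOSTS:
                _bump(off, 2, "patch immediately: host is vulnerable")
        elif ev["type"] == "suspicious_http" and off:     # flow data corroborates the infection
            _bump(off, 1, "corroborated by network flow")
        elif ev["type"] == "remediated" and off:          # use case 3
            off.magnitude = 1
            off.actions.append("remediated: no action required")
    return offenses


SAMPLE_EVENTS = [  # constructed sample stream, not real Failsafe output
    {"type": "malware_executed", "host": "10.0.1.5"},
    {"type": "c2_connection", "host": "10.0.2.11"},
    {"type": "c2_connection", "host": "10.0.2.12"},
    {"type": "suspicious_http", "host": "10.0.2.11"},
    {"type": "suspicious_http", "host": "10.0.2.12"},
    {"type": "remediated", "host": "10.0.1.5"},
]

if __name__ == "__main__":
    for host, off in sorted(correlate(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1].magnitude):
        print(host, off.magnitude, "; ".join(off.actions))
```

Running it ranks the vulnerable POS host first (magnitude 10), the other C2 host next (8), and drops the remediated banking server to 1 with a "no action required" note.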
These examples show how QRadar can leverage the value of best-of-breed products in which
customers have already invested throughout their infrastructure, and combine that data to
enable them to reach compliance and security goals.
Integrating Failsafe with QRadar enables customers to Detect, Respond and Recover
rapidly across the enterprise.