Solution Brief for Cisco Ironport

IBM Security QRadar SIEM and Cisco IronPort
IBM QRadar Security Intelligence Platform integrates with Cisco IronPort (WSA and
ESA) to help customers with their most challenging use cases.
QRadar SIEM provides
• Integrated log, threat, compliance management
• Asset profiling and flow analytics
• Offense management and workflow
QRadar SIEM allows single-pane troubleshooting of issues to create a Security
Operations Center. Its powerful rules engine correlates data, detects anomalies and
generates a manageable list of the highest-priority risks requiring forensic investigation
and remediation. QRadar SIEM derives value by working with best-of-breed products.
Cisco IronPort provides QRadar with a rich source of contextual data that can be
correlated with other data sources and used by our out-of-the-box rules and reports.
The Cisco Web Security Appliance (WSA) is the first secure web gateway to combine
advanced malware protection, application visibility and control, acceptable use policy
controls, insightful reporting, and secure mobility on a single platform, helping
organizations address the growing challenges of securing and controlling web traffic.
The Cisco WSA enables simpler, faster deployment with fewer maintenance
requirements, reduced latency, and lower operating costs. “Set and forget” technology
frees up staff once initial automated policy settings go live, and automatic security
updates are pushed to network devices every three to five minutes. Flexible deployment
options and integration with the existing security infrastructure help customers meet
demanding business needs.
Cisco® Email Security solutions defend mission-critical email systems with appliance,
virtual, cloud, and hybrid solutions. The industry leader in email security solutions,
according to an Infonetics Research 2013 study, Cisco delivers:
● Fast, comprehensive email protection that blocks spam, malware and other threats
while providing protection before, during, and after an attack
● Flexible cloud, virtual, and physical deployment options to meet your ever-changing
business needs
● Outbound message control through on-device data loss prevention (DLP), email
encryption, and optional integration with the RSA enterprise DLP solution
● One of the lowest total cost of ownership (TCO) email security solutions available
Cisco’s all-in-one solution offers simple, fast deployment, with few maintenance
requirements, low latency, and low operating costs. Our set-and-forget technology frees
your staff after the automated policy settings go live. The solution then automatically
forwards security updates to Cisco’s cloud-based threat intelligence solution. This threat
intelligence data is pulled by the Cisco Email Security Appliances (ESAs) every three to
five minutes, providing you with industry-leading threat defense hours or days before
other vendors. Flexible deployment options and smooth integration with your existing
security infrastructure make Cisco Email Security an excellent fit for your business
needs.
The following use cases are examples of how QRadar can leverage the value of the IronPort
appliances in which customers have already invested and which they have deployed throughout their infrastructure.
IBM Security QRadar and Cisco combine to enable customers to reach compliance and
security goals, and reduce the risk and severity of security breaches.
1. Malware outbreak prevented
A large educational institute is running Cisco ESA, WSA and QRadar. Cisco
sends QRadar 3 antivirus warning events from across the campus within a 3
minute period. QRadar correlates this with X-Force Reputation data and generates
an offense because the source IP address of the virus alerts matches that of a
known malware site. The security analyst notified of this offense takes action to
modify the WSA policy to prevent future malware attacks.
2. Spam campaign stopped and Personally Identifiable Information leak
prevented
A province-wide health provider is running Cisco IronPort and QRadar. ESA
sends QRadar an alert that spam has been detected going to the executive team
and the Health Records department. When QRadar correlates this activity with a
file access alert on the Health Records file share, it generates an offense. The SOC
analyst investigates and takes action to ensure the spam is blocked and the file
server is protected, preventing loss of patient information.
3. Malware blocked and offending site quarantined
A national financial services organization is running Cisco ESA, IBM Security
Network Protection XGS and QRadar. When their network analyst sees a
malware alert come into QRadar from Cisco ESA, she right-clicks on the event
and sends the IP address to the XGS appliance so that the site can be quarantined.
A short time later, the analyst sees that Cisco ESA is also sending Quarantine
events, and she closes the offense.
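The correlation behind use case 1 (three antivirus warnings from one source within a 3-minute window, confirmed against reputation data) can be sketched in code. This is an added illustration, not QRadar's rules engine or any Cisco code; the event fields, the sample events and the reputation set are constructed stand-ins.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, modelled loosely on antivirus warnings an
# ESA/WSA would forward to the SIEM. Not real Cisco log lines.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:05", "category": "antivirus_warning",
     "src_ip": "203.0.113.7", "host": "lab-pc-12"},
    {"time": "2024-01-10T09:01:10", "category": "antivirus_warning",
     "src_ip": "203.0.113.7", "host": "lib-pc-03"},
    {"time": "2024-01-10T09:02:40", "category": "antivirus_warning",
     "src_ip": "203.0.113.7", "host": "dorm-pc-88"},
    {"time": "2024-01-10T09:03:00", "category": "spam_detected",
     "src_ip": "198.51.100.4", "host": "mailgw"},
    {"time": "2024-01-10T09:20:00", "category": "antivirus_warning",
     "src_ip": "192.0.2.9", "host": "lab-pc-01"},
]

# Constructed stand-in for reputation data: IPs flagged as known malware sites.
KNOWN_MALWARE_SITES = {"203.0.113.7"}

WINDOW = timedelta(minutes=3)   # the 3-minute period from the use case
THRESHOLD = 3                   # the 3 antivirus warnings from the use case


def correlate(events, reputation, window=WINDOW, threshold=THRESHOLD):
    """Return one offense per source IP that produced at least `threshold`
    antivirus warnings inside `window` AND appears in the reputation set."""
    recent = defaultdict(deque)   # src_ip -> (timestamp, host) within the window
    offenses, raised = [], set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["category"] != "antivirus_warning":
            continue              # other event types belong to other rules
        ts = datetime.fromisoformat(ev["time"])
        q = recent[ev["src_ip"]]
        q.append((ts, ev["host"]))
        while q and ts - q[0][0] > window:
            q.popleft()           # slide the window forward
        if (len(q) >= threshold and ev["src_ip"] in reputation
                and ev["src_ip"] not in raised):
            raised.add(ev["src_ip"])   # raise each offense only once
            offenses.append({"src_ip": ev["src_ip"], "count": len(q),
                             "hosts": sorted(h for _, h in q)})
    return offenses
```

Without the reputation match the three warnings alone produce no offense, which is the point of correlating the appliance events with a second data source.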
Integrating the Cisco Web Security and Email Security solutions with QRadar enables
insight, visibility, and actionable intelligence gleaned through the defense-in-depth and
comprehensive security services for all web and email traffic extended across the
enterprise to combat complex security threats. QRadar benefits by getting a rich source
of contextual data, enabling it to identify and alert on anomalous behavior and
threats, and enabling you to reach your compliance and security goals.