IBM Security QRadar SIEM and ObserveIT Enterprise

Introducing new functionality for the IBM QRadar Security Intelligence Platform: integration with ObserveIT Enterprise.

QRadar SIEM provides
• Integrated log, threat and compliance management
• Asset profiling and flow analytics
• Offense management and workflow

QRadar SIEM allows single-pane troubleshooting of issues to create a Security Operations Center. Its powerful rules engine correlates data, detects anomalies and generates a manageable list of the highest-priority risks requiring forensic investigation and remediation. QRadar SIEM derives value by working with best-of-breed products. Here are some real-world examples combining these products:

ObserveIT's Enterprise solution captures video recordings of all user activity and generates textual audit logs for every application, even those that have no internal logging. It identifies shared-account users and detects identity theft. ObserveIT Enterprise covers activity from all sessions, including Windows, Unix and Linux, on both servers and desktops, in all protocols and environments. This gives your organization visibility into remote vendor and privileged user activity and allows auditors to replay any session.

The following use cases are examples of how QRadar SIEM can leverage the value of ObserveIT Enterprise, in which customers have already invested and which they have deployed throughout their infrastructure. The integration of IBM Security QRadar SIEM and ObserveIT Enterprise enables customers to reach compliance and security goals.

1. Insider fraud
2. Sharing confidential data
3. Unauthorized access of data
4. Logs of activity performed on customer systems (MSP use case)

Insider Fraud
QRadar SIEM receives Guardium events indicating that a policy violation has occurred with an unauthorized database change. ObserveIT events indicate that user John Smith ran a SQL script against PeopleSoft. QRadar SIEM generates an offense with High Magnitude.
SOC personnel right-click on the offense to launch ObserveIT Enterprise and review the video of John Smith's activity over the past month.

Sharing Confidential Data
ObserveIT events from a customer's in-house application detect unauthorized access to confidential data by user Jane Brown. QRadar correlates this event with Exchange events indicating that data was emailed outside of the customer network by the same employee. QRadar creates an offense enabling investigation by the SOC. The analyst filters flows for user Jane Brown and sees that traffic at the time of the MS Exchange event went to a particular destination IP. A WHOIS lookup on that destination IP shows that it belongs to Gmail. This is sufficient reason to look at Jane's recorded activity in ObserveIT.

Unauthorized Access of Financial Data
A large telecom is running QRadar and ObserveIT Enterprise. Their SOC sees that QRadar has generated an offense as a result of 3 failed logins followed by a successful login to the telecom's financial system. ObserveIT events alert on exceptional activity by a contractor who has access to the server housing the financial system. QRadar increases the magnitude of the offense, which results in immediate investigation by the SOC analysts.

Activity Performed on MSP Customer Assets
An MSP is running ObserveIT Enterprise to log all activity it performs in support of its customers and the actions it performs on customer assets. One of its remote support technicians logs onto a customer server to perform troubleshooting tasks and retrieve logs. An hour later, the customer, who has QRadar SIEM, finds that 50,000 records in their event transaction database have been deleted, but no offense has been generated. An investigation using QRadar shows that the MSP rep retrieved the logs and that a privileged user deleted the records in the database.
The analyst takes action to tune the QRadar rules so that such privileged-user activity is detected in the future. The MSP uses ObserveIT to replay the remote technician's session on the customer's system, showing every file, application and resource the technician used.

These examples show how QRadar can leverage the value of best-of-breed products you have already invested in throughout your infrastructure and combine them to help you reach compliance and security goals. Integrating ObserveIT Enterprise with QRadar extends visibility of all application and user activity across the enterprise to meet complex security threats. QRadar benefits by getting logs for applications with no native logging, enabling threat detection from even more sources.
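The correlation behind the "Unauthorized Access of Financial Data" use case above, as an added illustration that is not part of this brief and not QRadar's or ObserveIT's own rule syntax or event schema: a run of failed logins followed by a success on the same account and host opens an offense, and an ObserveIT-style "exceptional activity" event for that same user and host within the window raises its magnitude. The pipe-delimited log format, the field names, the ten-minute window and the magnitude scale are all assumptions; the sample events are constructed. The same join-on-user pattern is what the Insider Fraud and Sharing Confidential Data cases rely on (Guardium or Exchange events correlated with ObserveIT events for one user), so the function generalizes beyond the single case described.

```python
"""Toy SIEM-style correlation: failed-login run -> success, escalated by user-activity events.

Illustrative code only. Event schema, thresholds and magnitude values are
assumptions, not the QRadar or ObserveIT product schema.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

FAILED_LOGIN_THRESHOLD = 3        # from the use case: 3 failures followed by a success
WINDOW = timedelta(minutes=10)    # assumed correlation window
BASE_MAGNITUDE = 5                # assumed magnitude when the offense is first opened
ACTIVITY_BOOST = 3                # assumed increase when an ObserveIT-style event correlates

# Constructed sample log. Format (assumed): timestamp|source|user|host|kind
SAMPLE_LOG = """\
2024-01-15T09:00:01|auth|c.contractor|fin-db-01|login_failed
2024-01-15T09:00:09|auth|c.contractor|fin-db-01|login_failed
2024-01-15T09:00:20|auth|c.contractor|fin-db-01|login_failed
2024-01-15T09:00:31|auth|c.contractor|fin-db-01|login_success
2024-01-15T09:04:12|observeit|c.contractor|fin-db-01|exceptional_activity
2024-01-15T09:05:00|auth|a.analyst|fin-db-01|login_failed
2024-01-15T09:05:30|auth|a.analyst|fin-db-01|login_success
"""


@dataclass
class Event:
    ts: datetime
    source: str   # log source, e.g. "auth" or "observeit" (constructed names)
    user: str
    host: str
    kind: str     # "login_failed", "login_success" or "exceptional_activity"


@dataclass
class Offense:
    user: str
    host: str
    opened: datetime
    magnitude: int
    evidence: List[Event] = field(default_factory=list)


def parse_line(line: str) -> Event:
    """Parse one pipe-delimited line of the assumed log format."""
    ts, source, user, host, kind = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), source, user, host, kind)


def correlate(events: List[Event]) -> List[Offense]:
    """Open an offense per (user, host) on N failures then a success; escalate on activity events."""
    failures: Dict[Tuple[str, str], List[Event]] = {}
    offenses: Dict[Tuple[str, str], Offense] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.host)
        # Keep only failures still inside the correlation window.
        recent = [f for f in failures.get(key, []) if ev.ts - f.ts <= WINDOW]
        if ev.kind == "login_failed":
            recent.append(ev)
            failures[key] = recent
        elif ev.kind == "login_success":
            if len(recent) >= FAILED_LOGIN_THRESHOLD and key not in offenses:
                offenses[key] = Offense(ev.user, ev.host, ev.ts,
                                        BASE_MAGNITUDE, recent + [ev])
            failures[key] = []  # a successful login ends the failure run
        elif ev.kind == "exceptional_activity":
            off = offenses.get(key)
            # Same user on the same host, shortly after the suspicious login: escalate.
            if off is not None and ev.ts - off.opened <= WINDOW:
                off.magnitude = min(10, off.magnitude + ACTIVITY_BOOST)
                off.evidence.append(ev)
    return list(offenses.values())


def run_sample() -> List[Offense]:
    """Run the correlation over the constructed sample log."""
    return correlate([parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()])


if __name__ == "__main__":
    for off in run_sample():
        print(f"offense user={off.user} host={off.host} magnitude={off.magnitude} "
              f"evidence={len(off.evidence)} events")
```

Only the contractor's account produces an offense: three failures inside the window followed by a success open it at the base magnitude, and the later activity event for the same user and host pushes it to 8 with five evidence events attached. The analyst's single failure followed by a success stays below the threshold and is dropped. In a production SIEM the equivalent logic lives in the rule engine rather than in code, but the shape is the same: a counted sequence on one key, and a second source joined on that key to change the offense's priority.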