QRadar Flows Datasheet .pdf


Original filename: QRadar Flows Datasheet.pdf
Title: IBM Security QRadar QFlow Collector appliances for security intelligence

This PDF 1.4 document has been generated by Adobe InDesign CS5 (7.0) / Adobe PDF Library 9.9, and has been sent on pdf-archive.com on 27/06/2016 at 22:42, from IP address 201.64.x.x. The current document download page has been viewed 1114 times.
File size: 1.3 MB (8 pages).
Privacy: public file




IBM Software

IBM Security QRadar QFlow Collector
appliances for security intelligence
Advanced solutions for the analysis of network flow data

January 2013


Security intelligence through increased network visibility
As the security threats facing organizations have grown exponentially, the need for greater visibility into network activity has
become an imperative. Attacks and breaches have become more
sophisticated, attackers now pursue targets of choice rather
than targets of opportunity, and the consequences can include
significant brand and financial damage or risk to critical
infrastructures.
Distinguishing itself from first-generation log management and
security information and event management (SIEM) solutions,
IBM® Security QRadar® SIEM delivers security intelligence
by correlating logs with network flows and a multitude of
other data, presenting all relevant information on a single screen.
When used with IBM Security QRadar QFlow Collector appliances
or IBM Security QRadar VFlow Collector appliances, QRadar SIEM
provides Layer 7 application visibility and flow analysis to help
you fully understand and respond to activity taking place within
your network. With these solutions, you can detect threats that
other solutions might miss, ensure policy and regulatory
compliance, and minimize risks to mission-critical services, data
and assets.

The importance of network flow data
Network flow data covers the set of packet exchanges or
“conversations” between devices on a network. A network
flow record provides information about a specific conversation
between two devices using a specific protocol, and can include
many fields that describe the interaction. These characteristics
include source and destination IP addresses, transport protocol
such as User Datagram Protocol (UDP) or Transmission Control
Protocol (TCP), source and destination ports, application
information, traffic statistics, quality of service and, in some
cases, actual packet payload.
While a number of flow formats exist today, including NetFlow,
J-Flow and sFlow, they typically stop at Layer 4 and provide
only network-level IP address and UDP/TCP port-level
information. This capability is useful for obtaining a general
understanding of the conversations occurring on well-defined
protocols; however, the pre-summarized and static data from
sources such as NetFlow and J-Flow does not provide deep
visibility into network activity and applications.

QRadar QFlow and VFlow Collector technology
To really understand what’s happening within their networks,
security teams need the ability to look into communications at a
much richer level. They need to see beyond simply who is
participating in an exchange and discover when the content of
these interactions includes such recognizable data patterns as
social security numbers, credit card numbers, text—including
terms like “ID” or “password”—or other protected information.
The QRadar QFlow Collector solution, paired with QRadar flow
processors, provides this application layer (Layer 7) visibility,
as well as classification of stateful applications and protocols
such as voice over IP (VoIP), multimedia, enterprise resource
planning (ERP), database, and hundreds of other protocols and
applications. Application-aware flow data is obtained from a
deep examination and inspection of every packet, which also
allows for advanced threat detection through analysis of packet
payload content. Correlating this flow information with network
and security events, vulnerabilities, identity information and
threat intelligence is the optimal way to obtain a complete and
accurate view of an organization’s security posture.
Because virtualized server traffic cannot be collected using
traditional monitoring technologies, IBM offers QRadar VFlow
Collector solutions to monitor virtual environments. QRadar
VFlow Collectors provide application-layer visibility into all
virtual network traffic for advanced security intelligence, with
support for VMware virtual environments that enables the
profiling of more than 1,000 applications out of the box. This
solution can also analyze port-mirrored traffic for a physical
network switch, which helps bridge the gap between the physical
and virtual realms. In addition, QRadar VFlow Collectors run
on the virtual server and do not require additional hardware,
making them a highly cost-effective solution.

QRadar QFlow and VFlow Collector use cases
QRadar SIEM with QRadar QFlow and VFlow Collectors
supports five key use cases:
● Detection of zero-day threats through traffic profiling: Detection of malware and virus/worm activity through behavior profiling and anomaly detection across all network traffic, including applications, hosts, protocols and network areas
● Compliance with policy and regulatory mandates via deep analysis of application data and protocols: Alerts about out-of-policy behavior and traffic, such as traffic being sent to untrustworthy geographical regions or transmissions using unsecure protocols
● Social-media monitoring: Anomaly detection and deep packet inspection-based content capture that identifies and alerts security teams about social media-related threats and risks
● Advanced incident analysis via correlation of flow data with log data: Accurate prioritization of incident data and reduction of false positives by correlating security events with actual network traffic
● Continuous profiling of assets: Collection and monitoring of continuous information feeds from hosts, assets and services, enabling QRadar SIEM to automatically identify and classify new assets and discover which ports and services they are running

Detection of zero-day threats that others miss
QRadar QFlow Collectors use flow data to detect new security
threats without the use of vulnerability signatures, so you can
rely on them to identify changes in network traffic and threats
often missed by other anti-virus and security systems. Examples
include unfamiliar or new service or protocol additions, such as a
mail server installed in a demilitarized zone (DMZ); a File
Transfer Protocol (FTP) service on a server not designated for
outbound data transfers; the failure of a web server service that
previously answered 100 percent of requests; or a change in the
activity level of any commonly used service.

Figure: Time profiles of different anomalies that can be detected with flow data. Three panels (new services on the network; sudden increase in service activity; sudden decrease in service activity), each contrasting a long-term traffic profile with a short-term traffic profile.
QRadar SIEM with QRadar QFlow and VFlow Collectors can help detect
anomalies based on activity baselines, providing organizations with the
analytics necessary to identify and gain insight into suspicious behavior.

For example, the Secure Shell (SSH) data transit security protocol might be installed on the corporate mail server, but only
used a few times a week. If a malicious user were to suddenly
exploit the server and utilize the SSH service as a jumping
point to exploit other servers, QRadar QFlow Collectors would
immediately detect the activity and issue an alert.
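As an added illustration of the baseline profiling described above (this is example code written for this page, not IBM's or QRadar's implementation), the following Python script builds a constructed 14-day history of flow records with the fields the datasheet lists (source and destination IP, transport protocol, destination port, byte count) and compares each service's short-term activity with its long-term profile. The three anomaly kinds are the ones in the figure: a new service, a sudden increase and a sudden decrease. The thresholds (three standard deviations with a floor of one flow, and a baseline of at least ten flows per day before a decrease is reported) are assumptions chosen for the example, as are all addresses and counts.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One flow record, reduced to the fields this example needs."""
    day: int        # day index on a constructed timeline
    src: str        # source IP
    dst: str        # destination IP (the server side of the conversation)
    proto: str      # transport protocol: "tcp" or "udp"
    dport: int      # destination port, i.e. the service
    byte_count: int


BASELINE_DAYS = 14   # long-term profile: days 0..13
TEST_DAY = 14        # short-term window under test


def build_history():
    """Constructed flow history (not real traffic) for three servers."""
    flows = []
    for day in range(TEST_DAY + 1):
        # Mail server 10.0.0.5 receives ~50 SMTP conversations every day
        for i in range(50):
            flows.append(Flow(day, f"10.0.1.{10 + i % 20}", "10.0.0.5", "tcp", 25, 4000))
        # Its SSH service is used only once a week during the baseline
        if day % 7 == 0 and day < TEST_DAY:
            flows.append(Flow(day, "10.0.1.10", "10.0.0.5", "tcp", 22, 3000))
        # Web server 10.0.0.8 answers ~200 requests a day until it fails on the test day
        if day < TEST_DAY:
            for i in range(200):
                flows.append(Flow(day, f"10.0.2.{1 + i % 50}", "10.0.0.8", "tcp", 80, 1500))
    # Test day: SSH on the mail server is suddenly reached from 40 internal hosts
    for i in range(40):
        flows.append(Flow(TEST_DAY, f"10.0.1.{10 + i}", "10.0.0.5", "tcp", 22, 9000))
    # Test day: an FTP service appears on a host that never offered one
    flows.append(Flow(TEST_DAY, "203.0.113.7", "10.0.0.9", "tcp", 21, 500000))
    return flows


def daily_service_counts(flows):
    """Flows per service per day; a service is (host, proto, port) on the
    destination side of the conversation."""
    counts = defaultdict(Counter)
    for f in flows:
        counts[(f.dst, f.proto, f.dport)][f.day] += 1
    return counts


def profile_anomalies(flows, baseline_days=BASELINE_DAYS, test_day=TEST_DAY):
    """Compare each service's short-term count with its long-term profile.

    Returns sorted (kind, host, proto, port, baseline_mean, current_count)
    tuples. The thresholds are assumptions of this example, not QRadar's.
    """
    anomalies = []
    for (host, proto, port), per_day in daily_service_counts(flows).items():
        baseline = [per_day.get(d, 0) for d in range(baseline_days)]  # zero-fill quiet days
        current = per_day.get(test_day, 0)
        avg = mean(baseline)
        spread = max(pstdev(baseline), 1.0)  # floor so a flat baseline still has a band
        if sum(baseline) == 0 and current > 0:
            anomalies.append(("new service", host, proto, port, avg, current))
        elif current > avg + 3 * spread:
            anomalies.append(("sudden increase", host, proto, port, avg, current))
        elif avg >= 10 and current < avg - 3 * spread:
            anomalies.append(("sudden decrease", host, proto, port, avg, current))
    return sorted(anomalies)


if __name__ == "__main__":
    for kind, host, proto, port, avg, current in profile_anomalies(build_history()):
        print(f"{kind:16} {host}:{port}/{proto}  baseline {avg:.2f}/day, now {current}")
```

Run stand-alone, the script reports the new FTP service on 10.0.0.9, the drop to zero of HTTP on 10.0.0.8, and the jump from a fraction of a flow per day to 40 for SSH on 10.0.0.5; the daily SMTP load, which never changes, produces nothing. Zero-filling the quiet days matters: without it, a service seen twice in two weeks would look like a steady two-per-day service and the increase would be scored against the wrong baseline.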

Policy and regulatory compliance
Use case: Manufacturer detects a previously overlooked worm
A global auto manufacturer analyzed flow data to identify a worm
outbreak affecting its production facility that was missed by other
signature-based detection sources. Using QRadar SIEM with QRadar
QFlow Collectors, the company’s security analyst saw Telnet sessions
rapidly decrease on the local hosts while simultaneous activity through
Microsoft Windows network ports dramatically increased. Working
with IT operations, the analyst immediately remediated the
vulnerability, preventing widespread damage.

First-generation log management and SIEM products are simply
no longer sufficient for today’s compliance needs. Requirements
such as the Payment Card Industry Data Security Standard
(PCI DSS), for one, require application-aware monitoring and
visibility—unattainable through basic log analysis. Businesses
need technology like that provided by QRadar SIEM with
QRadar QFlow Collectors to:
● Detect applications running over non-standard ports
● Identify users logging on to critical servers with clear-text user names and passwords
● Ensure usage of encrypted protocols in sensitive areas of the network

Figure: QRadar SIEM with QRadar QFlow and VFlow Collectors provides Layer 7 visibility to help organizations identify covert threats such as botnet IRC traffic.

Use case: Healthcare provider prevents loss of patient data
A major healthcare provider significantly reduced its financial and
reputational risk through the use of QRadar SIEM with QRadar QFlow
Collectors. The system detected unencrypted patient data being
passed in the clear after a patch was applied to a critical system. Due
to the rapid detection, the organization quickly remediated this risk
and avoided potential penalties.

One common scenario involves botnet communication channels
(IRC traffic) running over port 80 (web traffic). Through content
inspection, covert IRC channels and communications are detected
and captured for forensic evidence, and alerts are issued on the
behavior. Solutions using only NetFlow data would simply view
this as normal web traffic and completely miss the botnet activity.
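To show why port-based (Layer 4) classification misses the covert IRC channel described above while content inspection catches it, here is an added Python example (not QRadar's classifier) that labels constructed flow records both ways and reports every disagreement. The addresses and payload samples are constructed; the IRC command names and the HTTP request-line syntax are those of the real protocols, but the port table and the two-command threshold are assumptions of the example. Because it flags any mismatch, it also surfaces an application on a non-standard port, the first of the compliance items listed above.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes   # first bytes of the conversation, as a collector captures them


# Layer 4 view: the destination port is all a NetFlow-style record offers.
WELL_KNOWN_PORTS = {25: "smtp", 53: "dns", 80: "http", 443: "https", 6667: "irc"}


def classify_by_port(flow):
    return WELL_KNOWN_PORTS.get(flow.dport, "unknown")


# Layer 7 view: protocol syntax in the payload. IRC clients register and
# operate with text commands at the start of each line; an HTTP exchange
# starts with a request line.
IRC_COMMAND = re.compile(rb"^(?:NICK|USER|JOIN|PRIVMSG|PASS) ", re.M)
HTTP_REQUEST = re.compile(rb"^(?:GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")


def classify_by_content(flow):
    if HTTP_REQUEST.match(flow.payload):
        return "http"
    if len(IRC_COMMAND.findall(flow.payload)) >= 2:   # assumed threshold
        return "irc"
    return classify_by_port(flow)   # no L7 signature matched: fall back to the port


def covert_or_nonstandard(flows):
    """Flows whose application disagrees with what the port implies: either a
    covert channel (IRC on 80) or an application on a non-standard port."""
    findings = []
    for f in flows:
        l4, l7 = classify_by_port(f), classify_by_content(f)
        if l4 != l7:
            findings.append((f.src, f.dst, f.dport, l4, l7))
    return findings


# Constructed sample conversations (addresses and payloads are made up).
SAMPLE_FLOWS = [
    Flow("10.0.5.12", "198.51.100.20", 80,
         b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("10.0.5.33", "203.0.113.9", 80,
         b"NICK host7\r\nUSER host7 0 * :host7\r\nJOIN #chan\r\n"),
    Flow("10.0.5.33", "203.0.113.9", 6667,
         b"NICK host7\r\nUSER host7 0 * :host7\r\n"),
    Flow("10.0.5.40", "198.51.100.20", 8080,
         b"POST /api HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]


if __name__ == "__main__":
    for src, dst, port, l4, l7 in covert_or_nonstandard(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port}  port says {l4}, content says {l7}")
```

The second sample flow is the case from the text: a NetFlow-only view labels it "http" and moves on, while the content classifier sees IRC registration commands and raises it. The fourth flow shows the other direction of the same check, ordinary HTTP on port 8080.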

Social media monitoring
Social media is an increasing risk to your organization’s data and
assets, as employees can easily fall victim to social
engineering-based threats and unwittingly serve as entry points
for advanced persistent threats. In response, you need new tools
to combat these threats. QRadar QFlow Collectors address this
need through native capabilities for deep packet inspection and
content capture, enabling you to see social media usage on your
networks and determine the risks arising from these applications.
The combination of QRadar SIEM and QRadar QFlow
Collectors enables users to monitor activity on social media
platforms and multimedia applications. The solution’s anomaly
detection and deep packet inspection-based content capture
make it easy to detect web-based malware, identify
vulnerabilities introduced to the environment from social media
applications, and monitor and alert on the information users are
making public—all in real time. You can identify which users are
accessing each social media service, determine their patterns of
usage, and monitor and alert on the content being transmitted to
those services.

Social media usage can also be correlated against other network
and log activity within an organization. For example, the
transmission of data to a social media site immediately following
a user’s unusual access to a sensitive internal resource might
signal a questionable activity to investigate. QRadar SIEM with
QRadar QFlow Collectors combines flow-based application
visibility and advanced in-memory correlation capabilities to give
you a comprehensive, accurate and actionable view of security
threats and risks affecting your network.

Use case: Construction distributor meets compliance mandates
A large plumbing, heating, HVAC and industrial-pipe distributor
originally deployed the IBM QRadar Security Intelligence Platform to
meet PCI DSS compliance mandates and ease the auditing process.
Over time, the company expanded its deployment to monitor
social networking usage, and now uses QRadar SIEM with QRadar
QFlow Collectors to ensure its customers’ personally identifiable
information is not shared outside of the company—which moves its
security posture from “check-box” compliance to proactive security
intelligence and threat detection.

“If we didn’t have QRadar SIEM with
QRadar QFlow Collectors to help analyze
the mountains of application traffic coming
into and out of our network, it would have
been nearly impossible to identify the
anomalies that the company viewed as
threats. With QRadar SIEM, we can take
any network behavior and look back to get
information about its relative importance to
the company’s overall security posture.”
—An information security engineer, food service distributor

Advanced incident analysis and insight
Using QRadar solutions, you can perform real-time comparisons
of application flow data with log source events sent from security
devices, which can help you to better understand what’s
happening on your network. This powerful correlation between
log and flow data can help your organization identify serious
threats that might otherwise go undiscovered.

Use case: Multinational firm finds and stops botnets
A leading multinational corporation with an 80,000-host network used
QRadar SIEM with QRadar QFlow Collectors to discover a botnet
infection that existing anti-virus and anti-malware solutions didn’t
detect. The QRadar solution identified a small number of daily .gif
transfers to external hosts known to be botnet command-and-control
servers. The infection was detected, the company re-imaged the hosts,
and the activity disappeared.

“While SIEM technology has been widely
deployed for network security monitoring, log
management and compliance reporting,
changes in the threat environment are
driving new monitoring requirements for
application and user activity and data access.
Support of the new use cases will require the
addition of user, data and application context
to the broad-scope event monitoring that is
provided by SIEM. Organizations should
integrate context sources for each of these
areas with their SIEM deployment.”
—Gartner, Inc., “Effective Security Monitoring Requires Context,” Mark Nicolett,
January 16, 2012

An example of this involves a typical backdoor exploit event
received from an intrusion detection system. Information from
the event, such as the attacking IP, target IP and port
information, can be used to automatically begin filtering the
actual network communications. Flow data is analyzed to
ascertain whether this traffic is normal or whether the target is
communicating with an attacking IP using a previously
unobserved service. Such flow-based correlation rules both
eliminate false positives and raise the relevance and credibility of
a real attack.

Continuous profiling of assets
QRadar solutions automatically identify and classify new assets
found on the network and discover which ports and services they
are running. They can alert you when new systems or services
are added, and also watch for configuration changes to existing
services. These capabilities provide a complete view of your
network and improve the prioritization of security incidents.
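The following Python example (added here; it is not IBM's correlation engine) covers both the flow-based incident analysis described in the previous section and the passive asset profiling in this one. From a constructed flow history it derives which ports each internal host serves and which services each host uses as a client, then correlates a constructed IDS backdoor event with the flows between the attacking and target IPs around the event time: it escalates when the target starts talking to the attacker over a service it has never used before, and deprioritizes when the network carried no such traffic at all. The ten-minute window, the verdict names, the `10.` internal prefix and all addresses and timestamps are assumptions of the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds on a constructed timeline
    src: str
    dst: str
    proto: str
    dport: int
    byte_count: int


@dataclass(frozen=True)
class IdsEvent:
    """The fields of an intrusion-detection event that the correlation uses."""
    ts: int
    name: str
    attacker: str
    target: str
    dport: int


# Constructed history (not real traffic): a web server 10.0.0.20 that serves
# HTTP and resolves names via 10.0.0.53, and a host 10.0.0.21 that serves SSH.
FLOWS = [Flow(t, f"10.0.1.{1 + (t // 100) % 5}", "10.0.0.20", "tcp", 80, 1500)
         for t in range(0, 4000, 100)]
FLOWS += [Flow(t, "10.0.0.20", "10.0.0.53", "udp", 53, 120) for t in range(0, 4000, 400)]
FLOWS += [Flow(t, "10.0.1.9", "10.0.0.21", "tcp", 22, 3000) for t in range(0, 4000, 800)]
# Traffic around the alert: the flagged request, then the target opening a
# connection back to the attacking IP on a port it has never used before.
FLOWS += [
    Flow(4990, "203.0.113.50", "10.0.0.20", "tcp", 80, 900),
    Flow(5010, "10.0.0.20", "203.0.113.50", "tcp", 4444, 20000),
]
EVENTS = [
    IdsEvent(5000, "Backdoor connect attempt", "203.0.113.50", "10.0.0.20", 80),
    IdsEvent(5000, "Backdoor connect attempt", "203.0.113.50", "10.0.0.21", 22),
]


def service_profiles(flows, before):
    """Passive asset profile from flows observed before `before`: the services
    each host offers (destination side) and those it uses as a client."""
    served, used = defaultdict(set), defaultdict(set)
    for f in flows:
        if f.ts < before:
            served[f.dst].add((f.proto, f.dport))
            used[f.src].add((f.proto, f.dport))
    return served, used


def asset_inventory(served, prefix="10."):
    """Internal hosts and the ports they have been seen running."""
    return {h: sorted(p for _, p in s) for h, s in served.items() if h.startswith(prefix)}


def correlate(event, flows, used, window=600):
    """Filter the flows between attacker and target around the event and judge it."""
    related = [f for f in flows
               if {f.src, f.dst} == {event.attacker, event.target}
               and abs(f.ts - event.ts) <= window]
    if not related:
        return "deprioritize", []   # the network never carried what the IDS reported
    callbacks = {(f.proto, f.dport) for f in related if f.src == event.target}
    unseen = sorted(callbacks - used.get(event.target, set()))
    if unseen:
        return "escalate", unseen   # target now talks to the attacker over a new service
    return "investigate", []        # inbound attempt only; target behaviour unchanged


if __name__ == "__main__":
    served, used = service_profiles(FLOWS, before=EVENTS[0].ts - 600)
    print("assets:", asset_inventory(served))
    for ev in EVENTS:
        print(ev.name, ev.attacker, "->", ev.target, correlate(ev, FLOWS, used))
```

The profile is built only from flows before the correlation window, so the callback on port 4444 cannot poison the baseline it is judged against; in a running deployment the same separation is what keeps "previously unobserved" meaningful. The second event illustrates the false-positive reduction from the text: the IDS reported an attempt against 10.0.0.21, but no flow between those two hosts exists, so the event is deprioritized rather than worked.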

Use case: Utility company automatically tracks thousands of assets
A major US utility company deployed QRadar SIEM with QRadar
QFlow Collectors to improve its enterprise-wide security posture, and
within hours of starting to monitor flow traffic, the QRadar solution
identified thousands of devices and assets. In short order, the company
found a number of servers with security risks it would not have
discovered through log event monitoring alone. It now relies on QRadar
SIEM to continuously identify new assets and risks, and to respond
appropriately.

Conclusion
With the growing sophistication and frequency of threats,
you need deeper visibility and actionable intelligence for your
network environment. QRadar SIEM with QRadar QFlow and
VFlow Collectors uses network- and application-aware flow
data to deliver an advanced security intelligence solution that
encompasses both physical and virtual resources. The solution
more accurately detects and prioritizes security incidents by
inspecting packet-level payload information and placing it in the
appropriate context.

Combining Layer 7 application flow data, Layer 4 network flow
data, log/event data and asset data, this next-generation QRadar
SIEM solution quickly surfaces prioritized and actionable
offenses to your network and security operations teams via a
common console. This advanced yet easy-to-implement solution
helps you better detect and remediate threats, enforce policies
and minimize risk to your mission-critical IT systems.

For more information
To learn more about IBM Security QRadar SIEM, IBM Security
QRadar QFlow and VFlow Collector technologies, please
contact your IBM representative or IBM Business Partner, or
visit: ibm.com/security



WGB03005-USEN-00

