MSS Architect Using IBM Q-radar
© 2014 IBM Corporation
2014 Security Threat Trends and IBM's Recommendations for Internal Control, May 20, 2014
Security Framework with Q-radar
김도형, Manager (SK Planet)
About me
SK Planet
MSS & Security for Public service and IDC
POSCO
Enterprise Security Program & Governance
NCA
KIX, NCA-SIGN, Web-Hosting for Public Service
Government Policy Advisory
KISA
Standardization, KrCERT/CC
Army
Network & Server administrator
Agenda
1. Introduction
2. Security Threat Landscape
3. Security Threat Detection
4. Security Monitoring & Response
5. Security Portfolio & Q-radar Implementation
6. Hurdle
7. Q & A
About SK Planet
History : SK M&C(2008.4) + SK Planet(2011.10)
Mission : HUG
Business Area
– Digital Contents : T Store, hoppin, T Cloud, Tictoc, Cyworld, Nate, NateOn, Cymera
– Integrated Commerce : 11st, Gifticon, Smart Wallet, Paypin, Styletag, T Shopping
– Marketing Communication : OK Cashbag, BENEPIA
– Location Based Service : T Map, picket, OK Map, NaviCall
– Advertising
Affiliates : SK Communications, Commerce planet, M & Service
Introduction
IT is changing and threats are evolving.
Security Threat Landscape
Ref : http://blogs.cisco.com
Threats are widespread and protection can change
Security Threat Landscape
Ref : 2012 ENISA Threat Landscape report
Ref : adapted from an IPA report
Morris worm and CERT®
Security Threat Detection
Staff
Procedure
Technology
Quiz
Security Threat Detection
What are the necessary and sufficient conditions for security monitoring & response?
Security Monitoring & Response
Staff
Procedure
Technology
- Vulnerability Management
- IDS & IPS Operation
- Log management & Correlation
- Security Insight
IBM Security Portfolio
- Internet Security Systems
- Watchfire (Appscan)
- RealSecure (Proventia)
- Q-radar (EP, FP, VM, RM, Forensic, etc)
- X-force
Comparison
Security Monitoring & Response
Airport Inspection       |                | MSS
-------------------------+----------------+------------------
Traveler                 | Who/What       | Internal Asset
Pre-existing conditions  | Symptoms       | Vulnerability
Thermal detection sensor | Tools          | IDS / IPS
In-depth Inspection      | Responses      | ?
Risk Management          | Post-mortem    | ?
Advance-knowledge        |                | ?
Government Policy        |                | ?
Triage                   |                |
Why do you think Q-radar is special?
Security Portfolio & Q-radar implementation
Correlation (Q-Radar)
- Logs
- Asset
- Network Hierarchy
- Network Flow (QFlow: IPFIX, J/N/S-flow)
- Vulnerability (QVM)
- Risk & Config (QRM)
- Offense (Ticket)
- NBAD (Threshold)
- Threat Insight
- Black list
Why do you think Q-radar is special?
Security Portfolio & Q-radar implementation
Ref : Youtube(Jose Bravo)
How do we, as a customer rather than a solution provider, monitor threats?
Hurdle
Staff - Technical education & training
Procedure - Process integration with solutions
Technology
- Vulnerability Management
- IDS & IPS Operation (local vendor)
- Log management & Correlation
- Security Insight
- Risk Management
IBM Q-radar (+ 3rd party)
- QVM (+ 3rd party)
- DSM (e.g. IDS + 3rd party)
- Event Processor (Q-radar default)
- X-force Premium Service
- QRM
Enterprise environment
- Internal Asset, Network Hierarchy
- Network Operation & Devices
- Log source & normalization
A few real-world difficulties in implementing security monitoring and response
Concept vs. Implementation
Tailored process
Ticket
Rule & Methodology
QID Mapping & Normalization
Hurdle
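The correlation slide (logs, assets, network hierarchy, vulnerability data feeding an offense) and the "QID Mapping & Normalization" hurdle describe the same pipeline from two sides: raw vendor lines must first be mapped onto a common event identifier before context rules can fire on them. The following is an added toy version of that pipeline, written for this page; it is not IBM, QRadar or SK Planet code. The two log formats, the QID table, the asset and vulnerability records, the network hierarchy and both rules are constructed for illustration.

```python
"""Toy normalization + correlation pipeline (added example, not QRadar code).
Every log format, QID, asset record, vulnerability tag and rule is constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed QID-style map: (log source type, vendor message) -> (qid, category).
# Anything not in this table is dropped, which is exactly the DSM/QID gap the
# "Hurdle" slide is about: an unmapped source contributes nothing to correlation.
QID_MAP = {
    ("snort", "WEB-ATTACKS sql injection attempt"): (1001, "Exploit.SQLi"),
    ("apache", "404"): (2001, "Access.NotFound"),
    ("apache", "200"): (2002, "Access.Success"),
}

# Constructed enterprise context: assets with known vulnerability classes,
# a network hierarchy, and a log-source registry (name -> (type, host ip)).
ASSETS = {"10.0.0.7": {"name": "web01", "vulns": {"SQLi"}},
          "10.0.0.9": {"name": "web02", "vulns": set()}}
NETWORK_HIERARCHY = {"DMZ": ip_network("10.0.0.0/24"), "Corp": ip_network("10.1.0.0/16")}
LOG_SOURCES = {"apache-web01": ("apache", "10.0.0.7")}


@dataclass
class Event:
    qid: int
    category: str
    src_ip: str
    dst_ip: str


# Snort "fast" alert line and Apache combined access-log line (constructed formats).
SNORT_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.+?) \[\*\*\].*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):\d+")
APACHE_RE = re.compile(
    r'^(?P<src>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) ')


def normalize(source_name, raw):
    """Map one raw line from a named log source to an Event, or None if unmapped."""
    if source_name == "snort":
        m = SNORT_RE.search(raw)
        if not m:
            return None
        key, src, dst = ("snort", m["msg"]), m["src"], m["dst"]
    elif source_name in LOG_SOURCES:
        kind, host = LOG_SOURCES[source_name]
        m = APACHE_RE.match(raw)
        if not m:
            return None
        key, src, dst = (kind, m["status"]), m["src"], host  # server-side log: dst is the host
    else:
        return None
    if key not in QID_MAP:
        return None
    qid, category = QID_MAP[key]
    return Event(qid, category, src, dst)


def zone(ip):
    """Resolve an address to its network-hierarchy zone name."""
    addr = ip_address(ip)
    return next((name for name, net in NETWORK_HIERARCHY.items() if addr in net), "Unknown")


def correlate(events):
    """Rule 1 (asset/vulnerability context): an exploit-class event against an
    asset that is recorded as vulnerable to that class.
    Rule 2 (threshold, NBAD-style): one source causing >= 3 'not found'
    responses on one host. Both rules are constructed for this example."""
    offenses = []
    for e in events:
        asset = ASSETS.get(e.dst_ip)
        if e.category.startswith("Exploit.") and asset:
            exploit_class = e.category.split(".", 1)[1]
            if exploit_class in asset["vulns"]:
                offenses.append({"rule": "exploit-vs-vulnerable-asset", "src": e.src_ip,
                                 "dst": e.dst_ip, "asset": asset["name"],
                                 "zone": zone(e.dst_ip), "magnitude": 9})
    counts = Counter((e.src_ip, e.dst_ip) for e in events if e.category == "Access.NotFound")
    for (src, dst), n in counts.items():
        if n >= 3:
            offenses.append({"rule": "notfound-threshold", "src": src, "dst": dst,
                             "asset": ASSETS.get(dst, {}).get("name"), "zone": zone(dst),
                             "magnitude": 5, "count": n})
    return offenses


# Constructed sample input: one Snort alert, four Apache lines, one unparseable line.
SAMPLE = [
    ("snort", '05/20-10:00:01.123456  [**] [1:1000001:1] WEB-ATTACKS sql injection attempt [**] '
              '[Priority: 1] {TCP} 203.0.113.5:44321 -> 10.0.0.7:80'),
    ("apache-web01", '203.0.113.5 - - [20/May/2014:10:00:02 +0900] "GET /admin HTTP/1.1" 404 212'),
    ("apache-web01", '203.0.113.5 - - [20/May/2014:10:00:03 +0900] "GET /backup HTTP/1.1" 404 212'),
    ("apache-web01", '203.0.113.5 - - [20/May/2014:10:00:04 +0900] "GET /.git HTTP/1.1" 404 212'),
    ("apache-web01", '198.51.100.8 - - [20/May/2014:10:00:05 +0900] "GET / HTTP/1.1" 200 1024'),
    ("snort", "garbage line the parser cannot map"),
]


def run(lines=SAMPLE):
    """Normalize all lines, drop the unmapped ones, and correlate the rest."""
    events = [ev for name, raw in lines if (ev := normalize(name, raw)) is not None]
    return events, correlate(events)


if __name__ == "__main__":
    evs, offs = run()
    print(f"{len(evs)} normalized events, {len(offs)} offenses")
    for o in offs:
        print(o)
```

Run as a script it reports five normalized events and two offenses; the "garbage" line is silently dropped because it has no QID, and the zone lookup only works because the network hierarchy was populated first. That ordering (assets, hierarchy and log-source registry before rules) is the practical point behind the "Enterprise environment" items on the previous slide.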
Feel free to ask questions and share ideas.
Q & A
End of Presentation