IBM QRadar - Introduction

3 min read

  本文是 IBM QRadar 演示 PPT No.1《Introduction to QRadar》的学习笔记,内容仅供学习交流,IBM QRadar 官方文档。若想学习 IBM QRadar 相关内容,建议咨询 IBM 官方。

An integrated and intelligent security immune system

一个中心:Security Analytics and Orchestration

  1. Cognitive security
  2. Vulnerability management
  3. Threat and anomaly detection
  4. User behavior analysis
  5. Incident response
  6. Threat hunting and investigation


  1. Network
    1. Network froensics and threat management
    2. Firewalls
    3. Sandboxing
    4. Virtual patching
    5. Network visibility and segmentation
  2. Advanced Fraud
    1. Fraud protection
    2. Criminal detection
  3. Identity and Access
    1. Privileged identity management
    2. Entitlements and roles
    3. Access management
    4. Identity management
  4. Cloud
    1. Cloud access security broker
    2. Workload protection
  5. Data and Apps
    1. Data monitoring
    2. Data access control
    3. Application scanning
    4. Application security management
  6. Mobile
    1. Transaction protection
    2. Device managemnet
    3. Content security
  7. Endpoint
    1. Endpoint detection and response
    2. Endpoint patching and management
    3. Malware protection
  8. Threat Intelligence
    1. IP reputation
    2. Indicators of compromise
    3. Threat sharing
  9. Security Ecosystem

IBM security immune system portfolio

一个中心:Security Analytics and Orchestration

  1. Cognitive security - QRadar Advisor with Watson
  2. Vulnerability management - QRadar Vulnerability / Risk Manager
  3. Threat and anomaly detection - QRadar SIEM
  4. User behavior analysis - QRadar User Behavior Analytics
  5. Incident response - Resilient Incident Response
  6. Threat hunting and investigation - i2 Enterprise Insight Analysis


  1. Network
    1. QRadar Network Security(XGS)
    2. QRadar Incident Forensics
  2. Advanced Fraud
    1. Trusteer Pinpoint
    2. Trusteer Mobile
    3. Trusteer Rapport
  3. Identity and Access
    1. Identity Governance and Access
    2. Privileged Identity Manager
    3. Cloud Identity Service
    4. zSecure
  4. Cloud Cloud Security
  5. Data and Apps
    1. Guardium
    2. Key Manager
    3. AppScan
  6. Mobile MaaS 360
  7. Endpoint BigFix
  8. Threat Intelligence X-Force Exchange
  9. Security Ecosystem App Exchange

The QRadar Ecosystem – Intelligent Detection

  1. Predict and prioritize security weaknesses
    • Gather threat intelligence information
    • Manage vulnerabilities and risks
    • Augment vulnerability scan data with context for optimized prioritization
    • Manage device configurations (firewalls, switches, routers, IPS/IDS)
  2. Detect deviations to identify malicious activity
    • Establish baseline behaviors
    • Monitor and investigate anomalies
    • Monitor network flows
  3. React in real time to exploits
    • Correlate logs, events, network flows, identities, assets, vulnerabilities, and configurations, and add context
    • Use automated and cognitive solutions to make data actionable by existing staff

What is Security Intelligence?

The real-time collection, normalization, and analytics of the data generated by users, applications, and infrastructure that impacts the IT security and risk posture of an enterprise

IBM QRadar Vulnerability Manager

Scan, assess, and remediate vulnerabilities

  • Contains an embedded, well proven, scalable, analyst recognized vulnerability detection engine that detects more than 70,000 vulnerabilities
  • Integrates into the QRadar ecosystem
  • Is present on all QRadar event and flow collector and processor appliances (QRadar 7.2 and up) as well as QRadar data nodes (QRadar 7.2.8 and up)
  • Integrates with endpoint management (IBM BigFix), web application security (IBM AppScan), database security (IBM Guardium), and network management (IBM Security SiteProtector)
  • Leverages QRadar Risk Manager to report which vulnerabilities are blocked by your IPS and FW
  • Uses QFlow report if a vulnerable application is active
  • Presents a prioritized list of vulnerabilities you should deal with as soon as possible

IBM QRadar Risk Manager

Scan, assess, and remediate risks

  • Network topology model based on security device configurations enables visualization of actual and potential network traffic patterns
  • Policy engine correlates network topology, asset vulnerabilities and configuration, and actual network traffic to quantify and prioritize risk, enabling risk-prioritized remediation and compliance checking, alerting, and reporting
  • Centralizes network security device configuration data and discovers configuration errors; monitors firewall rule activity
  • Models threat propagation and simulates network topology changes


Web-based command console for Security Intelligence

  • Delivers actionable insight, focusing security teams on high-probability incidents:Employs rules-based correlation of events, flows, assets, topologies, and vulnerabilities
  • Detects and tracks malicious activity over extended time periods, helping uncover advanced threats often missed by other solutions:Consolidates “big data” security incidents within purpose-built, federated database repository
  • Provides anomaly detection to complement existing perimeter defenses:Calculates identity and application baseline profiles to assess abnormal conditions
  • Provides deep visibility into network, user, and application activity
  • Provides reliable, tamper-proof log storage for forensic investigations and evidentiary use

QRadar embedded intelligence offers automated offense identification

  1. Extensive Data Sources
    1. Security devices
    2. Servers and mainframes
    3. Network and virtual activity
    4. Data activity
    5. Application activity
    6. Configuration information
    7. Vulnerabilities and threats
    8. Users and identities
    9. Global threat intelligence
  2. Correlation
    1. Logs/events
    2. Flows
    3. IP reputation
    4. Geographic location
  3. Activity baselining and anomaly detection
    1. User activity
    2. Database activity
    3. Application activity
    4. Network activity
  4. Offense identification
    1. Credibility
    2. Severity
    3. Relevance

QRadar embedded intelligence directs focus for investigations

Directed forensics investigations

  • Reduce time to resolution:Through intuitive forensic workflow
  • Use intuition more than technical training
  • Determine root cause and prevent recurrences

Benefits of IBM Security Intelligence approach using QRadar

  • Incident Forensics and Response
  • Compliance Reporting
  • Cognitive Security
  • User Behavior Analytics
  • Vulnerability and Risk Management
  • Threat and Anomaly Protection

Providing functional context

To enable security analysts to perform investigations, QRadar SIEM correlates information such as:

  • Point in time
  • Offending users
  • Origins
  • Targets
  • Asset information
  • Vulnerabilities
  • Known threats
  • Behavioral analytics
  • Cognitive analytics

Network flow analytics

  • Provides insight into raw network traffic:Attackers can interfere with logging to erase their tracks, but they cannot cut off the network (flow data)
  • Allows deep packet inspection for Layer 7 flow data:Pivoting, drill-down, and data-mining activities on flow sources allow for advanced detection and forensics
  • Helps to detect anomalies that might otherwise be missed
  • Helps to detect zero-day attacks that have no signature
  • Provides visibility into all attacker communications
  • Uses passive monitoring to build asset profiles and classify hosts
  • Improves network visibility and helps resolve traffic problems

Extensible functional architecture

  1. Cognitive Analytics
    1. QRadar Sense Analytics allows you to inspect events, flows, users, and more
    2. Speed analysis with visuals, query, and auto-discovery across the platform
    3. Augment your analysts’ knowledge and insights with QRadar Advisor with Watson
  2. Open Ecosystem
    1. IBM Security App Exchange provides access to apps from leading security partners
    2. Out-of-the-box integrations for 500+ third-party security products
    3. Open APIs allow for custom integrations and apps
  3. Deep Threat Intelligence and Analysis
    1. IBM X-Force Exchange helps you stay ahead of the latest threats and attacks
    2. Extend investigations to cyber threat analysis with i2 Enterprise Insight Analysis
    3. Powered by the X-Force Research team and 700TB+ of threat data
    4. Share data with a collaborative portal and STIX / TAXII standards


❤ Cyber Security | Safety is a priority.