Tuesday, November 20, 2012

McAfee Security Management


Say goodbye to silos that splinter your visibility. McAfee® Security Management solutions make security operations efficient and effective, integrating, automating, and correlating data and processes within each system and across the IT environment. Our open platform offers complete visibility into your security posture, proactive risk analytics, and integration of security and compliance with other business operations. You gain a coordinated and holistic approach to managing security that scales and adapts to any enterprise.

A sea of events. Reams of logs. Alerts galore. With changing threats and fluid business conditions, the IT world is a live situation room awash in information, but distributed across many different physical locations. Each administrator navigates a small portion of the security and compliance universe: mobile devices, endpoints, servers, network, email, web, or database. If they remain isolated, how can they collaborate to diagnose and resolve issues successfully? How can managers work together to prioritize, plan, and execute security projects that enable business agility? How can executives understand and manage overall risk?
Today’s enterprise requires a different approach to security management. It’s no longer simply enough to secure the data center or network perimeter or endpoint. Security needs to be wherever your assets are, connecting to give you visibility across all key business and operational processes. Maintaining security and demonstrating compliance requires harnessing intelligence and reducing friction throughout operations. Once your organization can keep up with change, you can get proactive about managing security and mitigating risk.

  1. McAfee Security Management - McAfee Security Management solutions merge security products, management, and real-time intelligence to make your security effective for your business. It starts with deep integration within the system stack and across the IT environment. We add global, contextual visibility into changing events—within and beyond your organization’s boundaries—and connect all your systems with a cross-product command and control core. To enhance situational awareness and support stronger countermeasures, our security management solutions assemble information into evidence, acting to block attacks and reduce vulnerability as risks change. Our solutions also provide crucial operational intelligence, organizing data and placing it in context for at-a-glance visibility across your IT infrastructure and easier proof of compliance. 
  2. See the situation - McAfee ePolicy Orchestrator® (McAfee ePO™) software and McAfee Enterprise Security Manager (McAfee ESM) extend visibility and control across your entire security, risk, and compliance management environment, including third-party solutions. Within a system, we connect visibility and protection from the lowest levels of the hardware and hypervisor up to the top of the system and the cloud. By connecting endpoints to networks, mobile devices, and data centers, McAfee Security Management products, including security information event management (SIEM) and vulnerability management, unify your view of events, risk, and threats.
  3. Assess what matters - We add intelligence to this integrated environment so you can decide how to protect your most critical assets. Our security management offerings organize ever-changing information about threats and vulnerabilities from McAfee Global Threat Intelligence™, McAfee Risk Advisor, McAfee ePO software, and McAfee ESM. You can see evolving threat, reputation, and vulnerability data correlated to dynamic events, users, systems, and countermeasures within your organization. It’s not just information, it’s wisdom. You can pinpoint network probing and active attacks from known bad actors and immediately shut them down. You can confirm or deny that a breaking threat might affect your most business-critical database by validating that you have relevant patches and behavioral shielding in place.
  4. Mitigate damage - Beyond helping you find out what’s happening, we also help you take action. The interlacing of realtime intelligence and risk management processes permits McAfee Security Management solutions to minimize the window of vulnerability and instantly block damaging attacks. Diagnostic services within McAfee ESM work constantly to assess the changing environment and launch automated responses or generate alerts based on risk and event thresholds, asset values, and organizational priorities. We draw your attention to the important events and give you the information to handle it quickly and accurately.
  5. Manage all the layers - This integrated, intelligent, active approach creates a security “command and control” core that spans devices, applications, networks, and databases. Deep, actionable integration within each system and across the environment provides a single lens to manage and report on your security state. Built for “Big Security Data,” McAfee solutions reliably handle increasing data volumes from expanding data streams. Not only do you have the horsepower to maintain a state-of-the-art picture of your organization’s risk posture, you also have access to “what if” technology unique to McAfee and click-through access to the details you need. For example, you can show management how the organization can improve its security posture by deploying specific countermeasures, such as white-listing. Integration with our McAfee Security Innovation Alliance partners allows for two-way conduits between security from McAfee and the rest of your IT and security world, supporting more efficient workflows, correlation, analysis, and reporting. You can extract more value from every investment—in products and operational resources.
  6. Comply Continuously - From policy creation leveraging standard content protocols to support for the Unified Compliance Framework, McAfee eases the burden of being a regulated business. You can leverage one infrastructure to achieve, monitor, and prove continuous compliance with hundreds of regulations.


Saturday, November 10, 2012

Q1 Radar SIEM in Action.


Results of several QRadar financial services deployments
QRadar is used by a large regional bank with over 500 branches in 10 western US states to centralize monitoring of their security infrastructure including firewalls, VPNs, and vulnerability scanners.
QRadar is used enterprise wide by a Fortune 100 Insurance company to centralize log management, protect against emerging network threats, and deliver specific security controls for SOX, GLBA and PCI.
QRadar is used by one of the world’s largest commodity market stock exchanges to implement enterprise-wide log management, centrally manage network threats and implement SOX-related security controls.
A leading financial and payment services company, with more than 3,000 customers, including three of the top 15 banks in the United States, deployed QRadar in just one day. QRadar has kept their entire infrastructure running securely, as well as helping meet compliance mandates for SOX, GLBA, PCI DSS, FFIEC and HIPAA.


Sample Customers
A sample list of Q1 Labs’ installed base of customers in the financial services industry includes ING Direct, Sungard, Zions Bancorporation, North Carolina State Employees Credit Union, S1 Corporation, Liberty Bank, West Coast Bank, La Roche and Co, State Auto Insurance and many others.
The job of delivering an effective IT security program is not trivial for organizations that provide financial services, including banks and insurance companies. The motivation for improving overall IT security comes from many directions, including operational improvement and compliance, but all lead in the same direction: protecting critical infrastructure assets and sensitive customer information.
Historically, enterprises have invested in many point solutions in an attempt to mitigate specific IT risks. Moving forward, organizations need to look at ways to capitalize on their existing investments and integrate the value from the information that these solutions already provide.
QRadar from Q1 Labs provides organizations with features to improve overall IT security and to meet specific regulatory mandates through an integrated approach to network security management, which provides unique and differentiated value in the areas of log management, threat management, and compliance management.

Friday, November 9, 2012

Compliance Management with Q1 Radar SIEM


QRadar brings to financial service organizations the transparency, accountability and measurability critical to the success of meeting regulatory mandates. QRadar’s unique correlation and integration of all surveillance feeds yields more accurate data for an operator (Transparency), more granular forensics for an incident response manager (Accountability), and more complete reporting for auditors (Measurability). Additionally, QRadar ships with thousands of report and rules templates, including specific requirements for SOX, GLBA, FFIEC, DFAS and PCI industry compliance mandates.

QRadar addresses many requirements of SOX, such as (SOX compliance rule indicated):
• SOX requirements (Sec 302 (a)(4)(C) and (D) - log-in/log-out monitoring): user access to the system must be recorded and monitored for possible abuse.
QRadar provides:
- Out-of-the-box as well as customizable access and authentication rules that allow easy detection of threatening or invalid access attempts.
- Deep forensic inspection views into all log data and network communications for monitoring and auditing all activity around an access offense.
- File integrity monitoring and notification through log analysis.
- Backup and archival of access audit trails.
The need to protect against cyber attacks, breaches, fraud and insider threats has increased the pressure on financial services organizations to ensure compliance and to manage costs and valuable personnel by automating resource-intensive security and compliance initiatives (SOX, GLBA, PCI, etc.).
QRadar’s automation of device discovery and data collection reduces time to value. By continuously identifying and profiling assets, both passively and actively, QRadar tunes the security system based on changes in services, vulnerabilities, systems, and identity. This automated updating of your security management reduces false positives and provides pinpoint identification of threats, prioritized by relevance, severity, and overall impact.
QRadar’s automation capabilities include:
• Auto Discovery provides constant detection and profiling of new assets (e.g. servers) that should be classified and assessed for regulatory compliance, reducing operational efforts and ensuring accurate threat identification of devices/services impacted.
• QRadar’s appliance-based architecture delivers tightly integrated high availability, and its extensible database is embedded in each appliance, negating the need for external relational databases that are expensive to deploy and maintain.
• Hundreds of pre-defined rules that detect prominent threats like bot infections, data leakage, and compliance violations
• Over 3500 predefined reports to provide visibility at all levels of an organization and support financial services compliance initiatives (all rules and reports are provided free to Q1 Labs customers, including regular updates)
• Threat monitoring that includes automatic updates of 3rd party threat data sources (including blacklisted networks, application detection, and geo-location data) as well as integration with IAMs to enable improved recognition and resolution of threats.
With support for approximately 200 products from virtually every leading vendor deployed in financial services networks, including devices from Cisco, Juniper, Nortel, Checkpoint, Oracle, Sun, Enterasys, Symantec, ISS/IBM, McAfee, Sourcefire, RSA, and many more, QRadar provides collection, analysis and correlation across a broad spectrum of systems including networked solutions, security solutions, servers, hosts, operating systems, and applications. In addition, the QRadar solution is easily extended to support proprietary applications and new systems.

Thursday, November 8, 2012

How to detect the most complex threats on financial service infrastructures


Leveraging its total visibility across systems, security devices, and the network, QRadar applies industry-leading event correlation, including behavior analysis, and intelligent application of context—network architecture, system profiles, identity information, and 3rd party security intelligence sources— to event data.
QRadar also surveys the organization’s entire network, using native flow sources in a customer’s routing/switching infrastructure or from distributed collectors to gather a detailed history of all network flow activity.

This unique integration of event information and flow activity delivers complete threat context before attacks occur, and comprehensive forensics afterward, to simply, accurately, and thoroughly respond to incidents and assess impact.
Log Management
In addition to in-depth understanding of network security, device configurations, and application behavior, QRadar provides an audit trail for demonstrating compliance, as well as access to historical log data. Log management is an important foundation for SOX compliance: you need to collect, store, and report on your event logs and prove that you have adequate controls in place.
QRadar provides integrated storage, and features to help guarantee the integrity of collected information. In addition to the critical log management capabilities of log collection, storage, and search, QRadar provides advanced leverage of all of the information collected through integrated, real-time event correlation, threat detection, and compliance reporting and auditing.
Threat and Fraud Management
Today’s criminals are not operating out of seedy boiler rooms. They are sophisticated and smart, continuously evolving their methods to keep pace with corporate technology advances and, with a low probability of being caught or prosecuted, the risk-reward scenario for cybercriminals is extremely attractive.
Regardless of the specific type of fraud committed, it is important to understand that fraud can be accomplished through a number of methods including phishing, skimming, hacking into databases and so on. These data breaches are not only serious security and regulatory risks, but the negative publicity that results from compromised data can be devastating for a financial services company. You need to protect the ultimate asset – your customers' trust.
QRadar can detect unauthorized access to systems and data to keep sensitive client information from being hacked, or otherwise compromised from both internal and external sources. To detect more complex cyber threats, QRadar leverages all available network activity data, including information segmented across different network and security solutions and operations teams, to uncover and track suspicious behavior.
QRadar’s broad visibility delivers the requisite surveillance on the network to detect today’s more sinister IT-based threats and deliver a manageable set of prioritized security threats along with the information necessary to remediate the situation. To quickly identify internal misuse, QRadar can integrate with a customer’s Identity and Access Management (IAM) solution, and analyze these data sources to develop a comprehensive picture of an asset’s user identity and behavior as well as vulnerability state, which is not available through IAM solutions alone.
Many financial services institutions have fraud detection capabilities in place for certain applications or sectors of their business. The overarching value of QRadar is its ability to tie intelligence from these solutions to the broader set of data collected from the entire enterprise infrastructure, presenting a more complete picture for security professionals and reducing operational complexity.

Wednesday, November 7, 2012

Q1 Radar SIEM For Financial Services Organizations


Through an integrated and heterogeneous approach to security intelligence, QRadar provides security monitoring and compliance validation, enhanced by intelligent real-time analysis of behavior, providing financial organizations with profiles of the behavior of systems, applications and users over their organization’s entire network.

Q1 Labs financial services customers use QRadar to solve their network security management challenges of:

  1. Log aggregation and analysis across many security technologies and vendors
  2. Threat monitoring and incident response for internal and external threat management, including information assurance and insider threat monitoring
  3. Compliance auditing, reporting, and validation initiatives driven by GLBA, SOX, PCI DSS, etc.

QRadar has successfully addressed these challenges for financial organizations by offering the most intelligent, integrated and automated security management solution in the industry.

  • Intelligent: With more data under surveillance and advanced analytic techniques, QRadar detects threats that others miss, providing visibility into network and application activity that others cannot match.
  • Integrated: Correlating information from security logs, network flow analysis, the application layer, IAM solutions, and asset-based vulnerability assessment in one comprehensive management solution.
  • Automated: Simple to deploy and manage, QRadar automates security and network device discovery as well as policy functions.

QRadar’s appliance-based architecture and embedded database removes the crushing complexity and costs that cripple the deployment and ongoing support of traditional SIEM and log management solutions.
Q1 Labs’ QRadar security information and event management (SIEM) solution is purpose built to integrate log management with SIEM in one solution, delivering massive log management scale without any compromise on SIEM “Intelligence”.
As a result, product acquisition, deployment, and operational costs are a fraction of alternative ‘point product’ solutions.

Tuesday, November 6, 2012

SIEM for the Financial Industry


Financial organizations are the principal targets for hackers, organized crime, and cybercriminals - and the increased sophistication and sheer numbers of their attacks have repeatedly demonstrated their ability to find and exploit vulnerabilities. As a result, even the best-defended networks continue to be penetrated. Not only are these organizations on the front lines of the computer security battle, they are members of one of the most heavily regulated industries in existence.

Organizations that provide financial services, including banks and insurance companies, face a significant challenge in securing their clients’ financial information and in meeting both internal and regulatory requirements.
Specific challenges faced by financial institutions include:

  1. Information Overload - Network and security teams are overwhelmed collecting and analyzing millions of daily network and security logs – resulting in missed threats, data theft, and unreasonable operational expenses.
  2. Compliance Audits - Enforcing internal security policies and meeting audit and regulatory requirements for existing and emerging regulations such as the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley (SOX), The Federal Financial Institutions Examination Council (FFIEC), Payment Card Industry Data Security Standard (PCI DSS) and Defense Finance and Accounting Service (DFAS). Monetary costs for privacy and security breaches go beyond the compliance penalties, to include card reissue costs for a banking institution breach.
  3. Cyber Threats - Protecting financial service infrastructures, including customer account information, from both insider threats and emerging complex threats, is an overwhelming task for network and security teams.

Thursday, November 1, 2012

The Business Value of Log Management Software - part 4

Start here, Part 2, Part 3

4. Risk Assessment and Management

Security intelligence provides the backbone for risk management through impact analysis and threat modeling. It is the difference between reacting to attacks on the network and proactively protecting your most important assets.
Impact analysis is based on the value an enterprise assigns to a particular asset and the negative consequences to the business if it is compromised. Security intelligence addresses this through asset and data discovery and classification to identify critical assets. Further, it answers questions such as: How exposed is the asset? Does it have direct access to the Internet? Does it have a known vulnerability for which there are known exploits?
Threat modeling takes all these factors into account and more, identifying not only vulnerabilities on the target system, but possible attack paths based on exploiting weaknesses between the target and the Internet -- poorly designed firewall rules, badly configured router ACLs, etc.

5. Regulatory Compliance

Compliance is a foundational use case for security intelligence. It addresses many compliance requirements, particularly all aspects of security monitoring. So, for example, security intelligence doesn't meet all your PCI requirements, but it does meet all your PCI monitoring requirements in a way that SIEM and log management alone cannot. Security intelligence provides the data that serves as a foundation to deliver and demonstrate audit requirements for all regulations.
By monitoring broadly across the IT infrastructure (events, configuration changes, network activity, applications, user activity), security intelligence consolidates compliance capabilities in a single product suite, rather than relying on multiple point products, each delivering its own piece of the audit puzzle.

Conclusion.

Security intelligence, like business intelligence, enables organizations to make smarter business decisions. It enables organizations to process more information, more efficiently across the entire IT infrastructure. Applying business intelligence technology literally enables organizations to do more with less: Instead of having analysts devote expensive hours manually poring through a fraction of the available data, business intelligence automates analysis across all available data and delivers role-based information specific to the task.
Information technology is, after all, about automating business processes: purchasing, logistics, ERP, etc. Security intelligence is about automating security: understanding risk, monitoring the infrastructure for threats and vulnerabilities, and prioritizing remediation.
By centralizing security tools and data from the IT infrastructure, security intelligence enables consolidated management and more efficient use of resources devoted to security. Organizations improve their security posture without additional operational and personnel costs and the expense of purchasing, maintaining and integrating multiple point products.
Security intelligence yields key benefits in business cost and efficiency:
  • Reduces cost associated with deployment and operation. Rather than add people, you free them to make security relevant to the business. 
  • Makes product acquisition simpler and cheaper. Enterprises purchase a single platform, rather than multiple products. 
  • Facilitates deployment through a unified platform rather than multiple products, which have to be integrated to even approach an acceptable security intelligence capability. 
  • Gives a broad class of organizations security capabilities that were formerly possible only for the most sophisticated enterprises. 
  • Automates the collection, normalization and analysis of massive amounts of security data from technical and organizational silos. This capability applies rich context to every analysis. 
  • Enhances threat detection, applying context to detect possible attacks that might go unnoticed by a particular security technology. 
  • Improves incident response through accurate and quick detection. 
  • Realizes staffing ROI. Organizations can implement new security services, such as world-wide threat monitoring, without additional manpower.
  • Empowers enterprises to run highly robust security programs, processing billions of records daily and producing a score or so of high-priority action items every 24 hours.
Forward-thinking organizations have recognized and embraced the value of business intelligence technology, as their success is predicated on the ability to analyze and act upon the essential information derived from staggering volumes of data. Similarly, security intelligence is essential because information security is integral to doing business in the 21st century. Powerful, automated analytics of centralized data from sources that cover the entire spectrum of the IT infrastructure make a high level of cost-effective security not only possible, but indispensable.

Wednesday, October 31, 2012

The Business Value of Log Management Software - part 3

Start here, Part 2

3. Fraud Discovery

Security intelligence is absolutely essential for effective fraud detection. The key ingredient, in addition to network telemetry, data from the switching and routing fabric, and the security device enforcement layer, is an understanding of the users and the application data.

Fraud detection requires monitoring of everything that goes on across the network: network activity and events, host and application activity, and individual user activity. Security intelligence allows you to bind the user to a particular asset. By tying together network, DNS server and application activity with directory information, for example, security intelligence can tie a specific user to a specific IP address for a specific VPN session.
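As an added illustration of the user-to-IP binding described above (example code written for this page, not Q1 Labs or QRadar code), the Python below joins VPN session records, a directory lookup and IP-only application audit events so that an action can be attributed to a person and checked against their role. All users, addresses and events are constructed, and the DNS feed the post mentions is left out for brevity.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


def _ts(value):
    """Accept either a datetime or an ISO-8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


@dataclass(frozen=True)
class VpnSession:
    user: str
    assigned_ip: str
    start: datetime
    end: Optional[datetime]  # None means the session is still up


# Constructed VPN concentrator records (hypothetical users, RFC 1918 pool).
# Note that 10.8.0.23 is handed to two different users on the same day,
# which is why a bare IP address is not an identity.
VPN_SESSIONS = [
    VpnSession("jdoe", "10.8.0.23", _ts("2012-10-30T08:02:00"), _ts("2012-10-30T11:40:00")),
    VpnSession("asmith", "10.8.0.23", _ts("2012-10-30T12:05:00"), _ts("2012-10-30T17:30:00")),
    VpnSession("rlee", "10.8.0.41", _ts("2012-10-30T09:15:00"), None),
]

# Constructed directory (LDAP-style) attributes for the same users.
DIRECTORY = {
    "jdoe": {"department": "Wire Transfers", "title": "Clerk"},
    "asmith": {"department": "IT Operations", "title": "Sysadmin"},
    "rlee": {"department": "Retail Banking", "title": "Teller"},
}

# Constructed application audit events that carry only a source IP.
APP_EVENTS = [
    {"ts": "2012-10-30T10:30:00", "src_ip": "10.8.0.23", "action": "wire.approve", "amount": 48000},
    {"ts": "2012-10-30T16:10:00", "src_ip": "10.8.0.23", "action": "wire.approve", "amount": 52000},
    {"ts": "2012-10-30T13:00:00", "src_ip": "10.8.0.99", "action": "wire.approve", "amount": 1200},
]


def session_for(ip, at, sessions=VPN_SESSIONS):
    """Return the VPN session that held `ip` at time `at`, or None.

    Addresses are reused, so the timestamp is part of the lookup key."""
    at = _ts(at)
    for s in sessions:
        if s.assigned_ip == ip and s.start <= at and (s.end is None or at <= s.end):
            return s
    return None


def bind_user(ip, at, sessions=VPN_SESSIONS, directory=DIRECTORY):
    """Enrich an IP-only event with the user and their directory context."""
    s = session_for(ip, at, sessions)
    if s is None:
        return None
    attrs = directory.get(s.user, {})
    return {"user": s.user, "ip": ip, "session_start": s.start.isoformat(),
            "department": attrs.get("department"), "title": attrs.get("title")}


def flag_out_of_role(events=APP_EVENTS, allowed=("Wire Transfers",)):
    """Return (event, reason) pairs for actions performed by users outside the
    allowed departments, or from addresses with no VPN session at that time."""
    flagged = []
    for e in events:
        who = bind_user(e["src_ip"], e["ts"])
        if who is None:
            flagged.append((e, "no VPN session held this address at event time"))
        elif who["department"] not in allowed:
            flagged.append((e, f"{who['user']} is in {who['department']}, not an allowed department"))
    return flagged


if __name__ == "__main__":
    for event, reason in flag_out_of_role():
        print(event["ts"], event["src_ip"], event["action"], "->", reason)
```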

Tuesday, October 30, 2012

The Business Value of Log Management Software - part 2

Start here

2. Threat Detection

In a few short years, as enterprises have opened themselves to Internet-based commerce and remote users, security has moved from a perimeter-based model with all policy centered on the firewall to distributed security. Security is now focused on hosts, applications and the content of information moving out of the organization.
Moreover, we’re seeing growing incidence of highly targeted attacks, such as the attacks on NASDAQ and other high-profile companies. Sophisticated, targeted intrusions are typically multi-staged and multifaceted, difficult to detect and very difficult to eradicate; advanced persistent threats (APT) are characterized by the tenacity of the attackers and resources at their disposal.

An over-arching intelligence should be applied to the diverse security technologies that have been developed in response to the evolving threat landscape. As noted in the discussion of security context, an activity that appears innocuous to one part of an infrastructure may be revealed as a threat when that data is correlated with other sources. So, for example, an attacker may disable logging, but can’t shut down network activity. Proprietary applications may not produce logs; some parts of the network may be without firewalls. Security intelligence can still identify the applications and services running between that host and the network in these cases and flag a potential threat.
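The observation that an attacker can disable logging but cannot hide network activity can be turned into a concrete check, shown here as an added example (not code from the original post or any vendor): hosts whose syslog feed has gone quiet while flow records still show them sending traffic. Host names, timestamps, the documentation-range external addresses and the 30-minute silence threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta


def _ts(value):
    """Accept either a datetime or an ISO-8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


# Constructed syslog arrivals: (host, timestamp). Hypothetical hostnames.
SYSLOG = [
    ("web01", "2012-10-30T09:00:00"), ("web01", "2012-10-30T09:05:00"),
    ("web02", "2012-10-30T09:00:00"), ("web02", "2012-10-30T09:55:00"),
    ("db01", "2012-10-30T09:58:00"),
]

# Constructed flow records: (src_host, dst_ip, dst_port, bytes_out, timestamp).
# 203.0.113.0/24 is a documentation range standing in for external hosts.
FLOWS = [
    ("web01", "203.0.113.5", 443, 120_000, "2012-10-30T09:30:00"),
    ("web01", "203.0.113.5", 443, 950_000, "2012-10-30T09:50:00"),
    ("web02", "10.0.0.7", 3306, 4_000, "2012-10-30T09:50:00"),
    ("db01", "10.0.0.7", 3306, 2_000, "2012-10-30T09:59:00"),
    ("app03", "203.0.113.9", 22, 300_000, "2012-10-30T09:40:00"),  # never logged at all
]


def last_log_time(syslog=SYSLOG):
    """Most recent log arrival per host."""
    last = {}
    for host, ts in syslog:
        ts = _ts(ts)
        if host not in last or ts > last[host]:
            last[host] = ts
    return last


def silent_but_active(syslog=SYSLOG, flows=FLOWS, now="2012-10-30T10:00:00",
                      silence=timedelta(minutes=30)):
    """Hosts that have sent no log for at least `silence` (or have never logged)
    yet still appear as the source of flows after their last log.

    Returns one summary dict per host, largest outbound byte count first."""
    now = _ts(now)
    last = last_log_time(syslog)
    flagged = {}
    for host, dst, port, nbytes, ts in flows:
        ts = _ts(ts)
        if ts > now:
            continue  # flow is outside the evaluation window
        last_seen = last.get(host)
        if last_seen is not None and (now - last_seen) < silence:
            continue  # logging is current; nothing to flag
        if last_seen is not None and ts <= last_seen:
            continue  # flow predates the silence, so it is not evidence
        entry = flagged.setdefault(host, {
            "host": host,
            "last_log": last_seen.isoformat() if last_seen else None,
            "flows": 0, "bytes_out": 0, "destinations": set(),
        })
        entry["flows"] += 1
        entry["bytes_out"] += nbytes
        entry["destinations"].add(f"{dst}:{port}")
    return sorted(flagged.values(), key=lambda e: e["bytes_out"], reverse=True)


if __name__ == "__main__":
    for e in silent_but_active():
        print(f"{e['host']}: last log {e['last_log']}, {e['flows']} flows, "
              f"{e['bytes_out']} bytes to {sorted(e['destinations'])}")
```

A host that has never logged at all (app03 above) is reported too, since a source that produces flows but no logs is just as much a blind spot as one that stopped.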

Monday, October 29, 2012

The Business Value of Log Management Software

One of the most compelling arguments for security intelligence is operational efficiency: better use of people, time and infrastructure. It’s the ability to incorporate several security and network technologies into an integrated system rather than products operating independently.
The focus on security intelligence is particularly relevant as operational responsibility for security is increasingly being placed in the hands of the network operations teams. It makes sense to mirror this consolidation of operational responsibilities with consolidation at the intelligence layer. Think in terms of enabling multiple tasks in a single platform and cross-functional development of skills across the organization, and then deploying access based on roles.

Further, security intelligence adds value in other areas of IT, such as troubleshooting system problems, network issues, and user support and authorization analysis.
Security intelligence enables organizations to use integrated tools across a common framework, and leverage a unified data set to address problems along the entire security spectrum. This can be illustrated in five of the most prominent use cases in which security intelligence provides high value.

1. Consolidating Data Silos

Without automated technology, business intelligence analytics are difficult to execute. The data to enable you to understand inventory returns, supply chains, etc., is available, but is siloed in different applications and databases. It falls upon the analyst to compile data from all those sources and pour them into spreadsheets or databases to perform manual analysis. Security analysis poses similar problems, and security intelligence provides similar efficiencies. From a security perspective, data can exist in three types of silos:
  1. Data locked up in disparate security devices, applications and databases
  2. Data that’s collected from point products, applications, etc., creating, in effect, yet another silo. It’s another database where that data is stored, but there’s no communication, no coordination between it and, for example, your configuration database
  3. Organizational silos of data segregated by business unit, operations group, department, etc.
In the first two cases, security intelligence breaks down the silos by integrating data feeds from disparate products into a common framework for automated analysis across different security and IT technologies. From a security perspective, this brings in all the enhanced detection and risk assessment capabilities the consolidated telemetry of security intelligence can deliver. From a CIO perspective, the reduction of these silos enables the rationalization of security products that would otherwise have to be managed on a point product basis. The third case requires considerable cooperation among groups that are typically separated, meaning a realigning of processes and responsibilities, and perhaps, some pressure exerted by management.
The crushing cumulative volume of all this disparate data exacerbates the problem exponentially. Each of these silos can create enormous volumes of data, in different formats, for different purposes and, in some cases, different policies, and even compliance requirements. Only automated security intelligence can effectively manage petabytes of security-related data and analyze it across organizational and operational silos.

Sunday, October 28, 2012

Moving Beyond Log Management and SIEM

The concept of security intelligence is partially realized in security information and event management (SIEM) tools, which correlate and analyze aggregated and normalized log data. Log management tools centralize and automate the query process, but lack the flexibility, and sophisticated correlation and analysis capabilities of SIEM and, ultimately, security intelligence.
But SIEM should be regarded as a waypoint rather than a destination. The end goal is comprehensive security intelligence. SIEM is very strong from an event management perspective and plays a particularly important role in threat detection. Comprehensive security intelligence must encompass and analyze a far broader range of information: it requires continuous monitoring of all relevant data sources across the IT infrastructure and evaluating information in contexts that extend beyond typical SIEM capabilities.

Security intelligence should include a much broader range of data, leveraging the full context in which systems are operating. That context includes, but is not limited to: security and network device logs; vulnerabilities; configuration data; network traffic telemetry; application events and activities; user identities; assets, geo-location and application content.
This produces a staggering amount of data. The value of security intelligence lies in using that data to establish very specific context around each potential area of concern and running sophisticated analytics over it to accurately detect more, and different, types of threats.

For example, a potential exploit of a Web server reported by an IDS can be validated by unusual outbound network activity detected by a network behavioral anomaly detection (NBAD) capability, and vice versa: either source can corroborate the other.
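The IDS-plus-NBAD corroboration described above, written out as an added example (not code from the original post or from any vendor product). The two event feeds are constructed sample records already normalized to a common schema; the host addresses, field names, 30-minute window and 10x-baseline threshold are assumptions chosen for illustration.

```python
"""Corroborating an IDS web-server alert with an NBAD outbound anomaly.

Added example, not code from the original post. The event records below are
constructed sample data in an already-normalized schema; the field names,
hosts and thresholds are assumptions.
"""
from datetime import datetime, timedelta

# Constructed IDS alerts: a possible exploit attempt against two web servers.
IDS_ALERTS = [
    {"ts": "2012-10-28T09:14:02", "host": "10.0.5.21", "severity": 5,
     "sig": "HTTP: remote file include attempt"},
    {"ts": "2012-10-28T09:40:10", "host": "10.0.5.22", "severity": 5,
     "sig": "HTTP: directory traversal attempt"},
]

# Constructed NBAD findings: observed outbound bytes vs. the host's learned baseline.
NBAD_ANOMALIES = [
    {"ts": "2012-10-28T09:16:45", "host": "10.0.5.21",
     "baseline_bytes": 2_000_000, "observed_bytes": 950_000_000},
    {"ts": "2012-10-28T15:02:00", "host": "10.0.5.22",
     "baseline_bytes": 1_000_000, "observed_bytes": 1_200_000},
]


def _ts(s):
    return datetime.fromisoformat(s)


def corroborate(ids_alerts, nbad_anomalies, window=timedelta(minutes=30), min_ratio=10.0):
    """Pair each IDS alert with NBAD anomalies on the same host within +/- window.

    The match is symmetric: an anomaly seen shortly before the IDS alert counts
    as well as one seen after it, so either source can validate the other.
    A corroborated alert is escalated; an uncorroborated one keeps its
    original severity so it stays visible, just lower in the queue.
    """
    offenses = []
    for alert in ids_alerts:
        evidence = []
        for anomaly in nbad_anomalies:
            if anomaly["host"] != alert["host"]:
                continue
            if abs(_ts(anomaly["ts"]) - _ts(alert["ts"])) > window:
                continue
            ratio = anomaly["observed_bytes"] / anomaly["baseline_bytes"]
            if ratio < min_ratio:
                continue  # within normal variation, not corroborating evidence
            evidence.append({"source": "NBAD", "ts": anomaly["ts"], "ratio": round(ratio, 1)})
        offenses.append({
            "host": alert["host"],
            "trigger": alert["sig"],
            "severity": 9 if evidence else alert["severity"],  # escalation weight is assumed
            "corroborated": bool(evidence),
            "evidence": evidence,
        })
    # Highest severity first: the corroborated offense rises to the top of the queue.
    return sorted(offenses, key=lambda o: o["severity"], reverse=True)


if __name__ == "__main__":
    for offense in corroborate(IDS_ALERTS, NBAD_ANOMALIES):
        print(offense)
```

The 10.0.5.21 alert is followed three minutes later by a 475x jump in outbound traffic and is escalated; the 10.0.5.22 alert has only a 1.2x outbound blip six hours later and keeps its base severity. In a real deployment the same logic would consume normalized events from the SIEM pipeline rather than inline lists.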

Or, you have a report that a server has a potential vulnerability that has just been disclosed. But it’s one of hundreds in your organization, so how do you evaluate the threat for this particular server? Security intelligence can analyze all available data and tell you:

  1. The presence or absence of the vulnerability;
  2. The value the organization assigns to the asset and/or data;
  3. The likelihood of exploit based on attack path threat models;
  4. Configuration information, which may indicate, for example, that the server is not accessible because a default setting has been changed;
  5. The presence of protective controls, such as an IPS.
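The five-point evaluation above, carried through for one disclosed vulnerability across a small server fleet, as an added example (not code from the original post or from any product). The server records, asset values, attack-path flags and the weighting scheme are constructed assumptions; a real deployment would take these from scanner, CMDB, attack-path and IPS-policy feeds rather than an inline list.

```python
"""Prioritizing one newly disclosed vulnerability across a server fleet using
the five data points listed above.

Added example, not code from the original post. Server records, asset values
and the weighting scheme are constructed assumptions, not any product's
actual scoring model.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ServerContext:
    name: str
    vulnerable: bool                 # 1. vulnerable version confirmed present by scanner/inventory
    asset_value: int                 # 2. value assigned to the asset/data, 1 (low) .. 5 (critical)
    reachable_from_untrusted: bool   # 3. attack-path model: exposed to Internet/untrusted zones
    service_enabled: bool            # 4. configuration: is the vulnerable service actually listening
    controls: List[str] = field(default_factory=list)  # 5. controls covering this issue, e.g. an IPS signature


def risk_score(ctx: ServerContext) -> Tuple[int, str]:
    """Return (score 0..100, one-line justification) for a single server."""
    if not ctx.vulnerable:
        return 0, "vulnerable version not present"
    if not ctx.service_enabled:
        return 0, "vulnerable service disabled by configuration; patch at leisure"
    # Likelihood: directly reachable hosts are assumed attackable now; internal
    # hosts need a prior foothold, so they get a lower (assumed) weight.
    likelihood = 1.0 if ctx.reachable_from_untrusted else 0.3
    # Each compensating control halves the likelihood (assumed weighting).
    likelihood *= 0.5 ** len(ctx.controls)
    score = round(ctx.asset_value * 20 * likelihood)
    why = "internet-exposed" if ctx.reachable_from_untrusted else "internal only"
    if ctx.controls:
        why += ", mitigated by " + ", ".join(ctx.controls)
    return score, why


def prioritize(fleet: List[ServerContext]):
    """Score every server and return (name, score, why) tuples, highest risk first."""
    scored = [(s.name, *risk_score(s)) for s in fleet]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed fleet for the example.
FLEET = [
    ServerContext("web-dmz-01", True, 4, True, True),
    ServerContext("web-dmz-02", True, 4, True, True, ["IPS signature for this issue"]),
    ServerContext("db-int-07", True, 5, False, True),
    ServerContext("app-int-12", True, 3, True, False),
    ServerContext("build-01", False, 2, False, True),
]

if __name__ == "__main__":
    for name, score, why in prioritize(FLEET):
        print(f"{score:3d}  {name:12s} {why}")
```

The output answers the question posed above for each server: the exposed, unprotected DMZ host comes first, its IPS-covered twin drops to half the score, the high-value but internal database follows, and the two servers where the vulnerability is absent or the service is switched off fall to zero.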

Or, consider the insider threat. The 250,000 diplomatic cables given to WikiLeaks were obtained by a user, Pfc. Manning, who was acting within authorized privileges. Any single security mechanism would likely fail to detect this kind of action, because each individual access was permitted; analysis of correlated data, applying context from multiple sources, may have flagged the pattern and stopped the leak before it could cause damage.
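How stacking contexts exposes an insider whose every individual access is authorized, as an added example (not code from the original post or from any product). The document-repository access records, roles, HR statuses and the 5x-peer-median threshold are constructed assumptions; in practice the HR status and role would come from an identity management feed and the access counts from application logs.

```python
"""Insider-threat detection by stacking contexts: access volume against a
peer-group baseline, time of day, and HR status.

Added example, not code from the original post. The access records, roles,
HR statuses and thresholds are constructed assumptions; no single record is
unauthorized on its own, which is the point.
"""
from collections import defaultdict
from statistics import median

# Constructed access records: (user, role, day, docs_retrieved, off_hours)
ACCESS = [
    ("ana1", "analyst", "d1", 40, False), ("ana1", "analyst", "d2", 50, False),
    ("ana2", "analyst", "d1", 45, False), ("ana2", "analyst", "d2", 38, False),
    ("ana3", "analyst", "d1", 52, False), ("ana3", "analyst", "d2", 47, False),
    ("bulk", "analyst", "d1", 44, False), ("bulk", "analyst", "d2", 2400, True),
    ("curious", "analyst", "d1", 41, False), ("curious", "analyst", "d2", 330, False),
]

# Constructed identity/HR context (the kind of feed an IAM integration supplies).
HR_STATUS = {"ana1": "active", "ana2": "active", "ana3": "active",
             "bulk": "resignation_notice", "curious": "active"}


def peer_baseline(records, user, role):
    """Median daily volume of the user's peers (same role, the user excluded).

    The median rather than the mean keeps one outlier peer from hiding another.
    """
    peers = [n for u, r, _day, n, _off in records if r == role and u != user]
    return median(peers)


def flag_insiders(records, hr, ratio_threshold=5.0):
    """Return {user: {"score": n, "reasons": [...]}} for users whose worst day
    exceeds ratio_threshold x their peers' median. Each further corroborating
    context (off-hours activity, non-active HR status) adds one to the score,
    so a bulk puller who is leaving the company outranks a merely curious one."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec[0]].append(rec)
    flagged = {}
    for user, recs in by_user.items():
        role = recs[0][1]
        worst = max(recs, key=lambda r: r[3])
        baseline = peer_baseline(records, user, role)
        ratio = worst[3] / baseline
        if ratio < ratio_threshold:
            continue  # volume alone is unremarkable; nothing to correlate
        reasons = [f"retrieved {worst[3]} docs on {worst[2]}, {ratio:.1f}x peer median"]
        if worst[4]:
            reasons.append("activity outside business hours")
        status = hr.get(user, "unknown")
        if status != "active":
            reasons.append(f"HR status: {status}")
        flagged[user] = {"score": len(reasons), "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for user, finding in sorted(flag_insiders(ACCESS, HR_STATUS).items(),
                                key=lambda kv: kv[1]["score"], reverse=True):
        print(user, finding)
```

Both "bulk" and "curious" exceed the volume threshold, but only "bulk" also shows off-hours activity and a pending departure, so it scores 3 to the other's 1. None of the three signals is a policy violation by itself; the correlation is what makes the case actionable.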



Saturday, October 27, 2012

Log Management Solutions

Security intelligence, built on the same concepts that have made business intelligence an essential enterprise technology, is the critical next step for organizations that recognize the importance of information security to their business health.

Too often, the response to new security threats is a “finger in the dam” approach with a particular point technology or reactive new policies or rules.
This is in large part because a unified security program, based on automated analysis of unified information from across the IT infrastructure, is costly, complex, difficult to implement and inefficient. As a result, most organizations lack accurate threat detection and informed risk management capabilities.
In this series of posts, you will learn how security intelligence addresses these shortcomings and empowers organizations from Fortune Five companies to mid-sized enterprises to government agencies to maintain comprehensive and cost-effective information security. In particular, we will show how security intelligence addresses critical concerns in five key areas:
  1. Data silo consolidation
  2. Threat detection
  3. Fraud discovery
  4. Risk assessment and management
  5. Regulatory compliance
Why Security Intelligence?
High-performance enterprises excel in business in large part because they know how to put their information to work. Aided by the automated use of business intelligence technology, they apply analytics to extract maximum value from the massive amounts of data available to them.
The same approach should be applied to securing that information by implementing a security intelligence program. Just as business intelligence helps enterprises make decisions that maximize opportunities and minimize business risks, security intelligence enables them to better detect threats, identify security risks and areas of noncompliance, and set priorities for remediation.
The case for business intelligence is compelling. It enables organizations to support their critical decision-making by automating the data analysis processes at a level that manual analysis can scarcely approach. By applying computer-based business analytics to their unique environments, successful organizations derive the greatest possible value from their amassed terabytes and petabytes of data, from sales revenue and customer demographics to the cost of shipping and raw materials.

The case for security intelligence is equally, if not more, compelling. Enterprises and government organizations have vast quantities of data that can help detect threats and areas of high risk, if they have the means and the commitment to collect, aggregate and, most importantly, analyze it. This data comes not only from point security products, but also from sources such as network device configurations, servers, network traffic telemetry, applications, and end users and their activities.
Security intelligence reduces risk, facilitates compliance, shows demonstrable ROI and maximizes investment in existing security technologies. By analogy to business intelligence, the goals of security intelligence are to:
  • Distill large amounts of information into an efficient decision-making process, reducing a billion pieces of data to a handful of action items.
  • Operationalize data collection and analysis through automation and ease of use.
  • Deliver high-value applications that help organizations derive the most benefit from their data to understand and control risk, detect problems and prioritize remediation.
  • Validate that you have the right policies in place.
  • Assure that the controls you have implemented are effectively enforcing those policies.
Organizations have a long way to go in understanding their IT security environment. Consider a 2010 survey by CSO magazine, sponsored by Deloitte, which reported that seven in 10 security incidents are never reported. According to Deloitte, indications are that in most cases the victim organizations are not even aware they have been compromised.

Friday, October 26, 2012

Q1 RADAR Log Manager

QRadar SIEM excels at collecting, correlating and reporting on diverse activity. In this demo, we look at how the integration of identity and access management data enables real-time user activity monitoring. You'll see how QRadar can identify risky or abnormal activity of user groups such as employees with privileged access, contractors, or terminated employees.