Using QRadar for LGPD

Transcript of Using QRadar for LGPD

IBM Security / © 2019 IBM Corporation

QRadar and LGPD

Caroline Fortunato
Client Technical Professional – Threat Management

19 July 2019

Extend clarity around incidents and risks with in-depth forensics data

(Diagram: extensive data sources feed embedded intelligence, which produces prioritized incidents)

IDENTIFICATION

• Data collection, storage, and analysis
• Real-time correlation and threat intelligence
• Automatic asset, service and user discovery and profiling
• Activity baselining and anomaly detection

REMEDIATION

• Incident forensics
• Around-the-clock management, monitoring and protection
• Incident response

IBM QRadar component architecture

(Architecture diagram; components shown:)

• IBM QRadar Security Intelligence (console)
• IBM QRadar Data Node
• IBM QRadar Processor
• IBM QRadar Collector
• IBM QRadar Network Insights
• IBM QRadar Scanner
• IBM QRadar Forensics
• IBM QRadar Packet Capture
• IBM QRadar App Node
• Deployed in the cloud (label on the collector tier of the diagram)

QRadar Security Intelligence Platform

DEPLOYMENT MODELS: on prem, as a service, cloud, hybrid

USE CASES: unlimited logging; advanced threat detection; insider threat detection; risk & vulnerability management; critical data & GDPR; incident response; cloud security; compliance

ANALYTICS ENGINE: machine learning; powerful search; behavioral analytics; artificial intelligence; threat hunting; security analytics; real-time detection & user-driven analytics

DATA STORE: endpoint; network insights; cloud; applications; identity; vulnerabilities; configuration; assets; 3rd-party data stores

IBM Security App Exchange: collaboration platforms; X-Force Exchange; automation, dashboards, visualizations, workflows, reporting

QRadar App Framework underlies development and sharing

QRadar API Components

Open APIs for rapid innovation and creation

(Diagram labels: new analytics, reports, data sources, new properties, event types, GUI, app assets, threat intel, rules, searches, responses, behavioral rules, dashboards, reference data, scanning, incidents)

Use cases: insider threats, Internet of Things, incident response, cybersecurity

IBM Security App Exchange

A Platform for Security Intelligence Collaboration

Single collaboration platform for rapidly delivering new apps and content for IBM Security solutions

§ More flexibility and less complexity
§ Economic and operational benefit
§ Seamlessly integrated workflow
§ Bundled components support new use cases

VALIDATED CONTENT

– Tested, validated content minimizing risk, ensuring consistency and quality

INNOVATION

– New agile capabilities from partners, IBM, Security research and other vendors

DIFFERENTIATION

– Enables service provider and business partner value add and differentiation

SPEED

– Jump start security operations with feature-rich extensions and integrations

LGPD Regulation: What is it?

• Ensures the right to privacy and the protection of users' personal data
• Establishes clear rules on the processing of personal data
• Promotes economic and technological development
• Establishes uniform, harmonised rules on the processing of personal data
• Promotes competition and free economic activity, including data portability
• Non-compliance can result in fines of up to 2% of the company's revenue in Brazil in the previous fiscal year, capped at R$ 50 million per infraction

LGPD Regulation: To whom does it apply?

• The LGPD regulates any activity that involves the processing of personal data, including in digital media, by a natural person or legal entity, regardless of where that entity is headquartered or where the data are located, provided that:

1. the processing operation is carried out in the national territory;
2. the purpose of the processing activity is the offer or supply of goods or services to, or the processing of data of, individuals located in the national territory; or
3. the personal data being processed were collected in the national territory.

How can QRadar help?

• Collecting data from the log sources where personal data is registered, accessed, transmitted and stored
• Correlating data to discover whether sensitive and personal data is being stored in, or transferred to, other locations
• Correlating data to find personal data being accessed without the user's approval or permission
• Managing which users have consented to their data being stored and used for marketing and other digital merchandising, and which have not
• Detecting exfiltration, or attempted exfiltration, of personal data

Example use case: GDPR / LGPD

§ Monitor sensitive data sources
§ Detect users who must be monitored because they have requested deletion of their data
§ Reference Set holding the list of monitored (objecting) users
§ Reports that show the users and data sources critical for GDPR and LGPD
§ Dashboards to monitor transactional activity

(The QRadar API components diagram is reused on this slide; use cases shown: objecting users, Internet of Things, incident response, GDPR)


Enabling greater flexibility and less complexity

IBM App Exchange: GDPR App

A GDPR app is already available on the IBM Security App Exchange

Use Cases LGPD

User data being accessed after the user asks for their personal data to be deleted:

1. The user requests that their personal data be deleted
2. The data is deleted from the main system and kept only for compliance purposes
3. Attendants access data belonging to users on the list of objecting users
4. An offense is triggered

Use case LGPD: Data Being Accessed without the User's Permission

QRadar principles that allow this use case to be met

Data Collection and Normalization

- QRadar collects data from all log sources
- QRadar normalizes the collected data into fields
- QRadar allows custom fields to be created and metadata to be extracted that would not be parsed natively

Correlation Rules That Trigger an Action

- QRadar allows rules to be tested against the collected data and to generate an offense
- If a rule is triggered, QRadar can start an action (add one or more fields to a list, send an email, generate an event, etc.)

Reference Data

- Reference data is a collection of lists that can contain predefined values or values added dynamically by rules
- Reference data can have one or multiple fields (Reference Sets, Reference Maps, Reference Tables, etc.)

Step 1: The user asks to be deleted from the database; the logs are collected and normalized by QRadar, with a custom field extraction for the user identifier
Step 2: A correlation rule adds the user to a Reference Set
Step 3: Verify that the user was added to the Reference Set
Step 4: Detect users accessing the restricted user's data
Step 5: The user executes a non-compliant action and generates an offense
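The five steps above, as an added example that is not part of the original deck and not QRadar's own rule engine: a small Python simulation of the same three principles. Raw log lines are normalized into fields, a regex "custom property" extracts the data subject (Step 1), a first rule adds deletion requesters to a reference set (Steps 2 and 3), and a second rule raises an offense when an attendant reads a record of someone in that set (Steps 4 and 5). The log lines, log source names, the PersonalDataSubject property, the LGPD_Objected_Users set and the compliance-role exemption are all constructed for this illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample log lines (not real QRadar data): a privacy portal that records
# deletion requests and a CRM audit log that records record reads, in the form
# <ISO timestamp> <log source> key=value ...
SAMPLE_LOGS = [
    "2019-07-19T10:00:30Z crm-app action=record_read actor=attendant12 subject=ana.costa@example.com",
    "2019-07-19T10:01:12Z privacy-portal action=delete_request user=maria.silva@example.com channel=web",
    "2019-07-19T10:05:40Z crm-app action=record_read actor=attendant07 subject=joao.souza@example.com",
    "2019-07-19T10:09:03Z crm-app action=record_read actor=attendant07 subject=maria.silva@example.com",
    "2019-07-19T10:12:55Z privacy-portal action=delete_request user=ana.costa@example.com channel=phone",
    "2019-07-19T10:15:20Z crm-app action=record_read actor=attendant12 subject=ana.costa@example.com",
    "2019-07-19T10:20:00Z crm-app action=record_read actor=dpo01 role=compliance subject=maria.silva@example.com",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<log_source>\S+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
# Step 1, custom property extraction: the data subject is not a native field, so a
# regex pulls it from either user= (portal) or subject= (CRM) into PersonalDataSubject.
SUBJECT_RE = re.compile(r"\b(?:user|subject)=(\S+)")


def normalize(line: str) -> Dict[str, str]:
    """One raw line -> dict of fields, like QRadar's parsed event plus the custom property."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsed line: {line!r}")
    event = {"timestamp": m["ts"], "log_source": m["log_source"]}
    event.update(KV_RE.findall(m["rest"]))
    subj = SUBJECT_RE.search(m["rest"])
    if subj:
        event["PersonalDataSubject"] = subj.group(1)
    return event


@dataclass
class Context:
    """Reference data (one reference set) plus the offenses raised so far."""
    objected_users: Set[str] = field(default_factory=set)               # reference set LGPD_Objected_Users
    offenses: List[Tuple[str, str, str]] = field(default_factory=list)  # (timestamp, actor, subject)


# Step 2: a deletion request adds the requester to the reference set.
def is_deletion_request(ev: Dict[str, str], ctx: Context) -> bool:
    return (ev["log_source"] == "privacy-portal" and ev.get("action") == "delete_request"
            and "PersonalDataSubject" in ev)


def add_to_reference_set(ev: Dict[str, str], ctx: Context) -> None:
    ctx.objected_users.add(ev["PersonalDataSubject"])


# Step 4: a read of a record whose subject is in the reference set (the membership
# test is Step 3). Reads made for compliance purposes are exempt, because the data is
# retained only for that purpose (assumption made for this example).
def is_restricted_access(ev: Dict[str, str], ctx: Context) -> bool:
    return (ev["log_source"] == "crm-app" and ev.get("action") == "record_read"
            and ev.get("PersonalDataSubject") in ctx.objected_users
            and ev.get("role") != "compliance")


# Step 5: the non-compliant read generates an offense.
def raise_offense(ev: Dict[str, str], ctx: Context) -> None:
    ctx.offenses.append((ev["timestamp"], ev.get("actor", "unknown"), ev["PersonalDataSubject"]))


# Correlation rules as (test, action) pairs, evaluated in order for every event.
RULES = [(is_deletion_request, add_to_reference_set), (is_restricted_access, raise_offense)]


def run_pipeline(lines: List[str]) -> Context:
    """Normalize every line, then evaluate the rules in timestamp order."""
    ctx = Context()
    for ev in sorted((normalize(l) for l in lines), key=lambda e: e["timestamp"]):
        for test, action in RULES:
            if test(ev, ctx):
                action(ev, ctx)
    return ctx


if __name__ == "__main__":
    result = run_pipeline(SAMPLE_LOGS)
    print("LGPD_Objected_Users =", sorted(result.objected_users))
    for ts, actor, subject in result.offenses:
        print(f"OFFENSE {ts}: {actor} read data of {subject}")
```

Two details matter when turning this into real QRadar content: the rules must run in event-time order, so a read that happened before the deletion request (the first constructed line) is correctly not an offense, and the reference set is the only state shared between the two rules, which is why a user never added to it (joao.souza, pedro.lima) cannot trigger the second rule no matter how often their record is read.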

Demonstration


Use Cases LGPD

Use Case Examples

What other use cases can you think of?

• Personal data exfiltration: this use case already exists in QRadar and would need only minor changes
• Personal data transmitted outside the country
• Remote connection to personal data servers
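The two network-side ideas above (personal data transmitted outside the country, and remote connections to personal data servers), as an added example that is not from the original deck and not QRadar's own rules. It evaluates flow records against two pieces of reference data: a set of hosts that hold personal data and a list of address ranges treated as in-country. Both sets, the admin-port list, the byte threshold and the flow records are constructed for this illustration; a real deployment would populate the ranges from geolocation data rather than a hand-written list.

```python
import ipaddress
from collections import defaultdict
from typing import List, Tuple

# Constructed reference data (not from a real deployment): hosts that store personal
# data, the address ranges treated as in-country, and the admin ports whose use from
# abroad is reported. 192.0.2.0/24 (an RFC 5737 documentation range) stands in for a
# domestic ISP block.
PERSONAL_DATA_SERVERS = {"10.20.0.15", "10.20.0.16"}
IN_COUNTRY_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
ADMIN_PORTS = {22, 3389}
EXFIL_THRESHOLD_BYTES = 50_000_000  # per (server, destination) pair; assumption

# Constructed flow records: (timestamp, source, destination, destination port, bytes sent)
Flow = Tuple[str, str, str, int, int]
SAMPLE_FLOWS: List[Flow] = [
    ("2019-07-19T11:00:00Z", "10.20.0.15", "192.0.2.44", 443, 12_000_000),    # domestic: allowed
    ("2019-07-19T11:02:00Z", "10.20.0.15", "198.51.100.7", 443, 30_000_000),  # abroad, under threshold
    ("2019-07-19T11:04:00Z", "10.20.0.15", "198.51.100.7", 443, 30_000_000),  # abroad, total 60 MB
    ("2019-07-19T11:05:00Z", "10.20.0.99", "203.0.113.5", 22, 90_000_000),    # not a personal-data host
    ("2019-07-19T11:06:00Z", "192.0.2.10", "10.20.0.16", 3389, 4_000),        # domestic admin session
    ("2019-07-19T11:07:00Z", "203.0.113.5", "10.20.0.16", 22, 5_000),         # SSH from abroad
]


def is_in_country(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IN_COUNTRY_NETWORKS)


def evaluate_flows(flows: List[Flow]) -> List[Tuple[str, str, str, str, int]]:
    """Return (rule, timestamp, source, destination, bytes) for each offense raised."""
    offenses = []
    sent_abroad = defaultdict(int)  # running byte count per (server, foreign destination)
    for ts, src, dst, dport, nbytes in sorted(flows):
        # Rule 1: personal data transmitted outside the country. One large transfer
        # or a series of small ones both cross the threshold.
        if src in PERSONAL_DATA_SERVERS and not is_in_country(dst):
            sent_abroad[(src, dst)] += nbytes
            if sent_abroad[(src, dst)] >= EXFIL_THRESHOLD_BYTES:
                offenses.append(("personal data sent outside the country",
                                 ts, src, dst, sent_abroad[(src, dst)]))
                sent_abroad[(src, dst)] = 0  # start a new accumulation window
        # Rule 2: remote administrative connection to a personal-data server from abroad.
        if dst in PERSONAL_DATA_SERVERS and dport in ADMIN_PORTS and not is_in_country(src):
            offenses.append(("remote connection to personal data server from abroad",
                             ts, src, dst, nbytes))
    return offenses


if __name__ == "__main__":
    for rule, ts, src, dst, nbytes in evaluate_flows(SAMPLE_FLOWS):
        print(f"OFFENSE {ts}: {rule}: {src} -> {dst} ({nbytes} bytes)")
```

The caveat a practitioner would add: these rules key only on the source host and the destination's location, so they report that a personal-data server sent bytes abroad, not that the bytes contained personal data. That is why the deck says the existing exfiltration content "would need just some changes": enriching the match with content inspection or with the application-level audit events from the previous use case is what turns a volume alert into an LGPD finding.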

FOLLOW US ON:

ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions

THANK YOU

ibm.com/security/community

© Copyright IBM Corporation 2019. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.