Learn about Sogeti’s journey of creating a new Security Operation Center, and how and why we leveraged QRadar solutions. We explore the full program lifecycle, from strategic choices to technical analysis and benchmarking on the product. We explain how QRadar accelerates the go-to-market of the SOC, and how we embed IBM Security Intelligence offerings in our solution. Having a strong collaboration between different IBM stakeholders such as Software Group, Global Technology Services, as well as the Labs, was key to client satisfaction and operational effectiveness. We also show the value of integrating new QRadar features in our SOC roadmap, in order to constantly stay ahead in the cyber security game.

1. © 2015 IBM Corporation
Building a Next-Generation
Security Operation Center
Based on IBM QRadar and
Security Intelligence
Concepts
Chris Meenan, IBM Security
Vincent Laurens, Sogeti

2. Overview
1
• Cybersecurity threat environment and main challenges
• The true story behind all this
• What is a Security Operations Center (SOC)
• Introducing QRadar and how it can address pragmatic challenges
• Real-life examples and lessons learned

3. It is insane…
Source: IBM X-Force® Research 2013 Trend and Risk Report

4. Main challenges for a SOC
3
Smooth integration
with Processes and
Business
Addressing
compliance from
multiple angles
Lack of Skills within
the Organization
Being able to provide our customers
answers they needs.
Solving, in a high-quality manner, the
challenges they have to face.
Diversity and scale
of data to correlate
Cost effectiveness
SOC Challenges Chain
All these factors MUST become part of the IT comfort zone! Not as straightforward as it
seems!

5. What is a SOC ?
4
Performing Security Monitoring
of IT systems, of industrial systems and data
Scanning,
vulnerability
assessment
SIEM
Malware defense
– sandboxing -
Security
Analytics
BIG
DATA
GRC …Patch Management …CMDB
Systems and services integration
Managed services
SOCaaS (multi-tenant)
Central Command Centers!
Security Operation Centers are indeed…

6. Why QRadar Helps

7. Security Operations can drown in systems
• “HiFi Separates” approach has a
situation where enterprises have
dozens of individual security tools
• Security teams struggle
• Lack of skills
• Become stove piped themselves
• Overly dependant on a single tool
which has limited visibility and
accuracy

8. IBM QRadar Security SIEM
Providing actionable intelligence
IBM QRadar
Security Intelligence
Platform
AUTOMATED
Driving simplicity and
accelerating time-to-value
INTEGRATED
Unified architecture
delivered in a single console
INTELLIGENT
Correlation, analysis and
massive data reduction

9. Embedded intelligence offers automated offense
identification
INTELLIGENT
Suspected
IncidentsServers and mainframes
Data activity
Network and virtual activity
Application activity
Configuration information
Security devices
Users and identities
Vulnerabilities and threats
Global threat intelligence
Automated
Offense
Identification
• Unlimited data collection,
storage and analysis
• Built in data classification
• Automatic asset, service and
user discovery and profiling
• Real-time correlation
and threat intelligence
• Activity baselining
and anomaly detection
• Detects incidents
of the box
Embedded
Intelligence
Prioritized Incidents

10. Answering questions to help prevent and remediate
attacks

11. An integrated, unified architecture in a single
web-based console
Log
Management
Security
Intelligence
Network
Activity
Monitoring
Risk
Management
Vulnerability
Management
Network
Forensics

12. Use cases
11

13. Example 1
SOC for a major Financial Institution internal IT company
 Migration from a log correlation engine to a QRadar-based
Security analytics plateform
 Strong compliance riquirement
Fully-integrated services
 Dedicated reporting
 Large coverage of the infrastructure
 Integration of business elements
 Full Process integration
 Targetted KPIs
Lessons Learned
 A real project approach is needed
 Use QRadar suite out-of-the-box capabilities
 Define compliance steps from starts and align with Business and
Risks departments
Monitoring & Analytics
Reporting to Business

14. Example 2
13
SOC for a major Assurance company in Luxembourg
 The word “SIEM” was totally new for them
 Complete end-to-end approach based on a maturity analysis
Specific needs
 3 Levels of reporting from the SOC: Technies, Security, Business
 Cost effectiveness requirements
 Assistance to create and maintain a Security Incident Management
Process
 Particular threat environement
 Mainframe-based core business-app
Lessons Learned
 Yes! Specific threat environment exist for Assurance companies
 Parallelize scenarios-construction tasks and deployment tasks
 Involve compliance officer from start
International Compliance
Specific Reporting

15. Example 3
14
Client Situation :
 Lack of any SOC model and strategy roadmap
 There were no trained SOC Operations team or staff
 No Security monitoring tool or processes for security incidents
IBM Solution :
 Global Installation of the QRadar monitoring tool
 Archer Ticketing System implementation (security tickets)
 Designed the SOC Organization, Process, People Model
 SOC Capacity Modeling
 Hired and Trained the client’s SOC Staff (~12 resources)
 Implemented SOC Operational Reporting and Executive Dashboards
Client Benefits:
 Reduced risks & costs associated with security incidents and data breaches
 Addressed compliance issues by establishing clear audit trails for incident
response
 Improved security posture with enterprise-wide security intelligence
correlating events from IT & business critical systems/applications.
Profile:
Largest Bank in Canada, 3rd
largest in North America, top 10
globally. The bank serves 18
million clients and has 80,100
employees worldwide.

16. Summary
15

17. Driving simplicity and accelerated time to value
QRadar’s ease-of-use in set-up and maintenance
resulted in reduced time to resolve network issues
and freed-up IT staff for other projects.
Private U.S. University
with large online education community
Immediate
discovery
of network assets
Proactive vulnerability
scans, configuration
comparisons, and policy
compliance checks
Simplified
deployment
Automated configuration
of log data sources
and asset databases
Automated
updates
Stay current
with latest threats,
vulnerabilities,
and protocols
Out-of-the-box
rules and reports
Immediate time
to value with built-in
intelligence
IBM QRadar is nearly three times
faster to implement across the
enterprise than other SIEM solutions.
2014 Ponemon Institute, LLC
Independent Research Report

18. QRadar, Managed SIEM and SOC Consulting
17
SOC Optimization
• Security operations maturity
assessment
• SOC strategy and planning
• SOC design and build
• SOC optimization
Want to learn more? Don’t miss the following InterConnect sessions:
SIEM Workshop – Discussion on
Use Case Development and Problem
Solving (Session #4933). Tue 11AM,
Mandalay Bay, Ballroom D
Making Strategic Decisions – What is
the most effective Security Operations
model for you? (Session #4896). Wed
11AM, Mandalay Bay, Lagoon E
Building Intelligent Next Generation
Security Operations Center – How do
I get there? (Session #5198). Wed
3:30PM, Mandalay Bay, Lagoon E
SIEM Optimization
• SIEM design and build
• Use case design / log
acquisition
• SIEM implementation
• SIEM optimization
SIEM Management
• Real-time threat monitoring,
incident escalation and response
• SIEM administrative support
• SIEM infrastructure management
• Incident analysis and reporting
Augment and
optimize staff
resources
Detect threats others miss with IBM QRadar and Managed SIEM
More quickly
identify and
remediate events
Gain access to
best practice
design expertise
Help reduce
costs and
complexity
IBM Security can help maximize your QRadar investment with
SOC and SIEM design, optimization, management and monitoring

19. Notices and Disclaimers
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or
transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with
IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been
reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM
shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY,
EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF
THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT
OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the
agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without
notice.
Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are
presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual
performance, cost, savings or other results in other operating environments may vary.
References in this document to IBM products, programs, or services does not imply that IBM intends to make such products,
programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not
necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither
intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal
counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s
business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or
represent or warrant that its services or products will ensure that the customer is in compliance with any law.

20. Notices and Disclaimers (con’t)
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products in connection with this
publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM
products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to
interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any
IBM patents, copyrights, trademarks or other intellectual property right.
• IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document
Management System™, Global Business Services ®, Global Technology Services ®, Information on Demand,
ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™,
PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®,
pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®,
urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of
International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on
the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.

21. Thank You
Your Feedback is
Important!
Access the InterConnect 2015
Conference CONNECT Attendee
Portal to complete your session
surveys from your smartphone,
laptop or conference kiosk.