Full Transcript

Week1

Purposes of QRadar SIEM
- Alerts to suspect activities and policy breaches in the IT environment
- Provides deep visibility into network, user, and application activity
- Provides reporting templates to meet operational and compliance requirements
- Provides reliable, tamper-proof log storage
- Puts security-relevant data from various sources in context of each other

In the IBM Security Framework, QRadar SIEM provides:
- Security Intelligence, Analytics and Governance, Risk Management and Compliance (GRC)
- Insight into all domains of the IBM Security Framework

QRadar SIEM helps answer the following key questions:
- What is being attacked?
- What is the security impact?
- Who is attacking?
- Where to investigate?
- When are the attacks taking place?
- Is the suspected attack or policy breach real or a false alarm?

Providing context
To enable security analysts to perform investigations, QRadar SIEM correlates information such as:
- Point in time
- Offending users
- Origins
- Targets
- Vulnerabilities
- Asset information
- Known threats

QRadar SIEM capabilities
- QRadar SIEM processes security-relevant data from a wide range of sources, for example:
  o Firewalls / User directories / Proxies / Applications / Routers
- Collection, normalization, correlation and secure storage of raw events, network flows, vulnerabilities, assets, and threat intelligence data
- Layer 7 payload capture up to a configurable number of bytes from unencrypted traffic
- Extensive search capabilities
- Monitors host and network behavior changes that could indicate an attack or policy breach
- Notification by email or SNMP
- Many generic reporting templates included
- Scalable architecture to support large deployments
- Single user interface

Week2

Maturity categories of integration
- Basic: Organizations employ perimeter protection, which regulates access and feeds manual reporting (very reactive in nature).
  o Identity and Access Management – Centralized directory
  o Data Security – Encryption, Access control
  o Application Security – Application scanning
  o Protection – Perimeter security
- Proficient: Organizations implement security in depth, layered into the IT fabric and business operations.
  o Identity and Access Management – User provisioning, Access management, Strong authentication
  o Data Security – Access monitoring, Data loss prevention
  o Application Security – Application firewall, Source code scanning
  o Protection – Virtual security, Asset management, Endpoint and network security management
- Optimized: Organizations use predictive and automated security analytics to drive security intelligence.
  o Identity and Access Management – Role-based analytics, Identity governance, Special user controls
  o Data Security – Data flow analytics, Data governance
  o Application Security – Secure app engineering processes, Fraud detection
  o Protection – Advanced network monitoring, Forensics, Secure systems

Threat landscape drives Security Intelligence strategy
1. Escalating attacks
  o Increasingly advanced attack methods include social engineering, spear phishing, watering holes
  o Disappearing perimeters mean you cannot rely on network-based protection alone
  o Privileged access methods (stolen credentials) used in attacks require you to monitor your valuable assets more closely
  o Examples: designer malware, spear phishing, persistence, backdoors
2. Increasing complexity
  o Constantly changing infrastructure
  o Too many security products from multiple vendors; costly to configure and manage; no correlation of events; no centralized reporting
  o Insufficient and ineffective tools
  o Sophisticated attack methods can only be detected by combining events from infrastructure (network, servers, endpoints), identity, applications, databases
3. Resource constraints
  o Struggling security teams
  o Too much data from point products, with limited manpower and skills to manage it all, makes it almost impossible to see how the pieces of an attack connect
  o Increasing compliance requests need to be managed and monitored

Apply Big Data to Security Intelligence and threat management: Collection, storage, and processing / Analytics and workflow / Global intelligence

A dynamic, integrated system to help detect and stop advanced threats
- Prevent
- Detect
- Respond

Attack Chain
  o Break-in
  o Latch-on
  o Expand
  o Gather
  o Exfiltrate

Detect and stop advanced threats – best practices: Intelligent detection
1. Predict and prioritize security weaknesses:
  o Gather threat intelligence information
  o Manage vulnerabilities and risks
  o Augment vulnerability scan data with context
  o Manage device configurations (firewalls, switches, routers)
2. Detect deviations to identify malicious activity:
  o Establish baseline behaviors
  o Monitor and investigate anomalies
  o Monitor network flows
3. React in real time to exploits:
  o Correlate logs, events, network flows, identities, assets, vulnerabilities, configurations, and add context
  o Use automated solutions to make data actionable by existing staff

What is Security Intelligence?
- The real-time collection, normalization and analytics of the data generated by users, applications, and infrastructure that impacts the IT security and risk posture of an enterprise
- Security Intelligence provides actionable and comprehensive insight for managing risks and threats from protection and detection through remediation

IBM Security QRadar
- Vulnerability Manager
- Risk Manager
- SIEM
- Log Manager
- Incident Forensics

IBM Security QRadar SIEM
Web-based command console for Security Intelligence
- Delivers actionable insight, focusing security teams on high-probability incidents
- Employs rules-based correlation of events, flows, assets, topologies, vulnerabilities
- Detects and tracks malicious activity over extended time periods
- Consolidates "big data" security incidents in a purpose-built, federated database repository
- Provides anomaly detection to complement existing perimeter defenses
- Calculates identity and application baseline profiles to assess abnormal conditions

IBM Security QRadar Vulnerability Manager
Scan, assess, and remediate vulnerabilities
- Contains an embedded, well proven, scalable, analyst-recognized, PCI-certified scanner
- Detects 70,000+ vulnerabilities
- Tracks the National Vulnerability Database (CVE)
- Present in all QRadar log and flow collectors and processors
- Integrates with IBM Security Endpoint Manager (BigFix) to reveal which vulnerabilities will be patched and when
- Leverages QRadar Risk Manager to report which vulnerabilities are blocked by your IPS and firewall
- Uses QFlow to report whether a vulnerable application is active
- Presents a prioritized list of vulnerabilities you should deal with as soon as possible

IBM Security QRadar Risk Manager
Scan, assess, and remediate risks
- Network topology model (security devices) enables visualization of activity and network traffic
- Correlates network topology, asset vulnerabilities and configuration, and actual network traffic to select and prioritize risk
- Improved compliance monitoring and reporting
- Network device optimization and configuration monitoring
- Models threat spread and simulates network topology changes

IBM Security QRadar Incident Forensics
Intuitive investigation of security incidents
- Reduces incident investigation periods from days or hours to minutes
- Employs Internet search engine technology to close security team skill gaps
- Collects evidence against malicious entities breaching secure systems and deleting or stealing sensitive data
- Creates rich "digital impression" visualizations of related content
- Helps determine the root cause of successful breaches to prevent or reduce recurrences
- Adds full packet captures to complement SIEM security data collection and analytics

From NetFlow to QFlow to QRadar Incident Forensics
- NetFlow: packet oriented, identifies unidirectional sequences sharing source and destination IPs, ports, and type of service
- QFlow: packet oriented, identifies bidirectional sequences aggregated into sessions; also identifies applications by capturing the beginning of a flow
- Competitive solutions: some only capture a subset of each flow and index only the metadata, not the payload
- QRadar Incident Forensics: captures all packets in a flow, indexing the metadata and payload to enable fast search-driven data exploration

Embedded intelligence of QRadar directs focus for investigations:
- Rapidly reduce time to resolution through an intuitive forensic workflow
- Relies on intuition more than technical training
- Determine root cause and prevent recurrences

Benefits of the IBM Security Intelligence approach
- Holistic IT security management and integration with infrastructure and processes
  o Use tools and solutions that know how to communicate with each other
  o Integrate with centralized vulnerability management
- Proactive IT security management
  o Detect and counteract the threat before the actual exploit
- Network flow analysis and forensics
  o Collect data that no attacker can obfuscate (network flow) and store application data for more detailed forensic investigations
- Risk assessment support through network topology awareness in combination with vulnerability information
  o Investigate potential risks due to network topology and vulnerabilities
  o Focus on the "important and valuable" assets that need protection and do not flood the Security Intelligence system with useless data

Reporting in QRadar
A QRadar SIEM report is a means of scheduling and automating one or more saved searches.
- QRadar SIEM reports perform the following tasks:
  o Present measurements and statistics derived from events, flows, and offenses
  o Provide users the ability to create custom reports
  o Can brand reports and distribute them
- Predefined report templates serve many purposes:
  o Regulatory compliance
  o Authentication activity
  o Operational status
  o Network status
  o Executive summaries
- Regulatory coverage:
  o COBIT: Control Objectives for Information and Related Technology
  o PCI: Visa Payment Card Industry Data Security Standard
  o FISMA: Federal Information Security Management Act
  o NERC: The North American Electric Reliability Council
  o GSX: Government Secure Extranet

What is an architecture?
- Architecture is the overall environment in which the system will operate
- Lays out all the elements of the IT system and their relationships
- Describes the fundamental concepts or properties of the IT system; does not have to cover everything
1. TOGAF (The Open Group Architecture Framework) covers the development of four related types of architecture (not security focused); these four types are commonly accepted as subsets of an overall enterprise architecture, all of which TOGAF is designed to support:
  § Business Architecture
  § Data Architecture
  § Application Architecture
  § Technology Architecture
2. O-ESA (Open Enterprise Security Architecture) is a policy-driven security architecture that places this architecture in the context of a larger enterprise security program and describes the major elements of an ESA:
  § Program Management
  § Governance
  § Architecture
  § Operations

Week3

Normalizing raw events
- An event is a record from a device that describes an action on a network or host.
- QRadar SIEM normalizes the varied information found in raw events:
  o Normalizing means mapping information to common field names, for example:
    § SRC_IP, Source, IP, and others are normalized to Source IP.
    § user_name, username, login, and others are normalized to User.
  o Normalized events are mapped to high-level and low-level categories to facilitate further processing.
- After raw events are normalized, it is easy to search, report on, and cross-correlate them.

Event collection and processing
- Log Sources typically send syslog messages, but they can use other protocols as well.
- Event Collectors receive raw events as log messages from a wide variety of external log sources. The Event Collector:
  § gathers events from local and remote sources.
  § normalizes events and classifies them into low- and high-level categories.
  § bundles virtually identical events to conserve system resources.
  o Device Support Modules (DSMs) in the Event Collectors parse and normalize raw events. Raw log messages remain intact.
- Event Processors receive the normalized events and raw events to analyze and store them. The Event Processor:
  o processes events from the Event Collectors and flow data.
  o correlates the information.
  o examines information gathered by QRadar SIEM to indicate behavioral changes or policy violations.
  o applies rules to the events to search for anomalies.
- The Magistrate correlates data from Event Processors and creates offenses.

Flow collection and processing
- A flow is a communication session between two hosts.
- QFlow Collectors
  o read packets from the wire or receive flows from other devices.
  o convert all gathered network data to flow records, similar to normalized events, which include such details as when, who, how much, protocols, and options.

Asset profiles
- QRadar SIEM keeps asset profiles for systems in the network. The profiles track host details, for example:
  o IP addresses
  o Services listening on open ports
  o Vulnerabilities

Active scanners
- For vulnerability assessment (VA) and maintaining asset profiles, QRadar SIEM integrates with many active scanners:
  o You can schedule Nessus, Nmap, and the IBM Security QRadar Vulnerability Manager scanner directly in QRadar SIEM.
  o For other scanners, you schedule only the collection of scan results in QRadar SIEM, not the scan itself.

QRadar Vulnerability Manager scanner benefits
- Active scanner present on all QRadar event and flow collectors and processors
- Detects 70,000+ vulnerabilities
- Processes results from the IBM-hosted scanner to see a view from outside your firewall
- Tracks Common Vulnerabilities and Exposures (CVE)
- Third-party vulnerability data feeds

Gathering asset information
- Active scanners: QRadar Vulnerability Manager scanner, Nessus, Nmap, Qualys
  o Provide: list of hosts with risks and potential vulnerabilities; IP and MAC addresses; open ports; services and versions; operating system
  o Pros: detailed host information; policy and compliance information
  o Cons: out of date quickly; full network scans can take weeks; active scanners cannot scan past firewalls; users can hide from active scans
- Passive detection: flows from QFlow, or other flow sources in accounting technologies such as IPFIX/NetFlow, sFlow
  o Provide: IP addresses in use; open ports in use
  o Pros: real-time asset profile updates; firewalls have no impact; end system cannot hide; policy and compliance information
  o Cons: not as detailed as active scans; does not detect installed but unused services or ports

Week4

QRadar SIEM logical components and data flow
- Central User Console
  o Magistrate (manages offense creation and magnitude)
  o Global correlation across flow and event processors
  o Offense management
  o Asset and identity management
- Event Processor
  o Rule Processor
  o Storage for events and accumulated metadata
  o Storage for flows and accumulated metadata
- Event Collector
  o Log event collection, coalescing, and normalization
  o Third-party flow collection such as NetFlow, sFlow, J-Flow; deduplication and recombination
- Flow Collector (QFlow and Superflow creation, and application detection)

High-level architecture
- Flow and event data is stored in the Ariel database on the Event Processors
  o If accumulation is required, accumulated data is stored in the Ariel accumulation database
  o As soon as data is stored, it cannot be changed (tamper proof)
- Offenses, assets, and identity information are stored in the master PostgreSQL database on the Console
  o Provides one master database with copies on each processor for backup and automatic restore
- Supports secure SSH communication between appliances in a distributed environment

Methods of application detection (flows)
- User defined
  o This method is mainly used when users have a proprietary application running on their network
  o For example: all traffic going to host 10.100.100.42 on port 443 is recognized to be MySpecialApplication
- State-based decoders
  o This method is implemented in the source code and determines the application by analyzing the payload for multiple markers
  o For example: if we see A followed by B, then application = X; if we see A followed by C, then application = Y
- Signature matching
  o Basic string matching in the payload
  o Custom signatures are allowed
- Port-based matching (port 80 = http, and so on)

Flows per minute (FPM) burst handling
- Flows are temporarily stored in an overflow buffer if the FPM license is exceeded
- Every log source protocol has an overflow buffer of 100,000 events
- If the overflow buffer fills up, the additional flows are dropped
- The Flow Collector can handle a burst for up to 15 seconds

Event Collector architecture
- The Collector gathers events from local and remote sources
- Normalizes events and classifies them into low- and high-level categories
- Log Sources are automatically discovered after record analysis
- Bundles identical events to conserve system resources by a process known as coalescing
- Events are parsed by Log Source parser threads
- The EPS license is checked

Autodiscovery of Log Sources
- Essential module for automating a successful evaluation or deployment
- Categorizes traffic from devices that are unknown to the system
- Creates a new Log Source if detection is successful on an IP address
- Carries out detection only on event protocols that are "pushed" to the Event Collector, for example syslog

Log Source parsing uses QID mapping
A QID (QRadar Identifier) is a unique ID that links the extracted Log Source Event ID to a QID record
- The Log Source parser extracts the Log Source Event ID from the log record
- Each QID number relates to a custom Event Name, description, severity and event category information
- The event category information is structured into High Level Categories (HLC) and Low Level Categories (LLC); every QID is linked to one of these low-level categories

Events per second (EPS) burst handling
- Events are temporarily stored in an overflow buffer if the EPS license is exceeded
- Every log source protocol has an overflow buffer of 100,000 events
- If the overflow buffer fills up, the additional events are dropped
- The Event Collector can handle an event burst for up to 15 seconds

Event Processor architecture
- Every single event and flow is tested against all enabled rules in the rules engine
- New offenses are created by the Magistrate (see Console)
- If a new port or host is detected, an asset profile is updated or created in the PostgreSQL database (see Console)
- Events are accumulated every minute and stored in the accumulator Ariel database
- Events and flows are stored in the events or flows Ariel database
- The EPS license is checked and enforced

Custom Rules Engine (CRE)
- Every single event or flow is tested against all enabled rules; matched rules can have a response or result
- Matched rules might trigger the creation of an offense or create a CRE event that triggers the creation of an offense
- Multiple matched events, flows, and matched rules might correlate into a single offense
- A single event or flow can be correlated into multiple offenses
- By default, rules are tested against events or flows received by a single Event Processor (local rules)
- Global Cross Correlation (GCC) allows rule testing across multiple Event Processors in the QRadar SIEM deployment

Console architecture
- The Magistrate creates and stores offenses in the PostgreSQL database; these offenses are then brought to the analyst's attention in the interface
- The Magistrate instructs the Ariel proxy to gather information about all events and flows that triggered the creation of an offense
- The Anomaly Detection Engine (ADE) searches the Accumulator databases for anomalies, which are then used for offense evaluation
- The Vulnerability Information Server (VIS) creates new assets or adds open ports to existing assets based on information from the Event Processors (EPs)

Offense management by the Magistrate
- Rules can correlate events and flows into a single offense
- A single event or flow can belong to multiple offenses
- While rules are tested, they might lead to the creation of an offense
- Pending offenses tag the events and flows as long as the rule that triggered the creation of the offense remains at least partially matched
- A maximum of 100,000 offenses can be stored

Offense types
- An Open Offense that is created remains an Active Offense as long as the rules that triggered the offense creation are matched by events or flows within 30 minutes after the last match has been found; new tags of events or flows are added to the Active Offense
- If an Open Offense does not find additional matches for more than 30 minutes, it becomes a Dormant Offense
- A Dormant Offense becomes active again when additional matches are found within 5 days after the offense became dormant; it is then called a Recalled Offense, and new tags of events or flows are added to the Recalled Offense
- After a Dormant Offense has not received any matches within 5 days after it became dormant, it turns into an Inactive Offense
- Open Offenses can be manually turned into Closed Offenses
- If events or flows are matched to an Inactive Offense or Closed Offense, a new Open Offense is created
- A maximum of 2,500 Active Offenses and 500 Recalled Offenses are allowed
- Closed and Inactive Offenses are subject to retention management
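The Event Collector stages from the Week3 normalization notes and the Week4 QID mapping and coalescing notes, combined into one runnable toy collector. This is an added example, not QRadar code or course material: FIELD_MAP, QID_MAP and its QID values, the 10-second coalescing window and the sample events are all constructed assumptions.

```python
"""Toy model of the Event Collector stages in the notes (Week3 normalization,
Week4 QID mapping and coalescing). Added illustration, not QRadar code:
field names, QIDs, the coalescing window and the sample events are constructed."""

# Vendor field names mapped onto QRadar's common field names.
FIELD_MAP = {
    "SRC_IP": "Source IP", "Source": "Source IP", "src": "Source IP",
    "DST_IP": "Destination IP", "dst": "Destination IP",
    "user_name": "User", "username": "User", "login": "User",
    "event_id": "Log Source Event ID", "EventID": "Log Source Event ID",
}

# Constructed QID table: (log source type, Log Source Event ID) -> event name,
# severity, high-level category (HLC) and low-level category (LLC).
QID_MAP = {
    ("LinuxOS", "sshd_failed_password"): dict(
        qid=1001, name="SSH Login Failed", severity=3,
        hlc="Authentication", llc="User Login Failure"),
    ("WindowsAuth", "4625"): dict(
        qid=1002, name="Windows Logon Failure", severity=3,
        hlc="Authentication", llc="User Login Failure"),
}
# Events with no QID match land in a catch-all category (placeholder values).
UNKNOWN_QID = dict(qid=0, name="Unknown Event", severity=1, hlc="Unknown", llc="Stored")


def normalize(raw):
    """Map raw field names onto common names and attach the QID metadata."""
    norm = {FIELD_MAP.get(k, k): v for k, v in raw.items()}
    key = (raw.get("log_source_type"), str(norm.get("Log Source Event ID")))
    norm.update(QID_MAP.get(key, UNKNOWN_QID))
    return norm


def coalesce(events, window=10):
    """Bundle virtually identical events (same QID, Source IP, Destination IP,
    User) arriving within `window` seconds of the first copy; the copy is
    stored once with a count. `window` is an assumed value, not QRadar's.
    Returns (representative_event, count) pairs in arrival order."""
    groups, open_groups = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ident = (ev["qid"], ev.get("Source IP"), ev.get("Destination IP"), ev.get("User"))
        idx = open_groups.get(ident)
        if idx is not None and ev["time"] - groups[idx][2] <= window:
            groups[idx][1] += 1               # repeat copy: count it, do not store it
        else:
            open_groups[ident] = len(groups)  # new group (or the window expired)
            groups.append([ev, 1, ev["time"]])
    return [(g[0], g[1]) for g in groups]


def process(raw_events):
    """Run the collector stages over a batch and return the coalesced groups."""
    return coalesce([normalize(r) for r in raw_events])


# Constructed sample: five SSH failures within five seconds, one straggler
# 30 s later, and one Windows logon failure using different field names.
SAMPLE_RAW = [
    {"log_source_type": "LinuxOS", "event_id": "sshd_failed_password",
     "SRC_IP": "10.0.0.5", "DST_IP": "10.0.0.20", "user_name": "root", "time": t}
    for t in (0, 1, 2, 3, 4, 30)
] + [{"log_source_type": "WindowsAuth", "EventID": 4625, "src": "10.0.0.7",
      "dst": "10.0.0.21", "login": "alice", "time": 2}]
```

Running `process(SAMPLE_RAW)` yields three groups: the five SSH failures stored once with a count of 5, the Windows failure, and the straggler that fell outside the window.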
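The offense lifecycle listed above, written out as a small state machine. This is an added example, not QRadar code: the Offense and Magistrate classes are invented; the 30-minute, 5-day and 2,500/500 figures are the ones in the notes; the return of a quiet Recalled offense to Dormant is an assumption the notes do not state.

```python
"""State machine for the offense lifecycle in the notes above (Active,
Dormant, Recalled, Inactive, Closed). Added illustration, not QRadar code:
the classes are invented; the time limits and caps are the notes' figures.
Assumption not stated in the notes: a Recalled offense that goes quiet for
30 minutes returns to Dormant, like an Active one."""
from dataclasses import dataclass, field

ACTIVE_IDLE = 30 * 60            # no match for 30 minutes -> Dormant
DORMANT_LIMIT = 5 * 24 * 3600    # dormant for 5 days without a match -> Inactive
MAX_ACTIVE, MAX_RECALLED = 2500, 500


@dataclass
class Offense:
    offense_id: int
    rule: str                    # rule whose matches feed this offense
    last_match: float            # time of the most recent tagged event/flow
    state: str = "Active"
    dormant_since: float = 0.0
    tags: list = field(default_factory=list)   # tagged events and flows


class Magistrate:
    def __init__(self):
        self.offenses = []
        self._next_id = 1

    def count(self, state):
        return sum(o.state == state for o in self.offenses)

    def tick(self, now):
        """Time-driven transitions; run before handling a match."""
        for o in self.offenses:
            if o.state in ("Active", "Recalled") and now - o.last_match > ACTIVE_IDLE:
                o.state, o.dormant_since = "Dormant", o.last_match + ACTIVE_IDLE
            if o.state == "Dormant" and now - o.dormant_since > DORMANT_LIMIT:
                o.state = "Inactive"

    def latest(self, rule):
        hits = [o for o in self.offenses if o.rule == rule]   # keyed by rule here
        return hits[-1] if hits else None

    def match(self, rule, event, now):
        """A rule matched: tag the open offense, recall a dormant one, or open a
        new one if none exists or the last is Inactive/Closed. None if a cap is hit."""
        self.tick(now)
        o = self.latest(rule)
        if o is None or o.state in ("Inactive", "Closed"):
            if self.count("Active") >= MAX_ACTIVE:
                return None
            o = Offense(self._next_id, rule, now)
            self._next_id += 1
            self.offenses.append(o)
        elif o.state == "Dormant":
            if self.count("Recalled") >= MAX_RECALLED:
                return None
            o.state = "Recalled"
        o.tags.append(event)
        o.last_match = now
        return o

    def close(self, offense_id):
        """Manual close; only open (Active, Dormant, Recalled) offenses qualify."""
        for o in self.offenses:
            if o.offense_id == offense_id and o.state not in ("Inactive", "Closed"):
                o.state = "Closed"
                return o
        return None
```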
