The Lazy Genius

Security News and Brain Dumps from Xavier Ashe, an IBM Security Systems Consultant

Archive for the ‘QRadar’ Category

TSOM, TSIEM, and QRadar at IBM Pulse

Posted by Xavier Ashe on March 5, 2012

IBM Pulse has begun in Las Vegas!  Monday morning I will be presenting at the “Proven Practices Workshop: Security” from 10-11am in the Expo Theater 1.  I will have copies of the pre-release version of “Transitioning from Tivoli Security Operations Manager to QRadar” Redpaper, but all you blog followers out there can get it here.

Transitioning from TSOM to QRadar v1.0

I will be getting this submitted as an official IBM Redpaper.  I’m still working on the TSIEM to QRadar paper, but I’ll be talking about it tomorrow.

Posted in IBM, QRadar, TSIEM, TSOM

Transitioning from TSOM to QRadar – Terminology

Posted by Xavier Ashe on February 21, 2012

I am getting close to my first draft of the Tivoli Security Operations Manager (TSOM) to QRadar transition paper. Here’s a peek at one useful chart, Transition Terminology. Feedback is appreciated!

| Tivoli Security Operations Manager | QRadar |
|---|---|
| Action (rules) | Response |
| Audit (internal audit) | Audit |
| Atomic Threat Score | Magnitude |
| Auto Configuration (EAM) | Auto Discovery |
| Central Management Server (CMS) | Console |
| Condition (rules) | Condition |
| Conduit | Protocol |
| Correlation Engine | Magistrate |
| Device Rules | Device Support Module |
| Event Aggregation Module | Event Processor and Event Collector |
| Event Class | Category (low-level and high-level) |
| Event Console | No term, but it is the default view once you click on the Log Activity tab |
| Event Element (rules) | Event Property |
| Event Filter (EAM) | Routing Rule |
| Event Filter (PowerGrid, Event Viewer) | Search, Saved Search |
| Event Filter (Event Class) | Classification is handled automatically |
| Event Filter (Rules) | Rule Test |
| Event Rate | Events per Second (EPS) |
| Event Severity | Severity |
| Event Type | Event Name |
| Firewall Blocking (OPSEC) | Trusted Networking Computing (TNC) and Interface For Metadata Access Points (IF-MAP) |
| Geoserver | Geographic Networks |
| Group (user) | No equivalent |
| Host | Asset |
| Host Asset Weight | Asset Weight |
| Host Criticality Weight | Asset Weight |
| Host Investigation Tool | Right Click Menu |
| Host Query (rule condition) | Host Profile Tests |
| Keystore | No equivalent, automatically managed |
| Knowledge Base | Offense Notes |
| Location | Location |
| Master Netblock | No equivalent |
| Meta-event | Dispatch New Event |
| Netblock | Network (Network Hierarchy or Remote Network) |
| Netblock Asset Weight | Network Weight |
| Netblock Source Threat | Network Weight |
| Password Policy | No equivalent |
| PowerGrid | No term, but you view events in the Log Activity tab. Once you group log data using the Display list box, the log view operates similarly to the PowerGrid |
| Reports | Reports |
| Role (user) | Role |
| Security Content (import script) | Content comes preloaded and is updated via Automatic Update |
| Security Domain | Network Hierarchy |
| Sensor | Log Source |
| Sensor Class | Log Source Group |
| Sensor Type | Log Source Type |
| Simple Condition (rule) | Rule Test |
| State Action (complex state) | Handled automatically when you create a Function Test |
| State Condition (complex) | Function – Sequence Test |
| State Condition (simple) | Function – Counter Test |
| State Table | Handled automatically when you create a Function Test |
| Stateful Action | Handled automatically when you create a Function Test |
| Stateful Rules | Rules |
| System Configuration | System Configuration |
| System Status | System Monitoring Dashboard |
| Threat Correlation (statistical correlation) | No term, but the Magnitude is calculated in a similar manner to the Threat Score |
| Threat Parameter | No equivalent, handled automatically |
| Ticket | Offense |
| Token | No equivalent |
| Top Sources and Top Destinations | Can be viewed in the Log Activity tab |
| Universal Collection Agent | Adaptive Log Exporter and tail2syslog script |
| User Account | User Account |
| Vulnerability | Vulnerability |
| Vulnerability Import | Vulnerability Assessment |
| Watchlist | Reference Set |

Posted in QRadar, TSOM

Transitioning From TSIEM and/or TSOM to QRadar – Intro

Posted by Xavier Ashe on February 7, 2012

Hello SIEM world. I have been working with IBM SIEM products for years now and we have come a long way. Some products can grow with the changing tides of customer needs, while other times we must leapfrog the competition and acquire a new technology. I am so excited to get to work with the new products from Q1 Labs, QRadar and QRisk Manager. We still have TSIEM and TSOM available, but a couple of customers have asked me about transitioning to QRadar. I will be at IBM Pulse this year covering the topic. I’ve decided to post my materials here as I develop them.

Tivoli Security Operations Manager, or TSOM, is used for automating the tasks of a Security Operations Center (SOC), big or small. Its real-time and statistical correlation allows customers to automate many responses to events and manage large amounts of data from a vast collection of endpoints, mostly networking and security devices. It enabled security personnel to quickly drive to the source of a problem or flag it as a false positive.

Tivoli Security Information and Event Manager, or TSIEM, is used to develop rich reporting for user based activities. The tool collects from operating systems, databases, and applications, allowing customers to track user activities throughout their network. The resulting reports were meaningful and concise, allowing for reports to be consumed by non-technical staff and auditors to pass compliance.

To get the best of both worlds, we integrated the two to get a powerful, flexible architecture. The two products work very well together, getting the best out of both worlds, security and user compliance. I’ve deployed this dual architecture all over the world (and still have more to do this year).

Now we have added QRadar from Q1 Labs to the mix. QRadar is a powerful security analytics tool that brings unbridled flexibility to the SIEM space. Its distributed architecture allows for 10-20 times (at least) the events per second that TSOM or TSIEM could do, opening the door to new environments for SIEM. One of my favorite features is the Netflow and QFlow analyzers. I’ll be posting a customer story soon about how the combination of event data and flow data allowed us to find an infected host behind a firewall and Citrix server. With QRadar, you get ease of use, tons of automatically updated security content, plus enough flexibility to get this old services guy excited. As the product stands today, I can configure it to do some amazing things. Plus the roadmap is chock full of even more features.

So while you can still get TSOM and TSIEM from IBM, I can see the excitement around QRadar. It’s a whole new class of product and I join you in the excitement. As I develop material around transitioning, I’ll post it here. I think I’ll probably end up writing another Redpaper, like I did when we transitioned from Tivoli Risk Manager to TSOM. If you are going to be at IBM Pulse, please drop me a line. I’d love to hear how you’re using the tools and how I can be of service. Just think about it like this: Go to Pulse and get free consulting!

Posted in IBM, QRadar, Security, Security Intelligence, TSIEM, TSOM
