The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Archive for the ‘QRadar’ Category

Harvard-ITSecurity / qradar-seculert-push

Posted by Xavier Ashe on December 14, 2012

What is it?

A way to grab Seculert’s Crime Servers and Threat Intelligence Records (via their API) and push them into QRadar’s Remote Networks, which then you can build Rules upon. The beauty of this is that in reality it shows you how to more generally push custom “BAD” IPs/Networks into QRadar and auto-deploy them. You can use any list of IPs/networks. If it’s CSV, it should be an absolute breeze to import.

How does it work?

You need to go into ‘seculert_qradar.pl’ and edit the ‘#START USER CONFIG’ section. The first variable you will see is the “seculert” api key – which you can get from your Seculert account (fantastic service http://seculert.com), but again, this can be easily be any CSV list. The idea is that you download both feeds and convert them into the “IP” format that QRadar understands with the “Network” (in this case ‘SECULERT’) ID and the Sub-ID (in this case ‘CS’ and ‘TIR’). Then you pull the existing remotenet.conf file, and prune out the old SECULERT list, and then merge in the new one that you just pulled. Then you upload the new file back to QRadar and auto-trigger the deployment (here is the real qradar magic).

Read more and get the script on GitHub.

Posted in IBM, QRadar, Security Intelligence | Leave a Comment »

New features in QRadar 7.1

Posted by Xavier Ashe on October 29, 2012

Stolen from the QRadar 7.1 Release notes:

 

  • Upgraded Operating System – QRadar 7.1 includes a substantial upgrade to the operating system. During the upgrade process on your system, the following operating system updates occur:
    • For systems that previously used the CentOS operating system, the operating system is replaced with the Red Hat Linux 6.2 operating system.
    • For systems that previously used the Red Hat Linux 5.7 operating system, the operating system is upgraded to the Red Hat Linux 6.2 operating system.

      If your system is configured with off-board storage solutions, you are required to remount your storage solutions during the upgrade process. We recommend that you carefully read the Upgrading to QRadar Release 7.1 Guide and the Reconfiguring Offboard Storage After Upgrading to QRadar 7.1 Technical Note.

  • New WinCollect Agent – QRadar 7.1 introduces WinCollect and the WinCollect agent for collecting and managing Windows-based events using the Admin tab in QRadar. For more information on WinCollect, see the WinCollect User Guide.
  • New Vulnerability Details Page on the Assets Tab – QRadar 7.1 introduces the Research Vulnerability Details window, which you can access from the Assets tab. The Research Vulnerability Details window provides information about known vulnerabilities detected by third-party scanners. Vulnerability information and identifiers are sourced from external references, such as the Open Source Vulnerability Database (OSVDB) and National Vulnerability Database (NVDB). QRadar 7.1 also includes the ability to import vulnerability data from scanners that do not store data with OSVDB or NVDB references, such as IBM Appscan Enterprise.
  • New Index Management – The Index Management feature is accessed from the Admin tab. Index Management allows you to control database indexing event properties. By enabling indexing on event properties, you can optimize the speed of your searches.
  • New Dedicated Event Collector Appliance and Supporting Store and Forward – QRadar 7.1 introduces the QRadar 1501 appliance, which is a dedicated Event Collector. This appliance is also available as the QRadar 1590 virtual appliance.
  • Using Store and Forward accessed from the Admin tab, you can now store events on your dedicated Event Collector during your business hours. These events can be forwarded to an Event Processor during periods of time when the transmission does not negatively affect your network bandwidth. For example, you can configure a dedicated Event Collector to only forward events to an Event Processor during non-business hours, such as midnight until 6 AM.
  • Updated VFlow Collector Installation Procedure – The VFlow Collector installation procedure is updated to make the process consistent with the virtual appliance installation process. For more information, see the QRadar Installation Guide.

Posted in IBM, QRadar, Security, Security Intelligence | Leave a Comment »

QRadar and QRM 7.1 are Generally Available!

Posted by Xavier Ashe on October 5, 2012

The QRadar Product Management team is very glad to announce the General Availability (GA) of QRadar SIEM and Risk Manager Version 7.1.  Another major milestone of the QRadar product, QRadar 7.1 delivers several new key features to meet the needs of our current and future customers, a new appliance and new tools to provide more flexibility in deploying the QRadar solution, and great usability features to increase the visibility to more security intelligence data, as well as the ability to better optimize and tune QRadar.

The new features of QRadar SIEM 7.1 consist of:

  • Index Management:  More refined control over the creation of indexes used for searches and exposure of field and index usage statistics, enabling more efficient storage utilization and performance optimization.
  • Store and Forward: Capability of collecting and storing events by a new appliance, Event Collector (EC), in a remote location and forwarding events to an upstream Event Processor for analysis based on a pre-determined policy,  allowing effective log collection at remote network locations with unreliable network connections or bandwidth constraints.
  • Import/Export of Security Contents: Ability to export security and configuration content on a QRadar system to an external, portable format which then can be imported into another QRadar system, with a command line interface, enabling quick deployment of a new QRadar system or sharing of security contents across systems.
  • Vulnerability Details Screen – Enhanced GUI screens to display detailed vulnerability data imported from third party vulnerability scanner products, allowing customers to fully explore the nature and relevance of vulnerabilities on the hosts involved in QRadar detected incidents and offenses.
  • WinCollect: Complete centralized control of local and remote Windows event collection, with bulk adding of servers, per server troubleshooting, automated deployment and update of policy and agent itself.  Also includes tuning for different environments and support for latest capabilities like XPath queries.

The new features of QRM 7.1 consist of:

  • P2P Networks: Support for point-to-point networks, such as VPNs and serial links. This allows customers to add these links to their QRM network topology.
  • Firewall Rule Reporting: Perform comprehensive reporting on firewall rules, including shadowed, most and least used rule reports. Reports can be generated across multiple firewalls and is full integrated into the QRadar reporting engine.
  • Enhanced Policy Monitoring:  Monitor policy question passes and failures, typically required for compliance reporting. Customers can now generate reports that show that network policies have been in compliance over a given period of time, in addition to those which were not compliant.

Posted in IBM, QRadar | 2 Comments »

QRadar HowTo: Adjust Severity from Payload

Posted by Xavier Ashe on September 17, 2012

The way that QRadar assigns severity is based on the QID. So each event that has a specific event name gets mapped to a specific QID, then gets a specific severity. This is a very good model for many scenarios. However, there are other situations that require parsing the severity out of the event and overriding the QID set severity. For example, you may get a more generic QID like “Threat Detected”. These all get put in at a high severity, which throws off several out-of-the-box rules and makes your magnitude score less useful.

To change this, it will take several steps. First you must create a Custom Extracted Property to pull out the new severity. Be sure to check the box for “Optimize for rules and reports”. I’ll use Snort and Palo Alto as an example. I created a new property called “Event Severity” and used this regex:

\[Priority:\s+(\d+)

Here’s one for Palo Alto:

\(\d+\),.*?,(\w+)

Snort uses a number 1-5 and Palo Alto has 5 different text strings (low, medium, high, etc.). The next step is to create five rules for each log source type. Here’s an example of the snort rule.

Apply Snort Severity Adjustment – 1 on events which are detected by the Local system
and when the event(s) were detected by one or more of Snort Open Source IDS
and when the event matches Priority is 1

Or Palo Alto:

Apply PASeries Severity Adjustment – Low on events which are detected by the Local system
and when the event(s) were detected by one or more of Palo Alto PA Series
and when the event matches PA Severity is low

The rule response for these rules is to set the Severity to the appropriate number and annotate the event. Both of these examples have 5 levels of severity, so I used 2, 4, 6, 8, and 10 in QRadar.  Create all five rules and you are set!

Now you should get better magnitude scores and less false positives from rules like “Exploit: Exploits Events with High Magnitude Become Offenses”.

Posted in QRadar | Tagged: , | Leave a Comment »

TSIEM to QRadar Transition Guide, finally published!

Posted by Xavier Ashe on July 24, 2012

This publication took longer to get through the gears of IBM, but it’s now publicly available. Don’t forget, this guide covers transitioning from IBM Tivoli Compliance Insight Manager (TCIM) as well.

Click here to download the IBM Tivoli Security Information and Event Manager to IBM QRadar Transition Guide.

Abstract:

IBM Tivoli Security Information and Event Manager (TSIEM) was developed as a compliance management monitoring and reporting product for various operating systems, applications and devices. IBM acquired Q1 Labs in 2011 with its industry-leading security intelligence platform QRadar, providing a security solution that can be used across the entire network.

Anyone who is planning a transition of TSIEM to QRadar should read this document first to deter-mine what steps should be considered to create a transition plan. This document provides a high level description of the steps rather than the detailed technical description of how to perform the actual transition. Tooling is not part of this document although the description may help in designing such tooling. IBM Services or any other IBM Business Partner can help produce the appropriate toolbox to automate the transition. The customer should be prepared to keep their TSIEM installation to support historical reporting or log archive management to meet their compliance or audit requirements. This transition document therefore should only address the replacement of TSIEM by QRadar within the context of regulatory compliancy.

This document will provide a basic overview of TSIEM to QRadar data migration capabilities and options, as well as data storage principles.

Posted in IBM, QRadar, Security Intelligence, TCIM, TSIEM | Leave a Comment »

Transitioning from TSIEM to QRadar – Terminology

Posted by Xavier Ashe on May 21, 2012

The transition guide from IBM Tivoli Security Information and Event Manager (TSIEM) to IBM QRadar is essentially complete. I still have to get it formatted to the standard template, though. We are also figuring out internally where to post it officially, but once I fix the formatting, it will be available here.

Until then, you can wet your appetite with this terminology chart.

TSIEM

QRadar

Agent Adaptive Log Exporter, Event Processor
Agent group Log Source Group
Alerts Rule Response
Archiving Data Backup & Restore
Audited machine Asset and/or Log Source
Backup & Restore Backup & Restore
Chunk No equivalent – data is stored together in Ariel
Compliance Dashboard Dashboard
Compliance Management Module No equivalent – all reports are included in QRadar
Consolidation component Magistrate
Credential Store Credentials are stored in Postgres
Depot Ariel
Distribution Email distribution is configured within the report definition
Enterprise Server 31xx console in a distributed deployment
Event Source Log Source
Forensics component Payload search (with optional indexing)
Group Definitions Building Block
GSL Parser Universal Device Support Module (uDSM) XML file
GML Mapper Map Event – available in the GUI
Launchpad (Tivoli Integrated Portal) Console GUI
Log Continuity Report No equivalent due to use of syslog for most log sources
Log History Report QRadar report called “Errors and Failures”
Log Manager Dashboard Log Sources in the Admin tab
Log Management Activity Report QRadar report: (Daily, Weekly, or Monthly) Log/Event Distribution by Category
Log Management component QRadar Log Manager
Log Management Depot Investigation

Tool

Payload search (with optional indexing)
Log Management Retrieval Tool >“Raw Log” view in Log Activity
Normalization component Built-in to QRadar, required part of the event processor
Policy Building Block
Policy Explorer/Editor Rules/Building Blocks Editor
Policy Generator QRadar Tuning Guide
Regulations Contained within QRadar reports
Reporting Database No equivalent – QRadar is real-time, with all data going into the same Ariel datastore
Security Information Management (SIM) component Security Information and Event Management (SIEM) component
Security Group All QRadar deployments use one User store, the console appliance, unless external authentication is configured
Scoping User Role (scope by network hierarchy) and User Account (scope by Log Sources)
Significance Magnitude
Special Attention Rule Building Block or Rule
Standard Server All-in-one Console
Trending Time Series
User Information Source Reference Set
User Roles User Roles
W7 No equivalent term, but QRadar has a standard normalization scheme as well

Posted in IBM, QRadar, Security, TSIEM | Tagged: | Leave a Comment »

TSOM, TSIEM, and QRadar at IBM Pulse

Posted by Xavier Ashe on March 5, 2012

IBM Pulse has begun in Las Vegas!  Monday morning I will be presenting at the “Proven Practices Workshop: Security” from 10-11am in the Expo Theater 1.  I will have copies of the pre-release version of “Transitioning from Tivoli Security Operations Manager to QRadar” Redpaper, but all you blog followers out there can get it here.

Transitioning from TSOM to QRadar v1.0

I will be getting this submitted as an official IBM Redpaper.  I’m still working on the TSIEM to QRadar paper, but I’ll be talking about it tomorrow.

Posted in IBM, QRadar, TSIEM, TSOM | 2 Comments »

Transitioning from TSOM to QRadar – Terminology

Posted by Xavier Ashe on February 21, 2012

I am getting close to my first draft of the Tivoli Security Operations Manager (TSOM) to QRadar. Here’s a peek of one useful chart, Transition Terminology. Feedback is appreciated!

Tivoli Security Operations Manager QRadar

Action (rules)

Response

Audit (internal audit)

Audit

Atomic Threat Score

Magnitude

Auto Configuration (EAM)

Auto Discovery

Central Management Server (CMS)

Console

Condition (rules)

Condition

Conduit

Protocol

Correlation Engine

Magistrate

Device Rules

Device Support Module

Event Aggregation Module

Event Processor and Event Collector

Event Class

Category (low-level and high-level)

Event Console

No term, but its the default view once click on the Log Activity Tab

Event Element (rules)

Event Property

Event Filter (EAM)

Routing Rule

Event Filter (Powergrid, Event Viewer)

Search, Saved Search

Event Filter (Event Class)

Classification is handle automatically

Event Filter (Rules)

Rule Test

Event Rate

Events per Second (EPS)

Event Severity

Severity

Event Type

Event Name

Firewall Blocking (OPSEC)

Trusted Networking Computing (TNC) and Interface For Metadata Access Points (IF-MAP)

Geoserver

Geographic Networks

Group (user)

No equivalent

Host

Asset

Host Asset Weight

Asset Weight

Host Criticality Weight

Asset Weight

Host Investigation Tool

Right Click Menu

Host Query (rule condition)

Host Profile Tests

Keystore

No equivalent, automatically managed

Knowledge Base

Offense Notes

Location

Location

Master Netblock

No equivalent

Meta-event

Dispatch New Event

Netblock

Network (Network Hierarchy or Remote Network)

Netblock Asset Weight

Network Weight

Netblock Source Threat

Network Weight

Password Policy

No equivalent

PowerGrid

No term, but you view events in the Log Activity tab. Once you group log data using the Display list box, the log view operates similar to the PowerGrid

Reports

Reports

Role (user)

Role

Security Content (import script)

Content comes preloaded and is updated via Automatic Update.

Security Domain

Network Hierarchy

Sensor

Log Source

Sensor Class

Log Source Group

Sensor Type

Log Source Type

Simple Condition (rule)

Rule Test

State Action (complex state)

Handled automatically when you create a Function Test

State Condition (complex)

Function – Sequence Test

State Condition (simple)

Function – Counter Test

State Table

Handled automatically when you create a Function Test

Stateful Action

Handled automatically when you create a Function Test

Stateful Rules

Rules

System Configuration

System Configuration

System Status

System Monitoring Dashboard

Threat Correlation (statistical correlation)

No term, but the Magnitude is calculated in a similar manner as the Threat Score.

Threat Parameter

No Equivalent – Handled automatically

Ticket

Offense

Token

No Equivalent

Top Sources and Top Destinations

Can be viewed in the Log Activity tab

Universal Collection Agent

Adaptive Log Exporter and tail2syslog script

User Account

User Account

Vulnerability

Vulnerability

Vulnerability Import

Vulnerability Assessment

Watchlist

Reference Set

Posted in QRadar, TSOM | 2 Comments »

Transitioning From TSIEM and/or TSOM to QRadar – Intro

Posted by Xavier Ashe on February 7, 2012

Hello SIEM world. I have been working with IBM SIEM products for years now and we have come along way. Some products can grow with the changing tides of customer needs, while other times we must leapfrog the competition and acquire a new technology. I am so excited to get to work with the new products from Q1 Labs, QRadar and QRisk Manager. We still have TSIEM and TSOM available, but a couple of customers have asked me about transitioning to QRadar. I will be at IBM Pulse this year covering the topic. I’ve decide to post my materials here as I develop them.

Tivoli Security Operations Manager, or TSOM, is used for automating the tasks of a Security Operations Center (SOC), big or small. It’s real-time and statistical correlation allows customers to automate many responses to events and manage large amounts of data from a vast collection of endpoints, mostly networking and security devices. It enabled security personnel to quickly drive to the source of a problems or flag it as a false positive.

Tivoli Security Information and Event Manager, or TSIEM, is used to develop rich reporting for user based activities. The tool collects from operating systems, databases, and applications, allowing customers to track user activities throughout their network. The resulting reports were meaningful and concise, allowing for reports to be consumed by non-technical staff and auditors to pass compliance.

To get the best of both worlds, we integrated the two to get a powerful, flexible architecture. The two products work very well together, getting the best out of both worlds, security and user compliance. I’ve deployed this dual architecture all over the world (and still have at least more more to do this year).

Now we have added QRadar from Q1 Labs to the mix. QRadar is a powerful security analytics tool that brings unbridled flexibility to the SIEM space. It’s distributed architecture allows for 10-20 times (at least) the events per seconds that TSOM or TSIEM could do, opening the door to new environments for SIEM. One of my favorite features is the Netflow and QFlow analyzers. I’ll be posting a customer story soon about how the combination of event data and flow data allowed us to find an infected host behind a firewall and Citrix server. With QRadar, you get ease of use, tons of automatically updated security content, plus enough flexibility to get this old services guy excited. As the product stands today, I can configure it to do some amazing things. Plus the roadmap is chock full of even more features.

So while you can still get TSOM and TSIEM from IBM, I can see the excitement around QRadar. It’s a whole new class of product and I join you in the excitement. As I develop material around transitioning, I’ll post it here. I think I’ll probably end up writing another Redpaper, like I did when we transitioned from Tivoli Risk Manager to TSOM. If you are going to be at IBM Pulse, please drop me a line. I’d love to hear how you’re using the tools and how I can be of service. Just think about it like this: Go to Pulse and get free consulting!

Posted in IBM, QRadar, Security, Security Intelligence, TSIEM, TSOM | Leave a Comment »

 
%d bloggers like this: