The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Archive for the ‘Security Intelligence’ Category

Harvard-ITSecurity / qradar-seculert-push

Posted by Xavier Ashe on December 14, 2012

What is it?

A way to grab Seculert’s Crime Servers and Threat Intelligence Records (via their API) and push them into QRadar’s Remote Networks, which then you can build Rules upon. The beauty of this is that in reality it shows you how to more generally push custom “BAD” IPs/Networks into QRadar and auto-deploy them. You can use any list of IPs/networks. If it’s CSV, it should be an absolute breeze to import.

How does it work?

You need to go into ‘seculert_qradar.pl’ and edit the ‘#START USER CONFIG’ section. The first variable you will see is the “seculert” api key – which you can get from your Seculert account (fantastic service http://seculert.com), but again, this can be easily be any CSV list. The idea is that you download both feeds and convert them into the “IP” format that QRadar understands with the “Network” (in this case ‘SECULERT’) ID and the Sub-ID (in this case ‘CS’ and ‘TIR’). Then you pull the existing remotenet.conf file, and prune out the old SECULERT list, and then merge in the new one that you just pulled. Then you upload the new file back to QRadar and auto-trigger the deployment (here is the real qradar magic).

Read more and get the script on GitHub.

Advertisements

Posted in IBM, QRadar, Security Intelligence | Leave a Comment »

New features in QRadar 7.1

Posted by Xavier Ashe on October 29, 2012

Stolen from the QRadar 7.1 Release notes:

 

  • Upgraded Operating System – QRadar 7.1 includes a substantial upgrade to the operating system. During the upgrade process on your system, the following operating system updates occur:
    • For systems that previously used the CentOS operating system, the operating system is replaced with the Red Hat Linux 6.2 operating system.
    • For systems that previously used the Red Hat Linux 5.7 operating system, the operating system is upgraded to the Red Hat Linux 6.2 operating system.

      If your system is configured with off-board storage solutions, you are required to remount your storage solutions during the upgrade process. We recommend that you carefully read the Upgrading to QRadar Release 7.1 Guide and the Reconfiguring Offboard Storage After Upgrading to QRadar 7.1 Technical Note.

  • New WinCollect Agent – QRadar 7.1 introduces WinCollect and the WinCollect agent for collecting and managing Windows-based events using the Admin tab in QRadar. For more information on WinCollect, see the WinCollect User Guide.
  • New Vulnerability Details Page on the Assets Tab – QRadar 7.1 introduces the Research Vulnerability Details window, which you can access from the Assets tab. The Research Vulnerability Details window provides information about known vulnerabilities detected by third-party scanners. Vulnerability information and identifiers are sourced from external references, such as the Open Source Vulnerability Database (OSVDB) and National Vulnerability Database (NVDB). QRadar 7.1 also includes the ability to import vulnerability data from scanners that do not store data with OSVDB or NVDB references, such as IBM Appscan Enterprise.
  • New Index Management – The Index Management feature is accessed from the Admin tab. Index Management allows you to control database indexing event properties. By enabling indexing on event properties, you can optimize the speed of your searches.
  • New Dedicated Event Collector Appliance and Supporting Store and Forward – QRadar 7.1 introduces the QRadar 1501 appliance, which is a dedicated Event Collector. This appliance is also available as the QRadar 1590 virtual appliance.
  • Using Store and Forward accessed from the Admin tab, you can now store events on your dedicated Event Collector during your business hours. These events can be forwarded to an Event Processor during periods of time when the transmission does not negatively affect your network bandwidth. For example, you can configure a dedicated Event Collector to only forward events to an Event Processor during non-business hours, such as midnight until 6 AM.
  • Updated VFlow Collector Installation Procedure – The VFlow Collector installation procedure is updated to make the process consistent with the virtual appliance installation process. For more information, see the QRadar Installation Guide.

Posted in IBM, QRadar, Security, Security Intelligence | Leave a Comment »

TSIEM to QRadar Transition Guide, finally published!

Posted by Xavier Ashe on July 24, 2012

This publication took longer to get through the gears of IBM, but it’s now publicly available. Don’t forget, this guide covers transitioning from IBM Tivoli Compliance Insight Manager (TCIM) as well.

Click here to download the IBM Tivoli Security Information and Event Manager to IBM QRadar Transition Guide.

Abstract:

IBM Tivoli Security Information and Event Manager (TSIEM) was developed as a compliance management monitoring and reporting product for various operating systems, applications and devices. IBM acquired Q1 Labs in 2011 with its industry-leading security intelligence platform QRadar, providing a security solution that can be used across the entire network.

Anyone who is planning a transition of TSIEM to QRadar should read this document first to deter-mine what steps should be considered to create a transition plan. This document provides a high level description of the steps rather than the detailed technical description of how to perform the actual transition. Tooling is not part of this document although the description may help in designing such tooling. IBM Services or any other IBM Business Partner can help produce the appropriate toolbox to automate the transition. The customer should be prepared to keep their TSIEM installation to support historical reporting or log archive management to meet their compliance or audit requirements. This transition document therefore should only address the replacement of TSIEM by QRadar within the context of regulatory compliancy.

This document will provide a basic overview of TSIEM to QRadar data migration capabilities and options, as well as data storage principles.

Posted in IBM, QRadar, Security Intelligence, TCIM, TSIEM | Leave a Comment »

Transitioning From TSIEM and/or TSOM to QRadar – Intro

Posted by Xavier Ashe on February 7, 2012

Hello SIEM world. I have been working with IBM SIEM products for years now and we have come along way. Some products can grow with the changing tides of customer needs, while other times we must leapfrog the competition and acquire a new technology. I am so excited to get to work with the new products from Q1 Labs, QRadar and QRisk Manager. We still have TSIEM and TSOM available, but a couple of customers have asked me about transitioning to QRadar. I will be at IBM Pulse this year covering the topic. I’ve decide to post my materials here as I develop them.

Tivoli Security Operations Manager, or TSOM, is used for automating the tasks of a Security Operations Center (SOC), big or small. It’s real-time and statistical correlation allows customers to automate many responses to events and manage large amounts of data from a vast collection of endpoints, mostly networking and security devices. It enabled security personnel to quickly drive to the source of a problems or flag it as a false positive.

Tivoli Security Information and Event Manager, or TSIEM, is used to develop rich reporting for user based activities. The tool collects from operating systems, databases, and applications, allowing customers to track user activities throughout their network. The resulting reports were meaningful and concise, allowing for reports to be consumed by non-technical staff and auditors to pass compliance.

To get the best of both worlds, we integrated the two to get a powerful, flexible architecture. The two products work very well together, getting the best out of both worlds, security and user compliance. I’ve deployed this dual architecture all over the world (and still have at least more more to do this year).

Now we have added QRadar from Q1 Labs to the mix. QRadar is a powerful security analytics tool that brings unbridled flexibility to the SIEM space. It’s distributed architecture allows for 10-20 times (at least) the events per seconds that TSOM or TSIEM could do, opening the door to new environments for SIEM. One of my favorite features is the Netflow and QFlow analyzers. I’ll be posting a customer story soon about how the combination of event data and flow data allowed us to find an infected host behind a firewall and Citrix server. With QRadar, you get ease of use, tons of automatically updated security content, plus enough flexibility to get this old services guy excited. As the product stands today, I can configure it to do some amazing things. Plus the roadmap is chock full of even more features.

So while you can still get TSOM and TSIEM from IBM, I can see the excitement around QRadar. It’s a whole new class of product and I join you in the excitement. As I develop material around transitioning, I’ll post it here. I think I’ll probably end up writing another Redpaper, like I did when we transitioned from Tivoli Risk Manager to TSOM. If you are going to be at IBM Pulse, please drop me a line. I’d love to hear how you’re using the tools and how I can be of service. Just think about it like this: Go to Pulse and get free consulting!

Posted in IBM, QRadar, Security, Security Intelligence, TSIEM, TSOM | Leave a Comment »

Rise, ancient unused blog! Be Reborn!

Posted by Xavier Ashe on January 16, 2012

Hello World. This poor under used blog needs some love. There is much to talk about. Starting at the beginning of this year IBM create a new software division for most of it’s security software. So I no longer work for Tivoli, but am a proud member of IBM Security Systems. Yes, unfortunately we are using the same ISS acronym. That will make things confusing, so I will do my best to clear things up. ISS is now a full fledged software brand, just like Tivoli, Websphere, Rational and Lotus.

What will I be doing in the new org? I am still in services, meaning that I still am focusing on making out products work for our customers. I’m not in sales, but occasionally help our sales teams. I not in development, but give lots of feedback to our product managers. I build solutions for our customers, and look to build tools and documentation to make it easier and more productive to implement IBM Security Systems.

We have a broad portfolio in the ISS division now, but I will be focusing on Security Intelligence and Data Protection. In particular I am focusing on the recent Q1 Labs acquisition and ensuring their success under big blue. I will be writing future posts about TSOM, TSIEM and QRadar, so stay tuned. I just needed to get this “first post” out the way.

Posted in IBM, ISS, Security Intelligence | 1 Comment »

 
%d bloggers like this: