The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Archive for the ‘TSIEM’ Category

TSIEM to QRadar Transition Guide, finally published!

Posted by Xavier Ashe on July 24, 2012

This publication took longer to get through the gears of IBM, but it’s now publicly available. Don’t forget, this guide covers transitioning from IBM Tivoli Compliance Insight Manager (TCIM) as well.

Click here to download the IBM Tivoli Security Information and Event Manager to IBM QRadar Transition Guide.

Abstract:

IBM Tivoli Security Information and Event Manager (TSIEM) was developed as a compliance management monitoring and reporting product for various operating systems, applications and devices. IBM acquired Q1 Labs in 2011 with its industry-leading security intelligence platform QRadar, providing a security solution that can be used across the entire network.

Anyone who is planning a transition of TSIEM to QRadar should read this document first to determine what steps should be considered to create a transition plan. This document provides a high level description of the steps rather than the detailed technical description of how to perform the actual transition. Tooling is not part of this document although the description may help in designing such tooling. IBM Services or any other IBM Business Partner can help produce the appropriate toolbox to automate the transition. The customer should be prepared to keep their TSIEM installation to support historical reporting or log archive management to meet their compliance or audit requirements. This transition document therefore should only address the replacement of TSIEM by QRadar within the context of regulatory compliance.

This document will provide a basic overview of TSIEM to QRadar data migration capabilities and options, as well as data storage principles.

Posted in IBM, QRadar, Security Intelligence, TCIM, TSIEM | Leave a Comment »

Transitioning from TSIEM to QRadar – Terminology

Posted by Xavier Ashe on May 21, 2012

The transition guide from IBM Tivoli Security Information and Event Manager (TSIEM) to IBM QRadar is essentially complete. I still have to get it formatted to the standard template, though. We are also figuring out internally where to post it officially, but once I fix the formatting, it will be available here.

Until then, you can whet your appetite with this terminology chart.

TSIEM | QRadar

Agent | Adaptive Log Exporter, Event Processor
Agent group | Log Source Group
Alerts | Rule Response
Archiving | Data Backup & Restore
Audited machine | Asset and/or Log Source
Backup & Restore | Backup & Restore
Chunk | No equivalent – data is stored together in Ariel
Compliance Dashboard | Dashboard
Compliance Management Module | No equivalent – all reports are included in QRadar
Consolidation component | Magistrate
Credential Store | Credentials are stored in Postgres
Depot | Ariel
Distribution | Email distribution is configured within the report definition
Enterprise Server | 31xx console in a distributed deployment
Event Source | Log Source
Forensics component | Payload search (with optional indexing)
Group Definitions | Building Block
GSL Parser | Universal Device Support Module (uDSM) XML file
GML Mapper | Map Event – available in the GUI
Launchpad (Tivoli Integrated Portal) | Console GUI
Log Continuity Report | No equivalent due to use of syslog for most log sources
Log History Report | QRadar report called “Errors and Failures”
Log Manager Dashboard | Log Sources in the Admin tab
Log Management Activity Report | QRadar report: (Daily, Weekly, or Monthly) Log/Event Distribution by Category
Log Management component | QRadar Log Manager
Log Management Depot Investigation Tool | Payload search (with optional indexing)
Log Management Retrieval Tool | “Raw Log” view in Log Activity
Normalization component | Built-in to QRadar, required part of the event processor
Policy | Building Block
Policy Explorer/Editor | Rules/Building Blocks Editor
Policy Generator | QRadar Tuning Guide
Regulations | Contained within QRadar reports
Reporting Database | No equivalent – QRadar is real-time, with all data going into the same Ariel datastore
Security Information Management (SIM) component | Security Information and Event Management (SIEM) component
Security Group | All QRadar deployments use one User store, the console appliance, unless external authentication is configured
Scoping | User Role (scope by network hierarchy) and User Account (scope by Log Sources)
Significance | Magnitude
Special Attention Rule | Building Block or Rule
Standard Server | All-in-one Console
Trending | Time Series
User Information Source | Reference Set
User Roles | User Roles
W7 | No equivalent term, but QRadar has a standard normalization scheme as well

Posted in IBM, QRadar, Security, TSIEM | Tagged: | Leave a Comment »

TSOM, TSIEM, and QRadar at IBM Pulse

Posted by Xavier Ashe on March 5, 2012

IBM Pulse has begun in Las Vegas!  Monday morning I will be presenting at the “Proven Practices Workshop: Security” from 10-11am in the Expo Theater 1.  I will have copies of the pre-release version of “Transitioning from Tivoli Security Operations Manager to QRadar” Redpaper, but all you blog followers out there can get it here.

Transitioning from TSOM to QRadar v1.0

I will be getting this submitted as an official IBM Redpaper.  I’m still working on the TSIEM to QRadar paper, but I’ll be talking about it tomorrow.

Posted in IBM, QRadar, TSIEM, TSOM | 2 Comments »

Transitioning From TSIEM and/or TSOM to QRadar – Intro

Posted by Xavier Ashe on February 7, 2012

Hello SIEM world. I have been working with IBM SIEM products for years now and we have come a long way. Some products can grow with the changing tides of customer needs, while other times we must leapfrog the competition and acquire a new technology. I am so excited to get to work with the new products from Q1 Labs, QRadar and QRisk Manager. We still have TSIEM and TSOM available, but a couple of customers have asked me about transitioning to QRadar. I will be at IBM Pulse this year covering the topic. I’ve decided to post my materials here as I develop them.

Tivoli Security Operations Manager, or TSOM, is used for automating the tasks of a Security Operations Center (SOC), big or small. Its real-time and statistical correlation allows customers to automate many responses to events and manage large amounts of data from a vast collection of endpoints, mostly networking and security devices. It enabled security personnel to quickly drive to the source of a problem or flag it as a false positive.

Tivoli Security Information and Event Manager, or TSIEM, is used to develop rich reporting for user-based activities. The tool collects from operating systems, databases, and applications, allowing customers to track user activities throughout their network. The resulting reports were meaningful and concise, allowing for reports to be consumed by non-technical staff and auditors to pass compliance.

To get the best of both worlds, we integrated the two to get a powerful, flexible architecture. The two products work very well together, getting the best out of both worlds, security and user compliance. I’ve deployed this dual architecture all over the world (and still have more to do this year).

Now we have added QRadar from Q1 Labs to the mix. QRadar is a powerful security analytics tool that brings unbridled flexibility to the SIEM space. Its distributed architecture allows for 10-20 times (at least) the events per second that TSOM or TSIEM could do, opening the door to new environments for SIEM. One of my favorite features is the Netflow and QFlow analyzers. I’ll be posting a customer story soon about how the combination of event data and flow data allowed us to find an infected host behind a firewall and Citrix server. With QRadar, you get ease of use, tons of automatically updated security content, plus enough flexibility to get this old services guy excited. As the product stands today, I can configure it to do some amazing things. Plus the roadmap is chock full of even more features.

So while you can still get TSOM and TSIEM from IBM, I can see the excitement around QRadar. It’s a whole new class of product and I join you in the excitement. As I develop material around transitioning, I’ll post it here. I think I’ll probably end up writing another Redpaper, like I did when we transitioned from Tivoli Risk Manager to TSOM. If you are going to be at IBM Pulse, please drop me a line. I’d love to hear how you’re using the tools and how I can be of service. Just think about it like this: Go to Pulse and get free consulting!

Posted in IBM, QRadar, Security, Security Intelligence, TSIEM, TSOM | Leave a Comment »
