TSOM, TSIEM, and QRadar at IBM Pulse

IBM Pulse has begun in Las Vegas! Monday morning I will be presenting at the “Proven Practices Workshop: Security” from 10-11am in Expo Theater 1. I will have copies of the pre-release version of the “Transitioning from Tivoli Security Operations Manager to QRadar” Redpaper, but all you blog followers out there can get it here.

Transitioning from TSOM to QRadar v1.0

I will be getting this submitted as an official IBM Redpaper.  I’m still working on the TSIEM to QRadar paper, but I’ll be talking about it tomorrow.


Transitioning from TSOM to QRadar – Terminology

I am getting close to my first draft of the Tivoli Security Operations Manager (TSOM) to QRadar transition paper. Here is a peek at one useful chart, Transition Terminology. Feedback is appreciated!

Tivoli Security Operations Manager | QRadar

Action (rules) |
Audit (internal audit) |
Atomic Threat Score |
Auto Configuration (EAM) | Auto Discovery
Central Management Server (CMS) |
Condition (rules) |
Correlation Engine |
Device Rules | Device Support Module
Event Aggregation Module | Event Processor and Event Collector
Event Class | Category (low-level and high-level)
Event Console | No term, but it is the default view once you click on the Log Activity tab
Event Element (rules) | Event Property
Event Filter (EAM) | Routing Rule
Event Filter (PowerGrid, Event Viewer) | Search, Saved Search
Event Filter (Event Class) | Classification is handled automatically
Event Filter (Rules) | Rule Test
Event Rate | Events per Second (EPS)
Event Severity |
Event Type | Event Name
Firewall Blocking (OPSEC) | Trusted Network Connect (TNC) and Interface for Metadata Access Points (IF-MAP)
 | Geographic Networks
Group (user) | No equivalent
Host Asset Weight | Asset Weight
Host Criticality Weight | Asset Weight
Host Investigation Tool | Right Click Menu
Host Query (rule condition) | Host Profile Tests
 | No equivalent, automatically managed
Knowledge Base | Offense Notes
Master Netblock | No equivalent
 | Dispatch New Event
 | Network (Network Hierarchy or Remote Network)
Netblock Asset Weight | Network Weight
Netblock Source Threat | Network Weight
Password Policy | No equivalent
 | No term, but you view events in the Log Activity tab. Once you group log data using the Display list box, the log view operates similar to the PowerGrid
Role (user) |
Security Content (import script) | Content comes preloaded and is updated via Automatic Update
Security Domain | Network Hierarchy
 | Log Source
Sensor Class | Log Source Group
Sensor Type | Log Source Type
Simple Condition (rule) | Rule Test
State Action (complex state) | Handled automatically when you create a Function Test
State Condition (complex) | Function – Sequence Test
State Condition (simple) | Function – Counter Test
State Table | Handled automatically when you create a Function Test
Stateful Action | Handled automatically when you create a Function Test
Stateful Rules |
System Configuration | System Configuration
System Status | System Monitoring Dashboard
Threat Correlation (statistical correlation) | No term, but the Magnitude is calculated in a similar manner as the Threat Score
Threat Parameter | No equivalent, handled automatically
 | No equivalent
Top Sources and Top Destinations | Can be viewed in the Log Activity tab
Universal Collection Agent | Adaptive Log Exporter and tail2syslog script
User Account | User Account
Vulnerability Import | Vulnerability Assessment
 | Reference Set

(Rows with an empty cell are unfilled in this draft of the chart.)

Transitioning From TSIEM and/or TSOM to QRadar – Intro

Hello SIEM world. I have been working with IBM SIEM products for years now and we have come a long way. Some products can grow with the changing tides of customer needs, while other times we must leapfrog the competition and acquire a new technology. I am so excited to get to work with the new products from Q1 Labs, QRadar and QRisk Manager. We still have TSIEM and TSOM available, but a couple of customers have asked me about transitioning to QRadar. I will be at IBM Pulse this year covering the topic. I've decided to post my materials here as I develop them.

Tivoli Security Operations Manager, or TSOM, is used for automating the tasks of a Security Operations Center (SOC), big or small. Its real-time and statistical correlation allows customers to automate many responses to events and manage large amounts of data from a vast collection of endpoints, mostly networking and security devices. It enables security personnel to quickly drive to the source of a problem or flag it as a false positive.

Tivoli Security Information and Event Manager, or TSIEM, is used to develop rich reporting on user-based activities. The tool collects from operating systems, databases, and applications, allowing customers to track user activities throughout their network. The resulting reports are meaningful and concise, so they can be consumed by non-technical staff and auditors to pass compliance.

To get the best of both worlds, we integrated the two into a powerful, flexible architecture. The two products work very well together, covering both security operations and user compliance. I've deployed this dual architecture all over the world (and still have more to do this year).

Now we have added QRadar from Q1 Labs to the mix. QRadar is a powerful security analytics tool that brings unbridled flexibility to the SIEM space. Its distributed architecture allows for 10-20 times (at least) the events per second that TSOM or TSIEM could do, opening the door to new environments for SIEM. One of my favorite features is the NetFlow and QFlow analyzers. I'll be posting a customer story soon about how the combination of event data and flow data allowed us to find an infected host behind a firewall and Citrix server. With QRadar, you get ease of use, tons of automatically updated security content, plus enough flexibility to get this old services guy excited. As the product stands today, I can configure it to do some amazing things. Plus the roadmap is chock full of even more features.

So while you can still get TSOM and TSIEM from IBM, I can see the excitement around QRadar. It’s a whole new class of product and I join you in the excitement. As I develop material around transitioning, I’ll post it here. I think I’ll probably end up writing another Redpaper, like I did when we transitioned from Tivoli Risk Manager to TSOM. If you are going to be at IBM Pulse, please drop me a line. I’d love to hear how you’re using the tools and how I can be of service. Just think about it like this: Go to Pulse and get free consulting!

New Web based Training for TSOM 4.1

IBM Tivoli Security Operations Manager 4.1 – Fundamentals

Course description

In this 4-hour Web-based training course, you will use IBM Tivoli Security Operations Manager 4.1 to learn its fundamentals and operator tasks.


After completing this course, you should be able to:

  • Install and configure IBM Tivoli Security Operations Manager 4.1
  • Configure and collect events from sensors

Course outline

  1. Introduction
  2. Installation
  3. Administration
  4. Investigating Events
  5. Correlating Events

Who will benefit from this course

This course is intended for implementers and administrators who need to correlate security events.

Required skills/knowledge

  • Intrusion detection: Understand the basic concepts of intrusion detection
  • TCP/IP: Understand IP addresses, networks, and ports

Recommended courses


IBM software bundle targets retail theft, data breaches

IBM is targeting retail security with a package of software and services designed to prevent physical loss of merchandise, protect against electronic threats and comply with credit card industry regulations.

SecureStore, announced Wednesday, combines surveillance and RFID systems with software that protects online and in-store transactions, as well as software that protects databases and applications from network-based threats, IBM said. While SecureStore mainly consists of previously released products from IBM divisions such as Internet Security Systems (ISS), Tivoli and Rational, Big Blue's Val Rahmani says it is unique in that it brings together products from various parts of IBM to address one industry segment, and re-architects the products so they fit together and are optimized for retail.

Read the full article on Network World.

TSOM Redbook

Network and resource availability is critical to business and service assurance. But enterprises, federal agencies, and service providers can lose millions of dollars per year as a result of worms and other types of malware that bring down corporate resources and customer-facing services. That is why information security is one of the top concerns of every CIO in any organization. To maximize resource and service availability and protect customer information, today’s information security teams must be able to:

– Quickly recognize and handle security incidents.
– Enforce security policies.
– Support audit and compliance initiatives.

The problem is that each of these activities involves security data that resides throughout the organization. Enterprises and service providers need to be able to access and analyze this disparate data quickly and efficiently. In today's complex, multi-vendor environments that means leveraging an automated, integrated solution. In response to these challenges, IBM Tivoli Security Operations Manager, a security information and event management (SIEM) platform, is designed to improve the effectiveness, efficiency and visibility of security operations and information risk management.

This IBM Redbooks publication helps you design/create a solution using Tivoli Security Operations Manager to centralize and store security data from throughout the technology infrastructure so that you can:

– Automate log aggregation, correlation and analysis.
– Recognize, investigate and respond to incidents automatically.
– Streamline incident tracking and handling.
– Enable monitoring and enforcement of policy.
– Provide comprehensive reporting for compliance efforts.

This book is a valuable resource for security officers, administrators and architects who wish to understand and implement a security information and event management (SIEM) system.

Download the new IBM Redbook: Deployment Guide Series: IBM Tivoli Security Operations Manager 4.1

TSOM + CloudShield + ISS + Blade = Awesome

IBM (NYSE: IBM) on Tuesday introduced a blade server that supports CloudShield Technologies’ software for real-time analysis of network traffic to prevent viruses and denial of service attacks.

“The IBM BladeCenter PN41 enables service providers to manage their network, security and telecommunications technology on an integrated platform,” Jim Pertzborn, VP of telecommunications industry solutions for IBM Systems Group, said in a statement. “This integration can help service providers meet their customers' evolving requirements for data, voice and video services.” The new blade and software support are key components of IBM's hardware, software and services framework for service providers. The package also includes IBM's intrusion prevention technology and Tivoli Security Operations Manager.

Read the full article on InformationWeek. I first heard about this project about 2 years ago when I was helping develop solutions for the Telecom group at IBM. It's taken a lot of work to get this packaged together and I am glad to see it finally hit the streets. Other sites that have picked this up: