IBM QRadar Security Information & Event

Management (SIEM)

Padmaja Deshmukh
Senior Consultant, IBM Security Services

9th January 2019

 Agenda

• SIEM Overview
• Key capabilities of IBM QRadar SIEM solution
• IBM QRadar Deployments
• QRadar Architecture
• Event Pipeline
• Demonstration of the QRadar Dashboard
• Log Activity - Events and Offenses
• Building blocks and Rules
• Reports

2 IBM Security
 SIEM Overview

A SIEM solution is a DETECTIVE system not a “Repressive” or “corrective”. Means it

cannot take action, it can supply information and intelligence, but not “do something”.
1. Alert on “real-time exploits”
2. Assist with compliance auditing
3. Assist in forensic investigation

3 IBM Security
 Solution for full compliance and Security Intelligence Timeline

Are we configured to
What are External & What is happening right
protect against these What was the Impact ?
Internal Threats ? now ?
threats ?

Vulnerability Pre-Exploit Exploit Post-Exploit

Remediation

PREDICTION / PREVENTION PHASE REACTION / REMEDIATION PHASE

QRadar Risk Incident

SIEM & UBA Incident
Vulnerability Manager Response
Forensics
Manager (QVM)

Security Intelligence

4 IBM Security
 Key QRadar SIEM Capabilities

▪ Ability to process security-relevant data from a wide variety of sources like firewall,
routers, servers etc.
▪ Collection, Normalization, Correlation, and Secure storage of raw events, network flows,
vulnerabilities, assets, and threat intelligence data.
▪ Layer 7 payload capture.
▪ Comprehensive search capabilities
▪ Monitor host and network behavior changes that could indicate an attack or policy breach
such as these examples - Off hours or excessive usage of an application or network
activity patterns inconsistent with historical profiles.
▪ Prioritization of suspected attacks and policy breaches.

5 IBM Security
 Contd..

▪ Notification by email, SNMP, and others.

▪ Many generic reporting templates included.
▪ Scalable architecture to support large deployments.
▪ Single user interface

6 IBM Security
 QRadar Deployments

▪ QRadar offers a lot of flexibility in how it is deployed. It offers deployment options on

Appliances or customer purchased hardware, You can also deploy to VMware or Cloud.
▪ In this deck we will be covering building a deployment from a basic All in One to a more
complex system with many managed hosts.

ON PREM AS A SERVICE CLOUD HYBRID

7 IBM Security
 Contd..

Console
▪ “BRAIN" of the deployment.
▪ All configuration is done here.
▪ The Console also hosts the web interface.
Managed Host
▪ These are the little worker bees.
▪ They collect event and flow data, store the data locally, and are searchable via the
console.
▪ Managed hosts come in several different forms like Event Collector, Event processor,
Flow Collector, Flow processor, Data Node.

8 IBM Security
 QRadar Components

Console
▪ Provides the QRadar product user interface.
Event Collector
▪ Gathers events from local and remote log sources.
▪ Normalizes raw log source events.
Event Processor
▪ Processes events that are collected from one or more Event Collector components.
▪ The Event Processor correlates the information from QRadar products and distributes
the information to the appropriate area, depending on the type of event.

9 IBM Security
 Contd..

Flow Collector
▪ Passively collects traffic flows from your network through span ports or network taps.
▪ The IBM Security QRadar QFlow Collector also supports the collection of external flow-
based data sources, such as NetFlow, J-Flows.
Flow Processor
▪ The Flow Processor processes flows from one or more QRadar QFlow Collector
appliances.
Data Node
▪ Data Nodes enable new and existing QRadar deployments to add storage and
processing capacity on demand as required.
▪ Data Nodes help to increase the search speed in your deployment by providing more
hardware resources to run search queries on.

10 IBM Security
 QRadar Data Sources

QRadar receives and processes data from three primary sources:

1. Events - Messages or events of interest that are sent from various security devices on
a customer network. Typically sent over syslog but many other protocol sources are
supported.
2. Flows - A flow represents the network traffic / connection between two entities on your
network. At any given time, a flow is unique by 5 tuple – Source IP, Dest IP, SourcePort,
Dest Port, protocol.
3. Vulnerabilities - The rest of actively scanning the assets on a customer network to find
open ports and vulnerable services.

11 IBM Security
 QRadar Data Flow

Vulnerabilities
Events Flows

Reports
Vuln Integration
Service

Historical
Event / Flow
Flow Processor Correlation
Collector
Tomcat
Asset Profiler
Event / Flow
Processor Searches

Ariel Database
Accumulator

Offline Users
Magistrate
Forwarder

Postgress Database

12 IBM Security
 Arial Components

Arial Proxy Arial Query

server Server

Event / Flow Offline

Processor Forwarder

Ariel Database

Accumulator

13 IBM Security
 Event Pipeline

14 IBM Security
 Event Collector Component

Protocol

Throttle Filter
(Licensing)

Event Collector Identity Information Parsing

(EC) (to AP)
(DSM / LSX)

Coalescing
Event Processor

Event Forwarding
Magistrate

Event Correlation Server

EC - Responsible for parsing and normalizing incoming events.

15 IBM Security
 Contd..

▪ Protocols – Reads or pulls raw data from network devices.

▪ Licensing – On a second by second basis, slows down the incoming rate so it does not
exceed the license on the appliance.
▪ Parsing – DSMs / LSX / CEP – take the raw data and normalize it into a common
structure.
▪ Coalescing “Event Compression” – Find nearly identical events and delete one and
increase the event count on the record. Key is: source IP, dest IP, dest port, QID,
username.
▪ Event Forwarding – Applies routing rules for the system

16 IBM Security
 Event Processor Component

Event Collector
Custom Rules Engine
(EC)
(CRE) Correlation

Event Processor
Storage & Indexing in
Ariel

Magistrate
Streaming (real-time
view in the search
Event Correlation Server screen)

EP – Responsible for correlation and storage

17 IBM Security
 Contd..

▪ CRE – Applies the correlation rules that were created in the UI.
▪ Storage – Streams the incoming events to ariel data files and indexes on the fly.
▪ Streaming – Responsible for the “real time (streaming)” view in the event viewers.

18 IBM Security
 Magistrate Component

Event Collector
(EC)
Offense Rules
Event Processor
(EP)

Offense Management
Magistrate

Offense Storage

Magistrate – Responsible for correlating offenses with event notifications from multiple
Event Processor (EP) components. Only the Console will have a Magistrate component.

19 IBM Security
 Contd..

▪ Offense rules - Monitors and takes actions on offenses, such as generating email
notifications.
▪ Offense management - Updates active offenses, transitioning inactive offenses to active
and provides access to offense information to the user through the Offenses tab.
▪ Offense storage - Writes offense data to a Postgres database.

20 IBM Security
 QRadar Dashboard

▪ The Dashboard tab is the default view when you log in.
▪ It provides a workspace environment that supports multiple dashboards on which you
can display your views of network security, activity, or data that is collected.
▪ You can customize your dashboards to display and organize the dashboards items that
meet your network security requirements.
▪ The content that is displayed on the Dashboard tab is user-specific.
▪ 255 dashboards per user is the maximum; however, performance issues might occur if
you create more than 10 dashboards.
▪ Move and position items to meet your requirements. When you position items, each item
automatically resizes in proportion to the dashboard.

21 IBM Security
 Demonstration of the QRadar Dashboard

22 IBM Security
 Custom Rule Engine (CRE) - Rules Vs Building Blocks

Building blocks
▪ Just like rules – except no actions or responses
▪ Only executed if there is another rule or building block that depends on it
Rules
▪ Actions and responses
▪ The rule reader examines the rules, figures out dependencies, and orders the rule
execution accordingly.

23 IBM Security
 Global versus Local Rules

Local Rule
It evaluates the rule tests against the local appliance to trigger the rule. This is the default
action.
Global Rule
It means that the CRE on the Console tracks the event matches as provided by each
managed host in the deployment. As partial matches are made or counters need to be
updated, each managed host sends an update to the CRE on the Console. When the
overall rule becomes true, the Console triggers the rule response.
Be mindful of bandwidth and load on the console!

24 IBM Security
 Offenses – How does the CRE fits in ?

CRE
▪ Analyses incoming data and picks out the bad bits based on the rules provided.
▪ Anything flagged as bad (“contribute to offense”) to be sent to magistrate

Magistrate
▪ Takes all of the “evidence” and creates offenses – or cases based on it.

25 IBM Security
 Investigating an offense

The Magnitude rating of an offense is calculated based on Relevance, Severity, and

Credibility.

▪ Relevance : It determines the impact of the offense on your network. For example, if
a port is open, the relevance is high.

▪ Credibility : It indicates the integrity of the offense as determined by the credibility

rating that is configured in the log source. Credibility increases as multiple sources
report the same event.

▪ Severity : It indicates the level of threat that a source poses in relation to how
prepared the destination is for the attack.

26 IBM Security
 Contd..

▪ Top 5 Source IPs

▪ Top 5 Destination IPs
▪ Top 5 Log Sources
▪ Top 5 Users
▪ Top 5 Categories
▪ Last 10 Events
▪ Last 10 Flows
▪ Annotations
▪ Offense Summary Toolbar

27 IBM Security
 Acting on an Offense

▪ Follow up: Choose if you want to revisit the offense.

▪ Hide: Use with caution because QRadar SIEM still
updates the offense; alarming updates can stay
hidden.
▪ Protect Offense: Prevent QRadar SIEM from
deleting the offenses.
▪ Close: When you have resolved the offense, close
it.
▪ Assign: Delegate the offense to another QRadar
SIEM user.

28 IBM Security
 Asset Profiles

▪ An asset is any type of system or host in the network

▪ Asset profiles store a wealth of information about the system resources, such as these
examples
- Name
- IP addresses
- Operating system
- Vulnerabilities
- Services
- Other resource information
▪ Use asset profiles to investigate each source and destination IP address of an offense

29 IBM Security
 Contd..

Asset information is used throughout QRadar SIEM. For example, if a source attempts to
attack a specific service running on a specific asset, QRadar SIEM can determine if the
asset is vulnerable to this attack by correlating the attack to the asset profile.

Note : QRadar SIEM is not a full-fledged asset management system.

30 IBM Security
 Reports

Instructor Demonstration of the QRadar Reports

31 IBM Security
 User Interface – Admin Tab

32 IBM Security
 High Availability (HA)

▪ QRadar’s HA feature allows you to build redundancy into your deployment to defend
against hardware failure. When deploying HA you create a HA Cluster consisting of a
primary and secondary node, ideally the hardware will be identical.
▪ Failover takes 3-10 minutes depending on the hardware class and function in the
deployment.
▪ Consoles take the longest to fail over since there are more services to restart.
▪ A VIP ( Virtual IP ) is shared between the two nodes in the cluster, when a failover is
detected the surviving appliance assumes control of the VIP.

33 IBM Security
 HA - DRBD

The Nodes are synced together using a combination of DRBD for Ariel and Postgres data
and rsync for configuration files. By using DRBD for Ariel we ensure data integrity within the
cluster.

What is DRBD and how do we use it?

• DRBD ( Distributed Replicated Block Device ) is a method of replicating block device
storage within linux. It replicates all data including the filesystem to the secondary node.
• When a QRadar appliance is configured as a node in an HA cluster the /store partition is
layered with DRBD to allow replication of all Data written to the partition.
• The QRadar implementation of DRBD runs in synchronous mode. This means that all
data written on the Active node is replicated to the Standby node before the write is
considered complete. This keeps the Primary and Secondary Node in perfect sync.
• Because DRBD is run in synchronous mode it is very sensitive to network speed and
latency.

34 IBM Security
 HA – Network Latency

• The connection between the primary and secondary HA host has a minimum bandwidth
of 1 gigabits per second (Gbps).
• The latency between the primary and secondary HA host is less than 2 milliseconds
(ms).
• Latency on Fiber not including switches/etc is 0.82 milliseconds per 160km, this means
when attempting to stretch HA over a WAN is extremely difficult to meet the latency and
bandwidth requirements.
• Every QRadar appliance ships with two 10 Gbps ports, if possible one of these should be
used for a crossover link between the primary and secondary node. This offers a number
of advantages including:

- Increase resiliency to network switch failure ( cable and network card become only
points of failure )
- Increase sync speed, without the crossover cable all disk replication happens over the
management interface which is often only 1Gbps

35 IBM Security
 Questions

36 IBM Security
THANK YOU
FOLLOW US ON:

ibm.com/security

securityintelligence.com
xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2017. All rights reserved. The information contained in these materials is provided for informati onal purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.