Professional Documents
Culture Documents
IBM QRadar SIEM
IBM QRadar SIEM
Management (SIEM)
Padmaja Deshmukh
Senior Consultant, IBM Security Services
• SIEM Overview
• Key capabilities of IBM QRadar SIEM solution
• IBM QRadar Deployments
• QRadar Architecture
• Event Pipeline
• Demonstration of the QRadar Dashboard
• Log Activity - Events and Offenses
• Building blocks and Rules
• Reports
2 IBM Security
SIEM Overview
3 IBM Security
Solution for full compliance and Security Intelligence Timeline
Are we configured to
What are External & What is happening right
protect against these What was the Impact ?
Internal Threats ? now ?
threats ?
Security Intelligence
4 IBM Security
Key QRadar SIEM Capabilities
▪ Ability to process security-relevant data from a wide variety of sources like firewall,
routers, servers etc.
▪ Collection, Normalization, Correlation, and Secure storage of raw events, network flows,
vulnerabilities, assets, and threat intelligence data.
▪ Layer 7 payload capture.
▪ Comprehensive search capabilities
▪ Monitor host and network behavior changes that could indicate an attack or policy breach
such as these examples - Off hours or excessive usage of an application or network
activity patterns inconsistent with historical profiles.
▪ Prioritization of suspected attacks and policy breaches.
5 IBM Security
Contd..
6 IBM Security
QRadar Deployments
7 IBM Security
Contd..
Console
▪ “BRAIN" of the deployment.
▪ All configuration is done here.
▪ The Console also hosts the web interface.
Managed Host
▪ These are the little worker bees.
▪ They collect event and flow data, store the data locally, and are searchable via the
console.
▪ Managed hosts come in several different forms like Event Collector, Event processor,
Flow Collector, Flow processor, Data Node.
8 IBM Security
QRadar Components
Console
▪ Provides the QRadar product user interface.
Event Collector
▪ Gathers events from local and remote log sources.
▪ Normalizes raw log source events.
Event Processor
▪ Processes events that are collected from one or more Event Collector components.
▪ The Event Processor correlates the information from QRadar products and distributes
the information to the appropriate area, depending on the type of event.
9 IBM Security
Contd..
Flow Collector
▪ Passively collects traffic flows from your network through span ports or network taps.
▪ The IBM Security QRadar QFlow Collector also supports the collection of external flow-
based data sources, such as NetFlow, J-Flows.
Flow Processor
▪ The Flow Processor processes flows from one or more QRadar QFlow Collector
appliances.
Data Node
▪ Data Nodes enable new and existing QRadar deployments to add storage and
processing capacity on demand as required.
▪ Data Nodes help to increase the search speed in your deployment by providing more
hardware resources to run search queries on.
10 IBM Security
QRadar Data Sources
1. Events - Messages or events of interest that are sent from various security devices on
a customer network. Typically sent over syslog but many other protocol sources are
supported.
2. Flows - A flow represents the network traffic / connection between two entities on your
network. At any given time, a flow is unique by 5 tuple – Source IP, Dest IP, SourcePort,
Dest Port, protocol.
3. Vulnerabilities - The rest of actively scanning the assets on a customer network to find
open ports and vulnerable services.
11 IBM Security
QRadar Data Flow
Vulnerabilities
Events Flows
Reports
Vuln Integration
Service
Historical
Event / Flow
Flow Processor Correlation
Collector
Tomcat
Asset Profiler
Event / Flow
Processor Searches
Ariel Database
Accumulator
Offline Users
Magistrate
Forwarder
Postgress Database
12 IBM Security
Arial Components
Ariel Database
Accumulator
13 IBM Security
Event Pipeline
14 IBM Security
Event Collector Component
Protocol
Throttle Filter
(Licensing)
Coalescing
Event Processor
Event Forwarding
Magistrate
15 IBM Security
Contd..
16 IBM Security
Event Processor Component
Event Collector
Custom Rules Engine
(EC)
(CRE) Correlation
Event Processor
Storage & Indexing in
Ariel
Magistrate
Streaming (real-time
view in the search
Event Correlation Server screen)
17 IBM Security
Contd..
▪ CRE – Applies the correlation rules that were created in the UI.
▪ Storage – Streams the incoming events to ariel data files and indexes on the fly.
▪ Streaming – Responsible for the “real time (streaming)” view in the event viewers.
18 IBM Security
Magistrate Component
Event Collector
(EC)
Offense Rules
Event Processor
(EP)
Offense Management
Magistrate
Offense Storage
Magistrate – Responsible for correlating offenses with event notifications from multiple
Event Processor (EP) components. Only the Console will have a Magistrate component.
19 IBM Security
Contd..
▪ Offense rules - Monitors and takes actions on offenses, such as generating email
notifications.
▪ Offense management - Updates active offenses, transitioning inactive offenses to active
and provides access to offense information to the user through the Offenses tab.
▪ Offense storage - Writes offense data to a Postgres database.
20 IBM Security
QRadar Dashboard
▪ The Dashboard tab is the default view when you log in.
▪ It provides a workspace environment that supports multiple dashboards on which you
can display your views of network security, activity, or data that is collected.
▪ You can customize your dashboards to display and organize the dashboards items that
meet your network security requirements.
▪ The content that is displayed on the Dashboard tab is user-specific.
▪ 255 dashboards per user is the maximum; however, performance issues might occur if
you create more than 10 dashboards.
▪ Move and position items to meet your requirements. When you position items, each item
automatically resizes in proportion to the dashboard.
21 IBM Security
Demonstration of the QRadar Dashboard
22 IBM Security
Custom Rule Engine (CRE) - Rules Vs Building Blocks
Building blocks
▪ Just like rules – except no actions or responses
▪ Only executed if there is another rule or building block that depends on it
Rules
▪ Actions and responses
▪ The rule reader examines the rules, figures out dependencies, and orders the rule
execution accordingly.
23 IBM Security
Global versus Local Rules
Local Rule
It evaluates the rule tests against the local appliance to trigger the rule. This is the default
action.
Global Rule
It means that the CRE on the Console tracks the event matches as provided by each
managed host in the deployment. As partial matches are made or counters need to be
updated, each managed host sends an update to the CRE on the Console. When the
overall rule becomes true, the Console triggers the rule response.
Be mindful of bandwidth and load on the console!
24 IBM Security
Offenses – How does the CRE fits in ?
CRE
▪ Analyses incoming data and picks out the bad bits based on the rules provided.
▪ Anything flagged as bad (“contribute to offense”) to be sent to magistrate
Magistrate
▪ Takes all of the “evidence” and creates offenses – or cases based on it.
25 IBM Security
Investigating an offense
▪ Relevance : It determines the impact of the offense on your network. For example, if
a port is open, the relevance is high.
▪ Severity : It indicates the level of threat that a source poses in relation to how
prepared the destination is for the attack.
26 IBM Security
Contd..
27 IBM Security
Acting on an Offense
28 IBM Security
Asset Profiles
29 IBM Security
Contd..
Asset information is used throughout QRadar SIEM. For example, if a source attempts to
attack a specific service running on a specific asset, QRadar SIEM can determine if the
asset is vulnerable to this attack by correlating the attack to the asset profile.
30 IBM Security
Reports
31 IBM Security
User Interface – Admin Tab
32 IBM Security
High Availability (HA)
▪ QRadar’s HA feature allows you to build redundancy into your deployment to defend
against hardware failure. When deploying HA you create a HA Cluster consisting of a
primary and secondary node, ideally the hardware will be identical.
▪ Failover takes 3-10 minutes depending on the hardware class and function in the
deployment.
▪ Consoles take the longest to fail over since there are more services to restart.
▪ A VIP ( Virtual IP ) is shared between the two nodes in the cluster, when a failover is
detected the surviving appliance assumes control of the VIP.
33 IBM Security
HA - DRBD
The Nodes are synced together using a combination of DRBD for Ariel and Postgres data
and rsync for configuration files. By using DRBD for Ariel we ensure data integrity within the
cluster.
34 IBM Security
HA – Network Latency
• The connection between the primary and secondary HA host has a minimum bandwidth
of 1 gigabits per second (Gbps).
• The latency between the primary and secondary HA host is less than 2 milliseconds
(ms).
• Latency on Fiber not including switches/etc is 0.82 milliseconds per 160km, this means
when attempting to stretch HA over a WAN is extremely difficult to meet the latency and
bandwidth requirements.
• Every QRadar appliance ships with two 10 Gbps ports, if possible one of these should be
used for a crossover link between the primary and secondary node. This offers a number
of advantages including:
- Increase resiliency to network switch failure ( cable and network card become only
points of failure )
- Increase sync speed, without the crossover cable all disk replication happens over the
management interface which is often only 1Gbps
35 IBM Security
Questions
36 IBM Security
THANK YOU
FOLLOW US ON:
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2017. All rights reserved. The information contained in these materials is provided for informati onal purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.