IBM Security Services - Automated Identification of Threats using QRadar

QRadar SIEM identifies suspected attacks and policy breaches by collecting security-relevant data from a wide variety of sources such as firewalls, user directories, proxies, applications and routers. It adds context to the collected information so that security analysts can investigate from correlated data: the point in time when the attack or breach took place, the offending users, origins, targets, vulnerabilities, asset information and known threats.



QRadar can provide some key information like:

  • What is being attacked?
  • What is the security impact? 
  • Who's attacking?
  • Where should the investigation be focused?
  • When are attacks taking place?
  • How's the attack penetrating the system?
  • Is the suspected attack or policy breach real or a false alarm?

QRadar can correlate and securely store raw events, network flows, vulnerabilities, assets and threat intelligence data. It can also capture layer 7 payload, up to a configurable number of bytes, from unencrypted traffic (for encrypted sessions only the flow metadata and the unencrypted handshake bytes are usable). It can monitor host and network behavior changes that could indicate an attack or policy breach, such as off-hours or excessive use of an application, or network activity patterns inconsistent with the established profiles. It prioritizes suspected attacks and policy breaches, generates reports from many available templates, provides a scalable architecture to support large deployments, and is managed and viewed from a single user interface.


Normalizing the raw events

QRadar normalizes the varied information found in raw events, which are records from one or more devices describing an action on the network or on a host. Normalizing means mapping information to common field names. For example:

  • SRC_IP, source, IP, and others are normalized to Source IP 
  • user_name, username, login, and others could be normalized to user 

After raw events are normalized, it is easy to search, report on and cross-correlate them regardless of which device produced them.


Event collection and processing

Log sources such as firewalls, routers and servers typically send syslog messages, but other protocols such as log file collection, JDBC and others can also be used. These messages are first collected, in raw form, by the event collector component. The event collector uses device support modules (DSMs) to parse and normalize the raw data; the raw log message itself always remains intact. Event collectors do not store raw or normalized data permanently. Event processors receive the normalized events together with the raw events, then analyze and store them; analyzing means testing rules against those events. Data nodes provide additional storage for events and must be associated with an event processor. The magistrate component correlates data from the event processors and eventually creates offenses.
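As an added example (not QRadar's code and not from the referenced course), the following Python sketch walks through the two preceding sections end to end: DSM-style parsing of constructed raw syslog lines from three hypothetical log source formats, normalization of device-native field names (SRC_IP, source, IP; login, username) to common names, an event-processor rule test for repeated authentication failures across all sources, and a magistrate step that groups rule matches into offenses per offending Source IP. All formats, field names, thresholds and sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Normalization map: device-native field names -> common field names (assumed names).
NORMALIZE = {
    "SRC_IP": "Source IP", "source": "Source IP", "IP": "Source IP",
    "DST_IP": "Destination IP",
    "user_name": "Username", "username": "Username", "login": "Username",
}

# DSM-like parsers: one regex per hypothetical log source format (constructed, not real DSMs).
DSMS = {
    "firewall": re.compile(
        r"^(?P<ts>\w{3} \d{1,2} [\d:]{8}) (?P<host>\S+) FW: action=(?P<action>\w+) "
        r"SRC_IP=(?P<SRC_IP>\S+) DST_IP=(?P<DST_IP>\S+)$"),
    "ssh": re.compile(
        r"^(?P<ts>\w{3} \d{1,2} [\d:]{8}) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) "
        r"password for login=(?P<login>\S+) from source=(?P<source>\S+)$"),
    "vpn": re.compile(
        r"^(?P<ts>\w{3} \d{1,2} [\d:]{8}) (?P<host>\S+) vpn: (?P<result>AUTH_FAIL|AUTH_OK) "
        r"username=(?P<username>\S+) IP=(?P<IP>\S+)$"),
}

# Constructed raw syslog lines (sample input, not captured from a real device).
RAW_EVENTS = [
    "Mar 10 09:12:01 fw01 FW: action=allow SRC_IP=203.0.113.7 DST_IP=10.0.0.5",
    "Mar 10 09:12:03 auth01 sshd: Failed password for login=alice from source=203.0.113.7",
    "Mar 10 09:12:05 vpn01 vpn: AUTH_FAIL username=alice IP=203.0.113.7",
    "Mar 10 09:12:09 auth01 sshd: Failed password for login=root from source=203.0.113.7",
    "Mar 10 09:12:15 auth01 sshd: Accepted password for login=alice from source=203.0.113.7",
    "Mar 10 09:13:00 auth01 sshd: Failed password for login=bob from source=198.51.100.9",
    "Mar 10 09:13:30 unknown-device: some message no DSM understands",
]

def categorize(fields):
    """Map each format's own outcome value onto a common event category."""
    result = fields.get("result")
    if result in ("Failed", "AUTH_FAIL"):
        return "Auth Failure"
    if result in ("Accepted", "AUTH_OK"):
        return "Auth Success"
    return fields.get("action", "Other")

def parse_event(raw, year=2024):
    """Event collector step: parse with the first matching DSM and normalize field names.
    The raw payload is kept intact next to the normalized fields."""
    for source_type, rx in DSMS.items():
        m = rx.match(raw)
        if not m:
            continue
        native = m.groupdict()
        ts = datetime.strptime(f"{year} {native.pop('ts')}", "%Y %b %d %H:%M:%S")
        event = {"Log Source": source_type, "Start Time": ts, "payload": raw}
        for key, value in native.items():
            event[NORMALIZE.get(key, key)] = value
        event["Category"] = categorize(event)
        return event
    # Unparsed lines are still stored (as "unknown"), never dropped.
    return {"Log Source": "unknown", "Start Time": None, "payload": raw, "Category": "Unknown"}

def brute_force_rule(events, threshold=3, window=timedelta(seconds=60)):
    """Event processor step: test one rule across normalized events from every log source.
    Fires when `threshold` auth failures from one Source IP fall within `window`, and again
    if a success from that IP follows the failures."""
    failures = defaultdict(list)
    matches = []
    for ev in sorted((e for e in events if e["Start Time"]), key=lambda e: e["Start Time"]):
        src = ev.get("Source IP")
        if ev["Category"] == "Auth Failure":
            recent = [t for t in failures[src] if ev["Start Time"] - t <= window]
            recent.append(ev["Start Time"])
            failures[src] = recent
            if len(recent) >= threshold:
                matches.append(("Repeated auth failures from one source", ev))
        elif ev["Category"] == "Auth Success" and len(failures[src]) >= threshold:
            matches.append(("Auth success after repeated failures", ev))
            failures[src] = []
    return matches

def build_offenses(matches):
    """Magistrate step: group rule matches into one offense per offending Source IP."""
    offenses = {}
    for rule_name, ev in matches:
        off = offenses.setdefault(ev["Source IP"], {
            "Source IP": ev["Source IP"], "rules": set(), "event_count": 0,
            "targets": set(), "usernames": set(), "log_sources": set()})
        off["rules"].add(rule_name)
        off["event_count"] += 1
        off["targets"].add(ev["host"])
        off["log_sources"].add(ev["Log Source"])
        if ev.get("Username"):
            off["usernames"].add(ev["Username"])
    return offenses

def run_pipeline(raw_lines=RAW_EVENTS):
    events = [parse_event(line) for line in raw_lines]
    return events, build_offenses(brute_force_rule(events))

if __name__ == "__main__":
    _, offenses = run_pipeline()
    for off in offenses.values():
        print(off)
```

The point to notice is that the rule never looks at device-specific field names: the ssh and vpn failures from 203.0.113.7 count toward the same threshold only because both were normalized to Source IP and a common category first, which is exactly what makes cross-source correlation cheap once normalization has happened.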



Flow Collection and Processing

QRadar SIEM can also collect and process flows from network devices. A flow is a communication session between two hosts, recorded as information such as source and destination IP addresses, source and destination ports, the transport protocol, and byte and packet counts. The QFlow Collector either reads packets from the wire or receives flow records from other devices, and converts all gathered network data into normalized flow records. When it reads packets itself, the QFlow Collector can also capture layer 7 (application) information.
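As an added example (not QFlow or QRadar code), the following Python sketch shows what a flow collector that reads packets from the wire has to do: fold constructed packet records into bidirectional flow records keyed by the 5-tuple, count bytes and packets per direction, close a record after an idle timeout, keep only the first configurable number of payload bytes, and use that captured prefix to identify the layer 7 application. The packet records, signature table, timeout and capture size are all assumptions.

```python
from dataclasses import dataclass

# Constructed packet records (sample input, not captured traffic):
# (timestamp, src_ip, src_port, dst_ip, dst_port, proto, payload bytes)
PACKETS = [
    (1.00, "10.0.0.23", 51000, "10.0.0.5", 80, "tcp", b"GET /login HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    (1.02, "10.0.0.5", 80, "10.0.0.23", 51000, "tcp", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    (1.10, "10.0.0.23", 51000, "10.0.0.5", 80, "tcp", b"GET /x HTTP/1.1\r\n\r\n"),
    (2.00, "10.0.0.23", 51001, "10.0.0.5", 22, "tcp", b"SSH-2.0-OpenSSH_9.3\r\n"),
    (2.01, "10.0.0.5", 22, "10.0.0.23", 51001, "tcp", b"SSH-2.0-OpenSSH_8.9\r\n"),
    (3.00, "10.0.0.23", 40000, "10.0.0.5", 443, "tcp", b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
]

# Layer 7 signatures matched against the captured payload prefix (a small constructed set).
L7_SIGNATURES = [
    (b"SSH-", "SSH"), (b"GET ", "HTTP"), (b"POST ", "HTTP"), (b"HTTP/", "HTTP"),
    (b"\x16\x03", "TLS"),  # only the handshake is visible; the application inside stays encrypted
]

@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    first_seen: float
    last_seen: float
    src_packets: int = 0
    dst_packets: int = 0
    src_bytes: int = 0
    dst_bytes: int = 0
    src_payload: bytes = b""   # first capture_bytes of payload in each direction
    dst_payload: bytes = b""
    app: str = "unknown"

def classify_l7(flow):
    for prefix, name in L7_SIGNATURES:
        if flow.src_payload.startswith(prefix) or flow.dst_payload.startswith(prefix):
            return name
    return "unknown"

def aggregate_flows(packets, capture_bytes=64, idle_timeout=120.0):
    """Fold packets into bidirectional flow records keyed by the 5-tuple. The host that sent
    the first packet is the flow's source. A gap longer than idle_timeout closes the record
    and a new one starts, as a flow collector does on timeout."""
    active, finished = {}, []
    for ts, sip, sp, dip, dp, proto, payload in sorted(packets, key=lambda p: p[0]):
        fwd, rev = (sip, sp, dip, dp, proto), (dip, dp, sip, sp, proto)
        key = fwd if fwd in active else rev if rev in active else None
        if key is not None and ts - active[key].last_seen > idle_timeout:
            finished.append(active.pop(key))
            key = None
        if key is None:
            key = fwd
            active[fwd] = Flow(sip, sp, dip, dp, proto, first_seen=ts, last_seen=ts)
        flow = active[key]
        flow.last_seen = ts
        if key == fwd:   # same direction as the packet that opened the flow
            flow.src_packets += 1
            flow.src_bytes += len(payload)
            flow.src_payload = (flow.src_payload + payload)[:capture_bytes]
        else:
            flow.dst_packets += 1
            flow.dst_bytes += len(payload)
            flow.dst_payload = (flow.dst_payload + payload)[:capture_bytes]
    flows = finished + list(active.values())
    for flow in flows:
        flow.app = classify_l7(flow)
    return flows

if __name__ == "__main__":
    for f in aggregate_flows(PACKETS):
        print(f"{f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port} {f.proto} "
              f"{f.src_packets}/{f.dst_packets} pkts {f.src_bytes}/{f.dst_bytes} B app={f.app}")
```

The TLS flow illustrates the caveat from the overview above: the captured bytes identify the session as TLS from its handshake, but nothing about the application carried inside it is visible, so layer 7 classification of encrypted traffic is limited to what the unencrypted handshake reveals.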



Reporting

All data collected by QRadar, regardless of whether it is flows, events or vulnerabilities, can be reported on over time. QRadar ships with over a thousand report templates, and you can also create new templates or change the existing ones.



Asset profiles

An asset profile, created for the servers and hosts in your network, provides information that helps you resolve security issues. Using asset data you can connect the offenses triggered in your system to physical or virtual assets, which gives you a starting point for a security investigation. QRadar provides a unified view of the known information about each asset, such as IP addresses, services listening on open ports and vulnerabilities. As it discovers more information, the system updates the asset profile and incrementally builds a complete picture of the asset. Asset profiles are built dynamically from identity information passively absorbed from event or flow data, or from data gathered during a vulnerability scan. You can also import asset data or edit an asset profile manually.



Active scans

Vulnerability assessment profiles use correlated event data, network activity and behavioral changes to determine the threat level and the vulnerabilities present on critical business assets, or on any asset in your network. You can schedule scans and also import scan results from third-party scanners, which keeps the vulnerability information current for the assets on the network. For example, Nessus, Nmap and the IBM Security QRadar Vulnerability Manager scanner can be scheduled directly from QRadar; for other scanners you schedule only the collection of scan results in QRadar SIEM, not the scan itself.



QRadar Vulnerability Manager scanner

You can add IBM Security QRadar Vulnerability Manager, a separately licensed product that runs on the SIEM. Its active scanner can be deployed on event and flow collectors as well as on processors, and it can detect over 70,000 vulnerabilities. It also processes results from an IBM-hosted scanner to give a view from outside your firewall. It tracks Common Vulnerabilities and Exposures (CVE) entries and can process third-party vulnerability data feeds.


Gathering asset information

The two most common methods used to gather asset information are active scanning and passive detection.

Active scanning uses scanners such as the QRadar Vulnerability Manager scanner, Nessus, Nmap, Qualys and others. They provide:

  • a list of hosts with their risk and potential vulnerabilities
  • IP and MAC addresses, open ports, services and versions, and the operating system of each device
  • very detailed host information as well as policy and compliance information

Active scanners may not be able to scan past firewalls, and users can hide from active scans by shutting down their systems during the scheduled scan window.

Passive detection uses flows from QFlow, or from other flow sources that use flow accounting technologies such as IPFIX (IP Flow Information Export), NetFlow, sFlow (Sampled Flow) and others. It provides:

  • IP addresses in use and open ports in use
  • real-time asset profile updates

Firewalls have no impact here and end users cannot hide. It also provides policy and compliance information, but it is not as detailed as active scanning.
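As an added example (not the page's or IBM's code), the following Python sketch builds asset profiles in the way the "Asset profiles" section and this one describe: it merges a constructed active scan result with constructed flow records, so that a host behind a firewall the scanner could not cross still appears through passive detection, a port the scanner labelled with a service keeps that detail while gaining a passive last-seen time, and an unanswered probe does not register a phantom open port. All hosts, services, timestamps and finding labels are assumptions; the finding labels are placeholders, not real vulnerability identifiers.

```python
# Constructed active scan result for the reachable subnet (sample input, not real scanner output).
# 10.0.0.77 sits behind a firewall the scanner cannot cross, so it is absent from the scan.
# Finding labels are placeholders, not real vulnerability identifiers.
ACTIVE_SCAN = {
    "10.0.0.5": {"mac": "00:11:22:33:44:55", "os": "Ubuntu 22.04",
                 "ports": {22: "OpenSSH 8.9", 80: "Apache httpd 2.4"},
                 "findings": ["finding-A", "finding-B"]},
}
SCANNED_AT = 1710061900

# Constructed flow records: (timestamp, src_ip, src_port, dst_ip, dst_port, proto, dst_bytes).
# dst_bytes counts what the destination sent back; 0 means it never answered.
FLOWS = [
    (1710061921, "10.0.0.23", 51000, "10.0.0.5", 80, "tcp", 512),
    (1710061930, "10.0.0.23", 51001, "10.0.0.5", 22, "tcp", 90),
    (1710061940, "10.0.0.23", 51002, "10.0.0.5", 3389, "tcp", 0),     # unanswered probe
    (1710061950, "10.0.0.23", 51003, "10.0.0.77", 445, "tcp", 1024),  # host the scanner missed
    (1710061960, "10.0.0.77", 40000, "10.0.0.5", 80, "tcp", 300),
]

def new_profile(ip):
    return {"ip": ip, "mac": None, "os": None, "ports": {}, "findings": [],
            "sources": set(), "last_seen": 0}

def new_port_entry():
    return {"service": None, "seen_by": set(), "last_seen": 0}

def apply_active_scan(assets, scan, scanned_at):
    """Active scanning: detailed host data, but only for hosts the scanner could reach."""
    for ip, result in scan.items():
        p = assets.setdefault(ip, new_profile(ip))
        p["mac"], p["os"] = result["mac"], result["os"]
        for port, service in result["ports"].items():
            entry = p["ports"].setdefault(port, new_port_entry())
            entry["service"] = service
            entry["seen_by"].add("active")
            entry["last_seen"] = max(entry["last_seen"], scanned_at)
        p["findings"] = list(result["findings"])
        p["sources"].add("active")
        p["last_seen"] = max(p["last_seen"], scanned_at)
    return assets

def apply_flows(assets, flows):
    """Passive detection: every endpoint seen in a flow is a live address. A destination port
    counts as in use only if the destination answered, so unanswered probes to closed ports
    do not create phantom services."""
    for ts, sip, sp, dip, dp, proto, dst_bytes in flows:
        for ip in (sip, dip):
            p = assets.setdefault(ip, new_profile(ip))
            p["sources"].add("passive")
            p["last_seen"] = max(p["last_seen"], ts)
        if dst_bytes > 0:
            entry = assets[dip]["ports"].setdefault(dp, new_port_entry())
            entry["seen_by"].add("passive")
            entry["last_seen"] = max(entry["last_seen"], ts)
    return assets

def passive_only_hosts(assets):
    """Hosts the active scanner never reported: candidates for an unscanned segment."""
    return sorted(ip for ip, p in assets.items() if p["sources"] == {"passive"})

def build_assets(scan=ACTIVE_SCAN, scanned_at=SCANNED_AT, flows=FLOWS):
    assets = {}
    apply_active_scan(assets, scan, scanned_at)
    apply_flows(assets, flows)
    return assets

if __name__ == "__main__":
    assets = build_assets()
    for ip, p in sorted(assets.items()):
        print(ip, p["os"], sorted(p["ports"]), sorted(p["sources"]))
    print("seen only passively:", passive_only_hosts(assets))
```

The output of passive_only_hosts is the practical check this section is pointing at: a host that shows up in flows but never in scan results is either a client that was switched off during the scan window or a server on a segment the scanner cannot reach, and either way it deserves a second look before the vulnerability picture is trusted.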


QRadar product portfolio


*Ref: Luis Latas - IBM QRadar Foundation

