qradar user group - ibm
QRadar User Group
Discussion of QRadar Use Cases, Strategies & Best Practices
Eric Curley- Cybersecurity Technical Leader
North America Security - Intelligence & Threat
+1-631-235-9256 | [email protected]
2 IBM Security
Agenda
• Client Introductions
• Roadmap
• Break
• Discussion Topics
• Additional Training Materials available
Introductions
• Name
• Company
• Deployment Info (# boxes, EPS, Flows, etc.)
• What are you using QRadar for?
• What you want from this group
Collaboration
• Slack, App Exchange, a Blog or whatever you are comfortable with. We can create a User Group for you as well… Any volunteers?
Client Presentation
Discussion Topics
• Roadmap (Updated UI, Community Edition, etc.)
• Use Cases (Insider Threats, Lateral Movement, etc.)
• Windows Log Collection Strategies
• Network Flow Instrumentation Strategies
• Data Source Prioritization, Strategies
• Log source management - avoid blind spots
• Tuning (SIEM, Offense, UBA) Strategies
• Cloud Instrumentation Strategies (On Cloud, From Cloud, SaaS, etc.)
• Architecture Strategies & Recommendations
• Resilience (HA/DR) Strategies & Recommendations
• MSSP Experiences & Strategies
• Threat Hunting Use Cases & Recommendations
• Support & Training
Roadmap
• Updated UI
• Community Edition
• Etc.
How do you use QRadar to address…
• Insider Threat
  • Auth/Access, User Actions, Behavioral…
• Lateral Movement
  • L2L High Category Events, User ID access over multiple internal systems
• Data Exfiltration
  • Access privileges/privilege escalation, high-value data (L2R)
• IOC Detection
  • Threat feeds, Files (names/hashes/sizes), patterns etc.
• Extra use cases
Windows Log Collection Strategies
• Agentless
  • WMI
  • MSRPC
  • WEF
    • Sends to WinCollect via SMB; ask your Windows GPO admin to set it up…
    • https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection
• Agents
  • NXLog
  • SyslogNG
  • Snare
  • WinCollect
• Hub and Spoke
  • Windows Event Forwarding (WEF) Server
  • Unmanaged
• Enhanced Logging Technologies
  • Sysmon - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Network Flow Instrumentation Strategies
• Network Flow Types
  • NetFlow, sFlow, J-Flow, Packeteer, IPFIX, etc.
  • Who is there, and who are they talking to
• Q-Flow
  • Adds what language they are speaking
• QNI
  • Adds what key words they are saying
• Network Instrumentation Types
  • NetFlow, sFlow, J-Flow, Packeteer, IPFIX, etc.
    • Generally sent from existing network infrastructure
    • Can be generated from free/low-cost probes
  • Q-Flow Probe, QNI Probe, QIF Probe
    • Requires raw packets – using network infrastructure to copy data
    • Switch Port Analyzer (SPAN) is the common Cisco term, but the least reliable (oversubscription)
Data Source Prioritization Strategies
• How do you prioritize data types for QRadar?
  • Logs
  • Flows
  • Vulnerability Scan Results
  • Threat Intelligence Feeds
• Does categorizing the data fields help?
  • Access (Layer 3-4)
  • Authentication (Layer 4-7)
  • Threat (IOC) (Layer 7)
Log Source Management Strategies
• How do you make sure you don’t have “blind spots”?
  • Integration with CMDB solutions
  • Integration with CCM solutions
  • Assets (do you utilize them, and are they tuned properly?)
• How are you dealing with virtual/cloud sources that change constantly?
  • Scripting log source grouping
  • Utilizing agents on images, with automatic log source discovery
SIEM Tuning Strategies
• How many offenses per day/week are you dealing with?
• How do you determine what needs to be tuned?
  • SIEM “Custom Rule Engine” Report
• How do you go about tuning?
  • Environment Definition (Network Hierarchy, Building Blocks, etc.)
  • Rule Modification (Tests, Variables, Responses)
  • False Positive Button?!?
• How do you maintain your “tuned” environment?
  • Daily, weekly reviews, etc.?
• Further tuning material
Cloud Instrumentation Strategies
• Cloud Solution Logging Strategies
  • Logging from AWS, Azure, SFDC, Google, O365, etc.
• Cloud Instrumentation Strategies
  • Installing QRadar components in IaaS solutions (AWS, Azure, etc.)
• Cloud Installation Strategies
  • Hosting your QRadar deployment in IaaS solutions
• SaaS Deployments (QROC)?
  • Strategies, experiences & recommendations
Architecture Strategies & Performance Considerations
• Do you use Event Collectors to:
  • Compress
  • Encrypt
  • Schedule
  • Store and Forward
  • Throttle
• Do you have processors in remote locations?
  • WAN Impact?
  • Search Performance Impact?
• App Exchange & App Nodes
• Do you do flow collection from remote locations?
  • WAN Impact?
Resilience Strategies & Considerations
• Do you use HA?
  • HA everything, or only Collectors, Processors, DataNodes, etc.?
• Do you use DR?
  • What “Tier” does QRadar fit into?
    • Tier 1 – immediate fail-over
    • Tier 2 – 2 hour failover
    • Tier 3 – 24 hour failover
    • Tier 4 – 7 day failover
    • Etc.
• What mechanism do you use to replicate data?
  • Forwarding, duplication, load balancers, copying data files, etc.
MSSP Experiences & Recommendations
• Have you had an MSSP manage QRadar for you?
  • Experiences, recommendations & thoughts
• Are you thinking about hiring a firm for this service?
  • What access to your network will they have?
  • Will they just “read the offense” to you?
  • Will they be able to triage with other teams in your environment?
Threat Hunting Use Cases & Strategies
• Do you use QRadar for Threat Hunting?
  • Traditional searching methods
  • AQL searching and/or API?
  • Are you correlating structured data (information stored in databases) with unstructured data (from files, textbooks, websites, blogs, social media, collaborative forums etc.)?
  • Monitoring modes of communication and chatter (Darkweb/semi-private channels; public forums, such as common social media outlets)?
• What other tool(s) do you use?
  • e.g. i2, SaaS, Advisor w/ Watson etc. What else?
Support
• Highlights and “Call to Action”
Staff added, trained and working now (40% increase to 140 members)
Backlog Ticket Volume decreasing by 2-5% drop in backlog tickets weekly since May (customer should start seeing visible improvements by the end of June)
Dev increased by 25% for L3 support and ITEAM (DSM Dev)
• Support Upgrade Checklist: https://www-01.ibm.com/support/docview.wss?uid=swg21985226
• Upgrade Guide: https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.1/com.ibm.qradar.doc/b_qradar_upgrade.pdf?view=kc
Raising an Escalation (Contact your local CTP and Sales executive if you feel you need a ticket escalated):
• When submitting an escalation, please include the following:
Customer name
Case number(s)
Customer contact name
Customer contact email/phone
Brief summary of the situation
Anything else that may be relevant (i.e., doing an upgrade, new client, part of an MSSP engagement, upcoming revenue opp or other relevant technical matters)
Public Product Support - https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/qradar_IC_welcome.html
SHARED UNDER NDA
Forum for quick support questions- http://ibm.biz/QRSupportForum
IBM Security Learning Academy
www.SecurityLearningAcademy.com
Learning Videos ● Hands-on Labs ● Live Events
Learning at no cost! New content published daily!
Other Training options…
• Free Resources
IBM Security Learning Academy
Online Training/Badges: www.ibm.com/services/learning
Instructional videos available on YouTube by IBMer Jose Bravo: https://ibm.box.com/s/ich0yyiw54y0ek6s9a66xvtjku8e42rc
• PSS based Training
Custom Enablement Workshops
Hands-on Mentoring
• Business Partner led
Q&A-Wrap up
Thank You
User ID Tracking and Lateral Movement
• Cutting through the noise
  device-to-device movement (L2L High Category Events, User ID access over multiple internal systems)
  access privileges/privilege escalation (Security and IOC Threat Sources; monitor for privilege escalation and suspicious activity offenses)
  high-value data (access to key DBs or data-sensitive file systems)
• Taking the defensive high ground
  attacking node and a target (scan for vulnerable hosts to exploit) (scans and assets with multiple vulnerabilities)
  pivot between compromised hosts (look at Host-Based/Malware Threat Source or identified Malware, Exploit and DDoS-alerted systems and view other log and network activity associated with them)
  internal reconnaissance and passing payloads (scan with high traffic bytes or payload associated)
• The Human Element
  remote desktop tools and remote administration tools (RATs)
  behavioral nature of their traffic (show Behavior and Threshold rules)
  external person controlling an internal host (R2L to one asset; the affected asset then sends a file transfer L2R)
  impersonating a valid user
  when credentials are abused or abnormally used (multiple privileged accesses to multiple hosts, or by one host, in a short period of time or over time)
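An added example, not from the slides: the "User ID access over multiple internal systems" pattern above written as detection logic over constructed authentication events. The LOCAL_NETWORKS list stands in for the QRadar network hierarchy, and the event field names, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed stand-in for the QRadar network hierarchy: these ranges are "local"
# (the L in L2L); anything else is remote.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def find_lateral_movement(events, window_seconds=600, host_threshold=3):
    """Return {user: set(hosts)} for users whose successful local-to-local logins
    reach host_threshold distinct destination hosts inside any window_seconds span.
    events: dicts with time (ISO 8601), user, src, dst, category (assumed field names)."""
    window = timedelta(seconds=window_seconds)
    per_user = defaultdict(list)
    for ev in events:
        if ev["category"] != "auth.success":
            continue                     # failures are a different use case
        if not (is_local(ev["src"]) and is_local(ev["dst"])):
            continue                     # only L2L movement is in scope here
        per_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["dst"]))
    hits = {}
    for user, logins in per_user.items():
        logins.sort()
        # Sliding window anchored on each login: distinct hosts reached within `window`.
        for i, (t0, _) in enumerate(logins):
            hosts = {dst for t, dst in logins[i:] if t - t0 <= window}
            if len(hosts) >= host_threshold:
                hits[user] = hits.get(user, set()) | hosts
    return hits


# Constructed sample events: alice sweeps three internal servers in four minutes,
# bob repeats one server, carol logs in from outside (R2L, out of scope here).
SAMPLE_EVENTS = [
    {"time": "2024-01-01T09:00:00", "user": "alice", "src": "10.1.1.5", "dst": "10.2.0.10", "category": "auth.success"},
    {"time": "2024-01-01T09:02:00", "user": "alice", "src": "10.1.1.5", "dst": "10.2.0.11", "category": "auth.success"},
    {"time": "2024-01-01T09:04:00", "user": "alice", "src": "10.1.1.5", "dst": "10.2.0.12", "category": "auth.success"},
    {"time": "2024-01-01T09:00:00", "user": "bob", "src": "10.1.1.6", "dst": "10.2.0.10", "category": "auth.success"},
    {"time": "2024-01-01T09:05:00", "user": "bob", "src": "10.1.1.6", "dst": "10.2.0.10", "category": "auth.success"},
    {"time": "2024-01-01T09:06:00", "user": "carol", "src": "203.0.113.9", "dst": "10.2.0.10", "category": "auth.success"},
    {"time": "2024-01-01T09:07:00", "user": "alice", "src": "10.1.1.5", "dst": "10.2.0.13", "category": "auth.failure"},
]

if __name__ == "__main__":
    for user, hosts in find_lateral_movement(SAMPLE_EVENTS).items():
        print(f"{user}: {len(hosts)} internal hosts in 10 min -> {sorted(hosts)}")
```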
Credential Scrapers and Phishing
• Correlate the IIS logs, for traffic volume/characteristics, with the back-end server logs, for hard stats on login attempts/successes/failures and impacted accounts
• Find the IP addresses of the IIS servers and look at traffic levels; Security and IOC threat feeds, and the email that triggered the notification around this
• Tie the malware alert to a specific 4688 (new process creation) log
• Find the origination of that process (i.e. executable downloaded from either Outlook or a particular URL)
• Find other potentially affected hosts that haven’t alerted yet
• When a flow or an event matches any of the following BB:HostDefinition:Mail Servers; BB:HostReference:Mail Servers AND any of the Source IPs are contained in any of Phishing Senders-IP Reference Set
• Instant Messaging (Flows)
• Trojan Hosts, Malware BotNet, DDoS activity (IPS, Flows and IP Reputation)
• System Reconfiguration (local Windows and DC logs)
• Data Exfiltration (process monitoring with Windows logs and data/file transfer with Flows); R2L traffic patterns.
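The mail-server rule above, emulated offline as an added example (not from the slides or from QRadar): the building block and the reference set are constructed lists, and the recipient_host field and the alerted-host set are assumptions standing in for mail-server delivery logs and existing malware offenses.

```python
import ipaddress

# Constructed BB:HostDefinition:Mail Servers equivalent: mail-server hosts and ranges.
MAIL_SERVERS = [ipaddress.ip_network(n) for n in ("10.50.0.25/32", "10.50.1.0/24")]
# Constructed 'Phishing Senders-IP' reference set (populated from threat intel in QRadar).
PHISHING_SENDERS = {"198.51.100.7", "203.0.113.200"}


def in_building_block(ip, block=MAIL_SERVERS):
    """True when ip falls inside any host/CIDR entry of the building block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in block)


def matches_phishing_rule(record):
    """The rule test: the flow/event touches a mail server (source or destination)
    AND its source IP is in the phishing-senders reference set."""
    touches_mail_server = (in_building_block(record["sourceip"])
                           or in_building_block(record["destinationip"]))
    return touches_mail_server and record["sourceip"] in PHISHING_SENDERS


def correlate(records, alerted_hosts=frozenset()):
    """Evaluate the rule and do the follow-up pivot from the slide: return
    (matches, to_check), where to_check are recipient hosts that received mail from
    a flagged sender but have not raised a malware alert yet."""
    matches = [r for r in records if matches_phishing_rule(r)]
    flagged_senders = {r["sourceip"] for r in matches}
    to_check = {r["recipient_host"] for r in records
                if r["sourceip"] in flagged_senders
                and r["recipient_host"] not in alerted_hosts}
    return matches, to_check


# Constructed records: sourceip/destinationip as in QRadar; recipient_host is an
# assumed field standing in for the mail-server delivery log.
SAMPLE_RECORDS = [
    {"sourceip": "198.51.100.7", "destinationip": "10.50.0.25", "recipient_host": "ws-101"},
    {"sourceip": "198.51.100.7", "destinationip": "10.50.1.40", "recipient_host": "ws-102"},
    {"sourceip": "192.0.2.10", "destinationip": "10.50.0.25", "recipient_host": "ws-103"},
    {"sourceip": "203.0.113.200", "destinationip": "10.60.0.5", "recipient_host": "ws-104"},
]

if __name__ == "__main__":
    matches, to_check = correlate(SAMPLE_RECORDS, alerted_hosts={"ws-101"})
    print(f"{len(matches)} rule matches; hosts to check: {sorted(to_check)}")
```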
Rules, Correlations, Offenses & Tuning
Best Practices for Tuning and Maintaining an Optimal Set of Security Intelligence Solution Rules
Eric Curley- Cybersecurity Technical Leader
North America Security - Intelligence & Threat
+1-631-235-9256 | [email protected]
Agenda
• Data Sources
  • Prime Data Sources
• Terminology
  • Events, Alerts & Offenses
• Where to Start
  • Tuning Report
• Tuning
  1. Environment
     • Building Blocks, Reference Sets & Network Hierarchy
  2. Rules
     • Tests, Variables, Thresholds & Responses
  3. False Positive
     • ONLY for False Positives
• Maintenance Best Practices
Data Sources
• Access
• Authentication
• Threat
Terminology
• Events
• Alerts
• Offenses
Where to Start
Not Here!
SIEM Tuning Report
SIEM Tuning Report – Save it
SIEM Tuning Report Results – Where are the ”False Positives”?
Tuning
The Three-Step Process
1. Define Your Environment
2. Modify the Rules
3. False Positive
1 - Environment
1. Network Hierarchy
2. Host Definition Building Blocks
3. Reference Sets
1 – Environment – Define it
2 - Rules
The Shortcut
2 – Rules – Tests & Thresholds
• Only to a specific country
• Only from a critical network
• Source bytes greater than 2M
• 30 minutes instead of 12
Create a note about it
2 – Rules - Responses
3 – False Positive – ONLY when it’s NOT TRUE!
Schedule Reviews
Tune the Top – Enable Offenses for the Bottom
Asset Profiling
Filtering Unwanted Assets (either passive or via CMDB… maybe Maximo)
Craft a search like this:
Investigate which log source is creating this activity. If this is valid identity traffic that you want to keep, then we can filter the log source out.
Save it as a real time saved search:
• VPN log sources
• Users logging in remotely
• Custom Apps/UDSMs
Once you have the exclusion in place, run /opt/qradar/support/cleanAssetModel.sh; it clears your asset tables (all of them) and lets them rebuild fresh.
Does the customer have any Custom Apps/UDSMs that have been implemented into QRadar? If so, you need to go into the LSX settings that were imported into QRadar and change the following attribute from send-identity="OverrideAndAlwaysSend" to send-identity="OverrideAndNeverSend".
Threat Hunting Methodology
Threat hunting typically involves five steps:
• Planning: Identify critical assets.
• Detection: Search for known and unknown threats.
• Responding: Manage and contain attacks.
• Measuring: Gauge the impact of the attack and the success of your security.
• Preventing: Be proactive and stay prepared for the next threat.
When building a threat hunting program, security leaders should focus on four metrics:
• Length of connections;
• Amount of data being transferred;
• Failed and successful access attempts; and
• Number of dropped packets at the firewall.
Deploying HA
HA overview:
• In an HA deployment, you install and configure a second appliance that takes over the role of the primary appliance if the primary fails in one of the following scenarios:
  • A power supply failure
  • A network failure that is detected by network connectivity tests
  • An operating system malfunction that delays or stops the heartbeat ping tests
  • A complete RAID failure on the primary HA host
  • A manual failover
  • A management interface failure on the primary HA host
• While you can maintain the link between the primary and secondary host over your LAN, the data synchronization is much faster if you connect the HA appliances with crossover cables. For best performance, use 10 Gbps interfaces for the crossover cables.
• Before you add an appliance to a high-availability (HA) cluster, you must confirm that the combined size of the /store and /transient partitions on the secondary HA host is the same size or larger than the /store partition on the primary HA host.
• A new appliance with IBM Security QRadar V7.3.0 and later installed has a different /store partition size than a host that is upgraded to V7.3.0.
• To add a QRadar V7.3.0 appliance to an HA cluster that was upgraded to V7.3.0 GA, you must first flatten the appliance and upgrade from QRadar V7.2.8. (You do not have to flatten an appliance that was upgraded to V7.3.0 Patch 1, or later).
Real-time data synchronization
• When you configure an HA cluster, the /store file system on the primary HA host is automatically
synchronized with the /store partition on the secondary HA host by using DRBD.
• If the primary HA host fails over, the /store file system on the secondary HA host is automatically
mounted to its local disk, where it continues to read from and write to the data received by the primary
HA host before the failover.
• After synchronization is complete, the secondary HA host assumes a status of standby.
• Depending on the size of the primary /store partition and performance, disk synchronization can take
an extended time period. Ensure that the connection between the primary and secondary HA host has
a minimum bandwidth of 1 Gbps.
Post-failover data synchronization
• Data that is collected by a primary high-availability (HA) host, up to the point of failover, is maintained
virtually, in real time, by the secondary HA host.
• When the primary HA host is restored after a failure, only the data that is collected by the secondary
HA host in the intervening period is synchronized with the primary HA host. Therefore, post-failover
disk synchronization is faster than initial disk synchronization, unless the disk on the primary HA host
was replaced or reformatted when the host was manually repaired.
• When restored from a failover, the status of the primary HA host becomes offline. You must set the
primary HA host to an online state, and set the secondary host to an offline state, before it can
become the active host. Disk replication with the secondary HA host is enabled while the primary HA
host remains offline.
Appliance requirements
• /store partition requirements: the file system of the /store partition must match between your primary and secondary host.
  • Example: if the /store partition on the primary uses ext3 as the file system, then your secondary must also use ext3 for /store. A mismatch of the file system for the /store partition is not allowed.
  • The combined size of the /store and /transient partitions on the secondary host must be equal to or larger than the /store partition on the primary host.
  • For example, do not pair a primary host that uses a 3 TB /store partition with a secondary host that has a 2 TB /store partition.
• Storage requirements: follow these storage requirements when you replace an appliance.
  • Ensure that the replacement appliance includes storage capacity that is equal to or greater than the original hardware you replace, and at least 130 gigabytes (GB).
  • Secondary replacement appliances can have larger storage capacity than the primary appliance. If so, partitions on the secondary are resized to match the storage capacity on the primary appliance when you configure the HA pair.
  • Primary replacement appliances can have larger storage capacity than the secondary appliance. If so, partitions on the primary are resized to match the storage capacity on the secondary appliance when you configure the HA pair.
  • If you replace both primary and secondary appliances, then the system resizes the storage partition based on the appliance with the smallest capacity.
Appliance requirements cont.
• Managed interfaces
The primary host should not contain more physical interfaces than the secondary.
If there is a failover, the network configuration of the primary is replicated to the secondary host. If the primary is
configured with more interfaces, any additional interfaces cannot be replicated to the secondary during a failover.
The secondary host must use the same management interface as the primary HA host. If the primary HA host uses
ens192, for example, as the management interface, the secondary HA host must also use ens192.
The management interface supports one cluster virtual IP address.
TCP port 7789 must be open and allow communication between the primary and secondary for Distributed
Replicated Block Device (DRBD) traffic. DRBD traffic is responsible for disk replication and is bidirectional between
the primary and secondary host.
You must ensure the QRadar software version is identical between the primary and secondary host before you
pair a primary to a secondary appliance for the first time.
• If the QRadar version between your primary and secondary differ, you must patch either the primary or secondary
appliance to ensure both appliances use the same software version.
• After the primary and secondary appliances are paired together, disk replication ensures that any additional
software updates are also applied to the secondary.
• Ensure that the secondary host has a valid HA activation key.
IP addressing and subnets
• To configure high-availability (HA), you must consider the subnet that is used by the secondary HA
host and the virtual IP address.
• Administrators must ensure that the following conditions are met:
The secondary host is in the same subnet as the primary host.
When the IP address of the primary host is reassigned as a cluster virtual IP, the new IP address that you assign
must be in the same subnet.
The secondary HA host that you want to add to the HA cluster is not a component in another HA cluster.
Link bandwidth and latency
• To configure high-availability (HA), you must consider the bandwidth and latency between the primary
and secondary HA hosts.
• If your HA cluster is using disk synchronization, the following conditions must be met:
The connection between the primary and secondary HA host has a minimum bandwidth of 1 gigabit per second (Gbps).
The latency between the primary and secondary HA host is less than 2 milliseconds (ms).
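An added example (not IBM's HA guide or QRadar's own tooling) that checks a proposed primary/secondary pair against the pairing requirements listed above, from the /store sizing and file-system match down to the link bandwidth and latency limits. The host and link descriptors are constructed dicts whose field names are assumptions; on real hosts you would fill them in from df, ip and the installed version yourself.

```python
import ipaddress

MIN_BANDWIDTH_GBPS = 1.0   # disk synchronization link requirement
MAX_LATENCY_MS = 2.0       # latency must stay below this value
MIN_STORAGE_GB = 130       # minimum storage for a replacement appliance
DRBD_PORT = 7789           # disk replication traffic, bidirectional


def check_ha_pair(primary, secondary, link):
    """Return a list of violations of the HA pairing requirements; [] means the
    pair passes. Field names below are assumptions for this example."""
    problems = []
    if secondary["store_gb"] + secondary["transient_gb"] < primary["store_gb"]:
        problems.append("secondary /store + /transient smaller than primary /store")
    if primary["store_fs"] != secondary["store_fs"]:
        problems.append(f"/store file system mismatch ({primary['store_fs']} vs {secondary['store_fs']})")
    if primary["mgmt_iface"] != secondary["mgmt_iface"]:
        problems.append("management interface name differs between hosts")
    if primary["n_interfaces"] > secondary["n_interfaces"]:
        problems.append("primary has more physical interfaces than secondary")
    if primary["version"] != secondary["version"]:
        problems.append("QRadar software versions differ; patch before pairing")
    for name, host in (("primary", primary), ("secondary", secondary)):
        if host["total_storage_gb"] < MIN_STORAGE_GB:
            problems.append(f"{name} storage is below {MIN_STORAGE_GB} GB")
    p_net = ipaddress.ip_interface(primary["mgmt_ip"]).network
    if ipaddress.ip_interface(secondary["mgmt_ip"]).network != p_net:
        problems.append("secondary is not in the primary's subnet")
    if ipaddress.ip_address(link["cluster_vip"]) not in p_net:
        problems.append("cluster virtual IP is outside the primary's subnet")
    if not secondary["ha_activation_key"]:
        problems.append("secondary has no HA activation key")
    if secondary["in_other_cluster"]:
        problems.append("secondary already belongs to another HA cluster")
    if not link["drbd_port_open"]:
        problems.append(f"TCP {DRBD_PORT} is not open between the hosts (DRBD)")
    if link["bandwidth_gbps"] < MIN_BANDWIDTH_GBPS:
        problems.append("link bandwidth is below 1 Gbps")
    if link["latency_ms"] >= MAX_LATENCY_MS:
        problems.append("link latency is not below 2 ms")
    return problems


# Constructed descriptors (not real hosts); the activation key is a placeholder.
PRIMARY = {"store_gb": 3000, "transient_gb": 0, "store_fs": "ext3", "mgmt_iface": "ens192",
           "mgmt_ip": "10.10.20.11/24", "version": "7.3.1", "n_interfaces": 2, "total_storage_gb": 3300}
SECONDARY_OK = {"store_gb": 2800, "transient_gb": 400, "store_fs": "ext3", "mgmt_iface": "ens192",
                "mgmt_ip": "10.10.20.12/24", "version": "7.3.1", "n_interfaces": 2,
                "total_storage_gb": 3300, "ha_activation_key": "KEY-PLACEHOLDER", "in_other_cluster": False}
LINK_OK = {"bandwidth_gbps": 10.0, "latency_ms": 0.4, "drbd_port_open": True, "cluster_vip": "10.10.20.10"}
# The 3 TB vs 2 TB pairing from the slides, plus a mismatched /store file system.
SECONDARY_BAD = dict(SECONDARY_OK, store_gb=2000, transient_gb=0, store_fs="ext4")

if __name__ == "__main__":
    for problem in check_ha_pair(PRIMARY, SECONDARY_BAD, LINK_OK):
        print("FAIL:", problem)
```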
Data backup requirements
• There are items to consider for data backup before you configure hosts for High-availability (HA).
• If a backup archive originates on an HA cluster, click Deploy Full Configuration to restore the HA
cluster configuration after the restore is complete. If disk replication is enabled, the secondary HA host
immediately synchronizes data after the system is restored.
• If the secondary HA host is removed from the deployment after a backup is completed, the secondary
HA host displays a Failed status on the System and License Management window.
For more information reference the High Availability Guide
IBM & BP INTERNAL USE ONLY
The Offering: SIEM Capabilities of QRadar Delivered as a Service
Threat Indicators
Extensive data sources
Data Gateway
QRadar SIEM Value Proposition
• Real time and historical correlation of
assets, events, and vulnerabilities
• Advanced threat detection
• Configurable SOC and management
dashboards
• Supports integrations of 450+ security and
IT solutions
• Rapid time to value
Service Highlights
• High Availability standard
• X-Force Threat Feed Integration
• No Log Source limitations
• No Appliance based Licensing
• 24/7 Health Monitoring
• System Management: upgrades, patches
• Supports Temporary EPS upgrades
Extensive data sources (diagram labels):
• Application activity
• Configuration information
• Data activity
• Network and virtual activity
• Security devices
• Servers and mainframes
• Users and identities
• Vulnerabilities and threats