Data Security Solutions: QRadar Latest Features
Artūrs Garmašovs
2016
Riga, Latvia
New Feature Overview: QRadar SIEM/LM 7.2.5 - 7.2.6

New Features in QRadar 7.2.5
(Figure: QRadar product family: Vulnerability Manager, Risk Manager, SIEM, Incident Forensics)
• API Updates
• Historical Correlation
• Overlapping IP Support in SIEM
• Support LDAP Authorization
• Deployment Actions from System Management
• GetLogs in the UI
• Enterprise Ready Reporting
• Patch Rollback Framework
• Factory Re-install, new ‘retain’ option to preserve /store
• Miscellaneous Clean Up
• Security Updates
• Offense (CRE) Count Resets
• Password Storage Enhancement

New Features in QRadar 7.2.6
(Figure: QRadar product family: Vulnerability Manager, Risk Manager, SIEM, Incident Forensics)
• API Updates
• Historical Correlation Updates
• Multitenancy and Tenant Administration
• Super indexes
• License enhancements (give back)
• Data Obfuscation user interface
• Custom rule actions / scripts
• New Custom Rule Tests
• Deployment Editor
• Multiple Email Templates
• Log Activity and Network Activity user interface enhancements
• Reference Set Updates
• Deletion Framework
• Security updates
• Extensions Management
• IBM Security X-Force App Exchange
Historical Correlation
Historical correlation brings the power of QRadar’s real-time correlation engine to the historical domain, offering users the ability to replay data through powerful correlations to surface new and timely insights.
Historical Correlation targets three main use cases:
• Correlation of security events on device time rather than collection time, allowing QRadar to unwind bulk-loaded data sets.
• Discovery of previously hidden IOCs, threats and incidents as new threat intelligence becomes available.
• Tuning of new threat detection and security policies against historical data.

Historical Correlation enables customers to rerun past events and flows through the custom rules engine
– Events can be correlated by ‘start time’ or ‘device time’
– Flows are only correlated by ‘start time’
Historical Correlation is enabled by creating a Historical Correlation Profile
– Profiles contain the configuration parameters that are used for historical correlation

Where?
– Offenses > Rules > Actions > Historical Correlation
– Log Activity > Actions > Historical Correlation
– Network Activity > Actions > Historical Correlation
– Ariel searches only search on Start Time (not device time)

Historical Correlation profiles can be created by selecting Add:
– Event Profile: to create an event historical correlation profile
– Flow Profile: to create a flow historical correlation profile
Using Historical Correlation
Using Historical Correlation – Event Profile
Historical Correlation must be configured with the following information:
1. Saved Search - Choose a search from the drop-down of Saved Searches.
2. Rules
   1. Choose to run on all rules, or select one or more specific rules to run
   2. Choose to correlate events by:
      • Device Time
      • Start Time
3. Schedule - Choose to schedule manually or repeat based on an Hourly, Daily, Weekly, or Monthly frequency.
When a Historical Correlation is run, events that meet the included rule(s) create historical correlation offenses, which are identified by the clock icon.
Using Historical Correlation – Viewing Results
Overlapping IP Support in SIEM / Domain Management
Domain Management (Domain Segmentation) allows QRadar administrators to define what data belongs in a domain. Domains can be used to differentiate flow and event data that carry the same IP address by the ‘domain’ the administrator has created.
Domains can also be used in security profiles to segment users so that they are only allowed to see specific data sources within their domain.
Where is it? Admin tab > System Configuration > Domain Management
How do you define a domain? Domain creation can be based on one or more of the following criteria:
– Custom Property Value (RegEx)
– Log Source/Log Source Group
– Event Collector
– Flow Source
– Scanners

New Domain – Events by Log Source or Log Source Group

Domain Offenses
QRadar SIEM offenses are now domain aware:
– The domain of the offense is displayed in the offense list
– You can sort on the domain of the offense by clicking on the domain header. The default domain does NOT sort alphabetically; it is displayed at the top or bottom of the sorted list, depending on ascending or descending order.
– Domain can be filtered on the offense search screen
GetLogs in the UI
get_logs.sh is a shell script used to collect logs. Previously, end users had to SSH to the Console or a Managed Host, run the script, FTP the result file to a client machine and upload it to the PMR.
From 7.2.5, end users can kick off a log collection task and download the result file from the web browser after receiving a notification on the dashboard when the task completes.
– Users don't need root access to the Console, nor to switch back and forth between server and client.
– Users can stay in the UI and continue their work while logs are being collected, which may take as long as a few minutes.
The Log Collection UI is available on the System and License Management page for the admin user.
– Only one Log Collection is allowed to run at any time.
– You can cancel a running get_logs request with the X button in the status bar.
– The result file is located under /store/LOGS, and get_logs.sh automatically cleans up files older than 90 days.
Admin tab > System and License Management > Actions > Collect Log Files.
The System and License Management screen status bar informs administrators that log files are being collected:
– Collection can be canceled by clicking the red X
– When the collection is finished, a download link will appear
Introducing Multitenancy / Tenant Management
The concept of Tenant administration (Multi-tenancy) is introduced in 7.2.6. For Managed Service teams: Tenant = Individual Customer.
(Figure: one QRadar deployment serving Tenant A and Tenant B)
Multi-tenancy
An administrator must create tenants, then use the Domain Management screen to assign one or more domains to the tenant.
Tenant Capabilities
– A tenant has one or more domains – this supports customers who require more than one domain
– A tenant’s EPS or FPM limits can be managed – this allows better management of their license capacities.
Tenant Administration
– A tenant can manage their own Network Hierarchy – this establishes a foundation to empower the customer to become more self-sufficient from an administrative standpoint
– A tenant can also manage their Centralized Credentials – the credentials required for vulnerability scans
– A tenant can also view their own log sources
Search Performance – Super Indexes
Indexes in QRadar 7.2.5 and below are created based on minute-by-minute data. In QRadar 7.2.6, we introduce the concept of Super indexes.
How it works: After upgrading to QRadar 7.2.6, the system still creates minute-by-minute indexes in Ariel. At 20 minutes past each hour, the system reads the indexes into memory and converts the existing index to a super index. These super indexes are a rollup for the previous hour and are optimized for performance.
This new index format speeds up indexed data searches by almost 10x for indicator of compromise (IOC) type searches. Examples of IOC type searches are searches on IP address, domain and host name. All new data received by QRadar is automatically indexed in the new format.
Note: This feature does not apply to the Quick Filter’s Full Payload Indexing, only to indexed values in the Index Management interface.
Data Obfuscation
Data obfuscation offers QRadar administrators the ability to strategically “hide” and restrict visibility to data within their deployment.
Obfuscation occurs within the data records themselves to ensure that the content is never compromised. Data is only reverted to its original form for presentation in the UI if the keys are provided by the user.
The most common use of data obfuscation is to hide sensitive information such as PII or PHI (social insurance numbers, usernames, credit card numbers, etc.).
Data Obfuscation – 3 Easy Steps…
1. Launch Data Obfuscation Management
2. Configure a data obfuscation profile
3. Configure each obfuscation expression
Data Obfuscation – Voila!
Custom Defined Action from a Rule
QRadar 7.2.6 introduces the idea of Custom Actions, which allow administrators to pass data to a script based on a rule response in QRadar. This feature can be used to extend rules from QRadar to outside security devices or systems.
For example, a script that updates a firewall rule can block a source IP address in response to a rule that is triggered by a defined number of failed login attempts.
Where? Admin tab > Custom Actions > Define Actions.
Custom Actions are executed in a “jailshell” in order to protect QRadar from possible exploits.
Management screens allow for easy configuration and validation of custom actions before they are placed into production.
Custom Defined Action from a Rule
Custom Action Properties
Basic Information
• Name
• Description
Script Configuration
• Interpreter – Bash, Perl, Python
• Script File – the actual script you will run
Script Parameters
• Fixed Property – enter a static parameter that will be passed to your script
• Network Event Property – a property of a network event (common event and flow properties) can be dynamically passed to your script; it is pulled from the event or flow that triggered the rule.
Custom Actions can be added as rule responses in the Rule Wizard
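As an added example (not code from the presentation or from IBM), here is a Python custom action script of the kind described above: it receives a Fixed Property and a Network Event Property, validates both, and only then builds the firewall command, so a malformed value from an event never reaches a shell. It assumes the two parameters arrive as positional arguments in the configured order, and it drives a hypothetical firewall CLI called fwctl.

```python
#!/usr/bin/env python3
"""Constructed QRadar custom action script (added example, not from the slides).
Assumed, since the presentation does not say: the two configured parameters
arrive as positional arguments in this order: (1) a Fixed Property naming the
firewall policy, (2) a Network Event Property, the source IP of the event that
fired the rule. Both are validated before any command is built."""
import ipaddress
import re
import subprocess
import sys

POLICY_NAME = re.compile(r"^[A-Za-z0-9_-]{1,32}$")  # accepted policy names
# Ranges the action must never block (constructed list: internal ranges and
# loopback); an automated block on these would risk a self-inflicted outage.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_action_args(argv):
    """Validate [policy, source_ip]; raise ValueError on anything unexpected."""
    if len(argv) != 2:
        raise ValueError("expected 2 parameters, got %d" % len(argv))
    policy, raw_ip = argv
    if not POLICY_NAME.match(policy):
        raise ValueError("invalid policy name: %r" % policy)
    ip = ipaddress.ip_address(raw_ip.strip())  # ValueError if not a bare IP
    if any(ip in net for net in NEVER_BLOCK):
        raise ValueError("refusing to block protected address %s" % ip)
    return {"policy": policy, "ip": str(ip)}

def build_block_command(action):
    """Firewall command as an argv list, so no shell ever parses the values.
    'fwctl' is a hypothetical placeholder for the real firewall CLI."""
    return ["fwctl", "policy", action["policy"], "deny", "src", action["ip"]]

def main(argv):
    try:
        action = parse_action_args(argv)
    except ValueError as exc:
        print("custom action rejected parameters: %s" % exc, file=sys.stderr)
        return 2  # non-zero exit so the failure is visible when the action is tested
    try:
        return subprocess.run(build_block_command(action), check=False).returncode
    except FileNotFoundError:
        print("firewall CLI not found on this host", file=sys.stderr)
        return 127

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```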
Answer:
• Sharing and collaboration of product apps and content
• Use-case driven apps
• Visualizations and reports
• Rules and responses
• Third-party extensions
• Automated responses
• Best practices
IBM QRadar Security Intelligence Platform
IBM Security App Exchange - Enabling complete cooperative defense (NEW)
IBM Security App Exchange
• Address the impact of time and skills shortages on your organization
• Be more responsive to new needs, technologies, and threats with best practice solutions
• Leverage the power and knowledge of the QRadar Community
• Easy to use, fast to consume use cases and visualizations
IBM Security App Exchange
QRadar 7.2.6 introduces the Security App Exchange feature.
What is an App?
– Small plug-in modules for QRadar.
– From within a secure container, apps serve data from endpoints, injecting content directly into the standard QRadar User Interface.
– Applications are installed as extensions through Extension Management.
The Application Framework allows:
– Users to install applications from the X-Force App Exchange website.
– Users to install custom applications created in house or by IBM, IBM partners or IBM Professional Services.
Applications can contain:
– New content, such as dashboards, customized tabs, and more.
– New screens for interacting with QRadar
Applications can be downloaded through the IBM Security App Exchange. The App Exchange is available through “IBM Security App Exchange” on the Extensions Management toolbar.
IBM Security App Exchange
The side bar allows you to quick filter.
Sort by:
• Apps
• Custom Properties
• Custom Rule
• Dashboard
• Reference data
• Saved Searches
• And more…
Content Packs (Content Pack – Status – Description)

IBM Security Anomaly Content – Released
These rules focus on anomaly detection.
• 19 rules and building blocks

IBM Security Compliance Content – Released
These rules and reports focus on general compliance and policy controls.
• 4 custom event properties
• 49 event and flow searches related to monitoring compliance.
• 153 reports related to monitoring compliance.
• 140 rules and building blocks related to monitoring compliance.
• 10 reference data sets related to monitoring server types for compliance purposes.

IBM Security Intrusion Content – Released
These rules focus on detection of intrusions and post-intrusion activity.
• 72 rules and building blocks
• 1 reference data set for

IBM Security GPG13 Content – Pending
Content focused on the Good Practice Guide 13 standard.
• 98 rules and building blocks
• 31 event and flow searches
• 29 reports

IBM Security Reconnaissance Content – Released
Content focused on detection of reconnaissance activity within your enterprise.
• 104 rules and building blocks
• 10 reference sets

IBM Security Threat Content – Released
These rules focus on threat indicators and integration with threat intelligence feeds.
• 114 rules and building blocks
• 2 custom event properties for identifying URLs
• 10 reference sets

IBM Security ISO 27001 Content – Released
These rules and reports focus on the ISO 27001 standard for information security management and its compliance and policy controls.
• 35 rules and building blocks
• 4 event properties
• 29 event searches
• 77 reports
Contact Us
Artūrs Garmašovs
[email protected]
Riga, Latvia
www.dss.lv
LinkedIn: http://ow.ly/FAflz
Twitter: http://ow.ly/FAfv0
Facebook: http://ow.ly/FAfzZ
Youtube: http://ow.ly/FAfEN
SlideShare: http://ow.ly/FAfHd

Think Security First
Thank you