
Page 1: DSS.LV - IBM QRadar Security Intelligence 2016 - New Features

Data Security Solutions Qradar Latest Features

Artūrs Garmašovs

2016

Riga, Latvia

Page 2

New Feature Overview: QRadar SIEM/LM 7.2.5 - 7.2.6

Page 3

New Features in QRadar 7.2.5

• API Updates
• Historical Correlation
• Overlapping IP Support in SIEM
• Support LDAP Authorization
• Deployment Actions from System Management
• GetLogs in the UI
• Enterprise Ready Reporting
• Patch Rollback Framework
• Factory Re-install, new ‘retain’ option to preserve /store
• Miscellaneous Clean Up
• Security Updates
• Offense (CRE) Count Resets
• Password Storage Enhancement

(Slide graphic: the QRadar platform components Vulnerability Manager, Risk Manager, SIEM and Incident Forensics)

Page 4

New Features in QRadar 7.2.6

• API Updates
• Historical Correlation Updates
• Multitenancy and Tenant Administration
• Super indexes
• License enhancements (give back)
• Data Obfuscation user interface
• Custom rule actions / scripts
• New Custom Rule Tests
• Deployment Editor
• Multiple Email Templates
• Log Activity and Network Activity user interface enhancements
• Reference Set Updates
• Deletion Framework
• Security updates
• Extensions Management
• IBM Security X-Force App Exchange

(Slide graphic: the QRadar platform components Vulnerability Manager, Risk Manager, SIEM and Incident Forensics)

Page 5

Historical Correlation

Historical correlation brings the power of QRadar’s real-time correlation engine to the historical domain, offering users the ability to replay data through powerful correlations to surface new and timely insights.

Historical Correlation targets three main use cases:
• Correlation of security events on device time rather than collection time, allowing QRadar to unwind bulk loaded data sets.
• Discover previously hidden IOCs, threats and incidents as new threat intelligence becomes available.
• Tune new threat detection and security policies against historical data.

Page 6

Historical Correlation

Historical Correlation enables customers to rerun past events and flows through the custom rules engine
– Events can be correlated by ‘start time’ or ‘device time’
– Flows are only correlated by ‘start time’

Historical Correlation is enabled by creating a Historical Correlation Profile
– Profiles contain the configuration parameters that are used for historical correlation

Where?
– Offenses > Rules > Actions > Historical Correlation
– Log Activity > Actions > Historical Correlation
– Network Activity > Actions > Historical Correlation
– Ariel searches only search on Start Time (not device time)

Page 7

Using Historical Correlation

Historical Correlation profiles can be created by selecting Add:
– Event Profile
  • To create an event historical correlation profile
– Flow Profile
  • To create a flow historical correlation profile

Page 8

Using Historical Correlation – Event Profile

Page 9

Using Historical Correlation – Event Profile (Continued)

Historical Correlation must be configured with the following information:

1. Saved Search - Choose a search from the drop-down of Saved Searches.
2. Rules
   1. Can choose to run on all rules, or select one or more specific rules to run
   2. Can choose to correlate Events by:
      • Device Time
      • Start Time
3. Schedule - Choose to schedule manually or repeat based on an Hourly, Daily, Weekly, or Monthly frequency.

Page 10

Using Historical Correlation – Viewing Results

When a Historical Correlation is run, events that meet the included rule(s) create historical correlation offenses, which are identified by the clock icon.
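The following example illustrates why the "device time vs. start time" choice in an event profile matters for bulk-loaded data. It is an added illustration written for this page, not QRadar code or IBM's correlation engine: a simplified threshold rule ("5 or more login failures from one source IP inside 5 minutes") is replayed over a constructed batch of events that were all collected at the same moment but carry spread-out device timestamps. The field names (`device_time`, `start_time`, `src_ip`, `name`) and the rule itself are assumptions for the demo.

```python
"""Replay stored events through one threshold rule, keyed on either
'start_time' (when the event was collected) or 'device_time' (the timestamp
the log source wrote). Added illustration of the historical-correlation idea;
not QRadar code. All events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: the whole batch was bulk-loaded at one moment, so every
# event shares the same start_time, while device_time is spread out.
COLLECTED_AT = datetime(2016, 3, 1, 9, 0, 0)


def _ev(device_time, src_ip, name="Login Failure"):
    return {"device_time": device_time, "start_time": COLLECTED_AT,
            "src_ip": src_ip, "name": name}


EVENTS = [
    # A real burst: five failures inside three minutes of device time.
    _ev(datetime(2016, 2, 28, 14, 0, 5), "10.1.1.20"),
    _ev(datetime(2016, 2, 28, 14, 0, 40), "10.1.1.20"),
    _ev(datetime(2016, 2, 28, 14, 1, 10), "10.1.1.20"),
    _ev(datetime(2016, 2, 28, 14, 1, 50), "10.1.1.20"),
    _ev(datetime(2016, 2, 28, 14, 2, 30), "10.1.1.20"),
    # A trickle: five failures two hours apart, which should not fire.
    _ev(datetime(2016, 2, 28, 8, 0, 0), "10.1.1.30"),
    _ev(datetime(2016, 2, 28, 10, 0, 0), "10.1.1.30"),
    _ev(datetime(2016, 2, 28, 12, 0, 0), "10.1.1.30"),
    _ev(datetime(2016, 2, 28, 14, 0, 0), "10.1.1.30"),
    _ev(datetime(2016, 2, 28, 16, 0, 0), "10.1.1.30"),
    # A success, which the rule ignores.
    _ev(datetime(2016, 2, 28, 14, 3, 0), "10.1.1.20", "Login Success"),
]


def failed_login_rule(events, time_field, threshold=5, window=timedelta(minutes=5)):
    """Fire once per source IP when `threshold` or more 'Login Failure' events
    fall inside a sliding `window`, measured on `time_field`.
    Returns one offense dict per IP that fired."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["name"] == "Login Failure":
            by_ip[ev["src_ip"]].append(ev[time_field])
    offenses = []
    for ip, times in sorted(by_ip.items()):
        times.sort()
        left = 0
        for right, t in enumerate(times):
            # Shrink the window from the left until it spans at most `window`.
            while t - times[left] > window:
                left += 1
            if right - left + 1 >= threshold:
                offenses.append({"src_ip": ip, "window_start": times[left],
                                 "window_end": t, "historical": True})
                break
    return offenses


def run_historical_correlation(events, correlate_by):
    """Entry point mirroring the profile option: 'device_time' or 'start_time'."""
    if correlate_by not in ("device_time", "start_time"):
        raise ValueError("events can be correlated by 'device_time' or 'start_time'")
    return failed_login_rule(events, correlate_by)


def fired_ips(events, correlate_by):
    return [o["src_ip"] for o in run_historical_correlation(events, correlate_by)]


if __name__ == "__main__":
    print("by device time:", fired_ips(EVENTS, "device_time"))
    print("by start time: ", fired_ips(EVENTS, "start_time"))
```

Correlated on device time only 10.1.1.20 produces an offense; correlated on start time both IPs do, because every bulk-loaded event collapses onto the single collection timestamp and the slow trickle looks like a burst. That is the false positive the deck's first use case (unwinding bulk-loaded data on device time) avoids.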

Page 11

Overlapping IP Support in SIEM / Domain Management

Domain Management (Domain Segmentation) allows QRadar administrators to define what data belongs in a domain. Domains can be used to differentiate flow and event data with the same IP address by ‘domain’ as created by the administrator.

Domains can also be used in security profiles, so that users are only allowed to see specific data sources within their domain.

Where is it?
Admin tab > System Configuration > Domain Management

How do I define a domain?
Domain creation can be based on one or more of the following criteria:
– Custom Property Value (RegEx)
– Log Source/Log Source Group
– Event Collector
– Flow Source
– Scanners

Page 12

New Domain – Events by Log Source or Log Source Group

Page 13

Domain Offenses

QRadar SIEM offenses are now domain aware:
– The domain of the offense will be displayed on the offense list
– You can sort on the domain of the offense by clicking on the domain header. The default domain does NOT sort in alphabetical order; it is always displayed at the top or bottom of the sorted list, depending on ascending or descending order
– Domain can be filtered on the offense search screen

Page 14

GetLogs in the UI

get_logs.sh is a shell script used to collect logs. Previously, end users had to ssh to the Console or Managed Host (MH), run the script, ftp the result file to a client machine and upload it to the PMR.

From 7.2.5, end users are able to kick off a log collection task and download the result file from the web browser after receiving a notification on the dashboard when the task completes.
– Users don't need root access to the Console, and don't have to switch back and forth between server and client.
– Users can stay on the UI and continue their work while logs are being collected, which may take as long as a few minutes.

The Log Collection UI is available on the System and License Management page for the admin user.
– Only one Log Collection is allowed to run at any time.
– You can cancel a running get_logs request with the X button in the status bar.
– The result file is located under /store/LOGS, and get_logs.sh will automatically clean up files that are older than 90 days.

Page 15

Admin tab > System and License Management > Actions > Collect Log Files.

Page 16

The System and License Management screen status bar informs administrators that log files are being collected:
– Collection can be canceled by clicking the red X
– When the collection is finished, a download link will appear

Page 17

Introducing Multitenancy / Tenant Management

The concept of Tenant administration (Multi-tenancy) is introduced in 7.2.6. For Managed Service teams: Tenant = Individual Customer

Page 18

Multi-tenancy

(Slide diagram: one QRadar deployment serving Tenant A and Tenant B)

An administrator must create tenants, then use the Domain Management screen to assign one or more domains to the tenant.

Page 19

Tenant Capabilities

A tenant has one or more domains – this allows supporting customers who require more than one domain.

A tenant’s EPS or FPM limits can be managed – this allows better management of their license capacities.

Page 20

Tenant Administration

A tenant can manage their own Network Hierarchy – this establishes a foundation to empower the customer to become more self-sufficient from an administrative standpoint.

A tenant can also manage their Centralized Credentials – the credentials required for vulnerability scans.

A tenant can also view their own log sources.
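The example below ties together the Domain Management slides (Page 11: domain criteria, overlapping IPs) and the tenant slides (Pages 18-19: tenants own domains and carry EPS limits). It is an added illustration written for this page, not QRadar's implementation: domains are assigned with the criteria the deck lists, the same source IP seen in two domains is counted as two distinct things, and a security-profile style filter shows a tenant only its own domains' data. Domain names, tenant names, the event field layout, the "first match wins" precedence and the EPS numbers are all constructed assumptions.

```python
"""Domain segmentation and tenant visibility, as an added illustration of
Pages 11 and 18-19. Not QRadar code; every name and number is constructed."""
import re
from collections import Counter

DEFAULT_DOMAIN = "Default Domain"

# Constructed domain definitions using the slide's criteria: custom property
# regex, log source / log source group, event collector, flow source.
DOMAINS = [
    {"name": "CustomerA", "log_sources": {"fw-a-01", "ad-a-01"},
     "log_source_groups": set(), "event_collectors": set(),
     "flow_sources": set(), "custom_property_regex": None},
    {"name": "CustomerB", "log_sources": set(),
     "log_source_groups": {"CustomerB-Firewalls"}, "event_collectors": {"ec-b"},
     "flow_sources": {"qflow-b"}, "custom_property_regex": None},
    {"name": "Lab", "log_sources": set(), "log_source_groups": set(),
     "event_collectors": set(), "flow_sources": set(),
     "custom_property_regex": re.compile(r"^lab-")},
]

# Constructed tenants: each owns one or more domains and has an EPS limit.
TENANTS = {
    "Tenant A": {"domains": {"CustomerA"}, "eps_limit": 500},
    "Tenant B": {"domains": {"CustomerB", "Lab"}, "eps_limit": 1000},
}

# Constructed events: 10.0.0.5 exists in two customers' private networks.
EVENTS = [
    {"id": 1, "log_source": "fw-a-01", "log_source_group": "CustomerA-Firewalls",
     "event_collector": "ec-a", "custom_property": "", "src_ip": "10.0.0.5"},
    {"id": 2, "log_source": "ad-a-01", "log_source_group": "",
     "event_collector": "ec-a", "custom_property": "", "src_ip": "10.0.0.5"},
    {"id": 3, "log_source": "fw-b-07", "log_source_group": "CustomerB-Firewalls",
     "event_collector": "ec-b", "custom_property": "", "src_ip": "10.0.0.5"},
    {"id": 4, "log_source": "syslog-x", "log_source_group": "",
     "event_collector": "ec-x", "custom_property": "lab-host1", "src_ip": "192.168.1.9"},
    {"id": 5, "log_source": "unknown-src", "log_source_group": "",
     "event_collector": "ec-z", "custom_property": "", "src_ip": "10.0.0.5"},
]


def assign_domain(event):
    """First domain whose criteria match wins (assumed precedence);
    data that matches nothing lands in the default domain."""
    for d in DOMAINS:
        if event["log_source"] in d["log_sources"]:
            return d["name"]
        if event["log_source_group"] in d["log_source_groups"]:
            return d["name"]
        if event["event_collector"] in d["event_collectors"]:
            return d["name"]
        if event.get("flow_source") in d["flow_sources"]:
            return d["name"]
        rx = d["custom_property_regex"]
        if rx is not None and rx.search(event["custom_property"]):
            return d["name"]
    return DEFAULT_DOMAIN


def count_by_domain_and_ip(events):
    """The same IP in two domains yields two keys, so overlapping address
    space no longer merges two customers' activity into one count."""
    return Counter((assign_domain(ev), ev["src_ip"]) for ev in events)


def tenant_of(domain):
    for name, t in TENANTS.items():
        if domain in t["domains"]:
            return name
    return None


def visible_to(tenant, events):
    """Security-profile style filter: ids of events in the tenant's domains only."""
    allowed = TENANTS[tenant]["domains"]
    return [ev["id"] for ev in events if assign_domain(ev) in allowed]


def tenant_over_eps_limit(tenant, observed_eps):
    return observed_eps > TENANTS[tenant]["eps_limit"]


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["id"], ev["src_ip"], "->", assign_domain(ev))
    print(count_by_domain_and_ip(EVENTS))
    print("Tenant B sees:", visible_to("Tenant B", EVENTS))
```

Note that event 5 matches no criteria, so it falls into the default domain and is visible to neither tenant; in a multi-tenant deployment that is the data an administrator should review, because it is unassigned rather than safely hidden.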

Page 21

Search Performance – Super Indexes

Indexes in QRadar 7.2.5 and below are created based on minute-by-minute data. In QRadar 7.2.6, we introduce the concept of Super Indexes.

How it works
After upgrading to QRadar 7.2.6, the system still creates minute-by-minute indexes in Ariel. At 20 minutes past each hour, the system reads the indexes into memory and converts the existing indexes into a super index. These super indexes are a rollup of the previous hour and are optimized for performance.

This new index format speeds up indexed data searches by almost 10x for indicator of compromise (IOC) type searches. Some examples of IOC type searches are searches on IP address, domain and host name. All new data that is received by QRadar is automatically indexed in the new format.

Note: This feature does not apply to the Quick Filter’s Full Payload Indexing, but to indexed values in the Index Management interface.
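To make the "rollup of the previous hour" concrete, here is an added toy model of minute indexes being merged into an hourly super index, and of an IOC lookup against each. It is an illustration written for this page, not Ariel's on-disk format or IBM code: the inverted-index layout, the record fields, the probe counting and the way the 20-minute delay is checked are all constructed assumptions.

```python
"""Minute indexes rolled up into an hourly super index. Added illustration
of the Super Indexes slide; not Ariel code. Records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

ROLLUP_DELAY = timedelta(minutes=20)  # slide: rollup runs at 20 past the hour

# Constructed records for one hour; 'minute' is the minute within that hour
# and 'src_ip' is the indexed property an IOC search would look up.
RECORDS = [
    {"id": 1, "minute": 0, "src_ip": "198.51.100.7"},
    {"id": 2, "minute": 0, "src_ip": "10.2.2.2"},
    {"id": 3, "minute": 17, "src_ip": "198.51.100.7"},
    {"id": 4, "minute": 42, "src_ip": "10.3.3.3"},
    {"id": 5, "minute": 59, "src_ip": "198.51.100.7"},
]


def build_minute_indexes(records):
    """One inverted index per minute: indexed value -> set of record ids."""
    indexes = defaultdict(lambda: defaultdict(set))
    for r in records:
        indexes[r["minute"]][r["src_ip"]].add(r["id"])
    return indexes


def search_minute_indexes(indexes, value):
    """Pre-rollup lookup: every minute index of the hour must be probed.
    Returns (sorted record ids, number of index probes)."""
    hits, probes = set(), 0
    for minute in range(60):
        probes += 1
        hits |= indexes.get(minute, {}).get(value, set())
    return sorted(hits), probes


def roll_up(indexes):
    """Merge the minute indexes of a completed hour into one super index."""
    super_index = defaultdict(set)
    for minute_index in indexes.values():
        for value, ids in minute_index.items():
            super_index[value] |= ids
    return {value: sorted(ids) for value, ids in super_index.items()}


def search_super_index(super_index, value):
    """Post-rollup lookup: a single probe answers the whole hour."""
    return super_index.get(value, []), 1


def rollup_due(hour_start_iso, now_iso):
    """An hour is eligible for rollup once the clock reaches 20 minutes past
    the following hour (assumed reading of the slide's schedule)."""
    hour_start = datetime.fromisoformat(hour_start_iso)
    now = datetime.fromisoformat(now_iso)
    return now >= hour_start + timedelta(hours=1) + ROLLUP_DELAY


if __name__ == "__main__":
    idx = build_minute_indexes(RECORDS)
    print("minute indexes:", search_minute_indexes(idx, "198.51.100.7"))
    print("super index:   ", search_super_index(roll_up(idx), "198.51.100.7"))
```

The probe count is the point: an IOC search for one IP over a day touches 1,440 minute indexes before the rollup and 24 super indexes after it, which is the kind of gain the slide's "almost 10x" figure refers to (the exact factor depends on data and hardware, not on this toy).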

Page 22

Data Obfuscation

Data obfuscation offers QRadar administrators the ability to strategically “hide” and restrict visibility to data within their deployment.

Obfuscation occurs within the data records themselves to ensure that the content is never compromised. Data is only reverted to its original form for presentation in the UI if the keys are provided by the user.

The most common use of data obfuscation is to hide sensitive information such as PII or PHI (social insurance numbers, usernames, credit card numbers, etc.)

Page 23

Data Obfuscation – 3 Easy Steps…

1. Launch Data Obfuscation Management
2. Configure a data obfuscation profile
3. Configure each obfuscation expression

Page 24

Data Obfuscation – Voila!
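The three steps above (profile, then one expression per field) are easier to reason about with a working model, so here is an added example of a profile applied to a record and later reversed with the key. It is written for this page and is not QRadar's obfuscation code: the slides do not describe IBM's algorithm or key handling, so the reversible transform here (HMAC-SHA256 used as a counter-mode keystream plus a short authentication tag) is a stand-in chosen so the example runs on the standard library, and the profile, field names, record and key are constructed.

```python
"""Obfuscation profile applied to a record and reversed with the key.
Added illustration of Pages 22-23; the cipher construction is a stand-in,
not IBM's, and all data and keys are constructed."""
import base64
import hashlib
import hmac
import os
import re

# Step 2/3: a constructed profile with one expression per field. Each
# expression names the field and a regex; every match is obfuscated.
PROFILE = [
    {"field": "username", "pattern": re.compile(r".+")},
    {"field": "payload", "pattern": re.compile(r"\b\d{4}-\d{4}-\d{4}-\d{4}\b")},
]
TOKEN_RE = re.compile(r"OBF:[A-Za-z0-9_=-]+")
KEY = b"constructed-demo-key-do-not-reuse"  # constructed; never hard-code a real key

RECORD = {"username": "jdoe", "src_ip": "10.0.0.7",
          "payload": "card=4111-1111-1111-1111 status=ok"}  # constructed sample


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in construction)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def obfuscate_value(plaintext, key):
    """Fresh nonce per value, XOR with keystream, 8-byte tag so a wrong key
    is detected instead of silently producing garbage."""
    nonce = os.urandom(8)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:8]
    return "OBF:" + base64.urlsafe_b64encode(nonce + tag + ct).decode()


def reveal_value(token, key):
    raw = base64.urlsafe_b64decode(token[len("OBF:"):])
    nonce, tag, ct = raw[:8], raw[8:16], raw[16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted token")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def apply_profile(record, key):
    """Obfuscate inside the record itself; fields not in the profile are untouched."""
    out = dict(record)
    for expr in PROFILE:
        field = expr["field"]
        if field in out:
            out[field] = expr["pattern"].sub(lambda m: obfuscate_value(m.group(0), key), out[field])
    return out


def reveal_record(record, key):
    """What the UI does when the user supplies the key: replace every token."""
    return {k: TOKEN_RE.sub(lambda m: reveal_value(m.group(0), key), v) if isinstance(v, str) else v
            for k, v in record.items()}


def can_reveal(record, key):
    try:
        reveal_record(record, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    stored = apply_profile(RECORD, KEY)
    print("stored:  ", stored)
    print("revealed:", reveal_record(stored, KEY))
```

Two properties worth checking in any obfuscation setup are visible here: the source IP stays searchable because the profile never touches it, and the card number inside the payload is hidden without destroying the rest of the payload text, so rules that key on `status=ok` still work on the obfuscated record.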

Page 25

Custom Defined Action from a Rule

QRadar 7.2.6 introduces the idea of Custom Actions, which allow administrators to pass data to a script based off of a rule response in QRadar. This feature can be used to extend rules from QRadar to outside security devices or systems.

For example, a script that updates firewall rules can block a source IP address in response to a rule that is triggered by a defined number of failed login attempts.

Where? Admin tab > Custom Actions > Define Actions.

Page 26

Custom Defined Action from a Rule

Custom Actions are executed in a “jailshell” in order to protect QRadar from possible exploits.

Management Screens allow for easy configuration and validation of custom actions before they are placed into production.

Page 27

Custom Defined Action from a Rule

Custom Action Properties

Basic Information
• Name
• Description

Script Configuration
• Interpreter
  – Bash, Perl, Python
• Script File
  – The actual script you will run

Script Parameters
• Fixed Property
  – Enter a static parameter that will be passed to your script
• Network Event Property
  – A property of a network event (common event and flow properties) can be dynamically passed to your script; it is pulled from the event or flow that triggered the rule.

Page 28

Custom Defined Action from a Rule

Custom Actions can be added as rule responses in the Rule Wizard

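As an added example of what the Script File in a Custom Action can look like for the deck's own use case (block a source IP after repeated failed logins), here is a Python script that receives a Fixed Property and a Network Event Property as its two arguments. It is written for this page, not IBM code or a QRadar-supplied script; the argument order, the policy names, the "never auto-block internal ranges" rule and the fact that it only prepares and logs the block request (rather than calling a firewall API) are all assumptions made for the demo. The input validation is the part to copy: the script runs on event data, so a malformed or unexpected property must never reach the outbound integration.

```python
#!/usr/bin/env python
"""Constructed custom-action script: argv[1] is the Fixed Property (a
firewall policy name), argv[2] is the Network Event Property (the source IP
of the event that fired the rule). Not QRadar code."""
import ipaddress
import json
import sys

# Constructed assumption: addresses in these ranges are never auto-blocked,
# so a misattributed internal address cannot lock out our own users.
PROTECTED_NETWORKS = [ipaddress.ip_network(n) for n in
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Constructed allow-list of Fixed Property values this script will act on.
ALLOWED_POLICIES = {"block-bruteforce", "block-scanner"}


def validate_ip(text):
    """Return (ip, 'ok') for an address we are willing to block, else (None, reason)."""
    try:
        ip = ipaddress.ip_address(text.strip())
    except ValueError:
        return None, "not an IP address"
    if ip.is_multicast or ip.is_unspecified or ip.is_reserved:
        return None, "unroutable address"
    if any(ip in net for net in PROTECTED_NETWORKS):
        return None, "protected network"
    return ip, "ok"


def handle(policy, ip_text):
    """Decide what to do and return a dict the caller logs or passes on."""
    if policy not in ALLOWED_POLICIES:
        return {"action": "skip", "reason": "unknown policy", "policy": policy}
    ip, reason = validate_ip(ip_text)
    if ip is None:
        return {"action": "skip", "reason": reason, "policy": policy, "input": ip_text}
    # The outbound firewall call is intentionally not made here; the request
    # is returned so it can be logged and audited before anything is blocked.
    return {"action": "block", "policy": policy, "ip": str(ip), "family": ip.version}


def main(argv):
    """Exit codes: 0 block request prepared, 1 skipped, 2 usage error."""
    if len(argv) != 2:
        print("usage: block_source_ip.py <policy> <source-ip>", file=sys.stderr)
        return 2
    result = handle(argv[0], argv[1])
    print(json.dumps(result))
    return 0 if result["action"] == "block" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

When configuring the action, the Fixed Property would carry the policy name and the Network Event Property the event's source IP; the management screen's validation run is a good place to try the script with an internal address and with a non-IP string and confirm that both are skipped.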

Page 29

IBM Security App Exchange - Enabling complete cooperative defense

NEW: IBM Security App Exchange

• Sharing and collaboration of product apps and content
• Use-case driven apps
• Visualizations and reports
• Rules and responses
• Third-party extensions
• Automated responses
• Best practices

IBM QRadar Security Intelligence Platform

• Address the impact of time and skills shortages on your organization
• Be more responsive to new needs, technologies, and threats with best practice solutions
• Leverage the power and knowledge of the QRadar Community
• Easy to use, fast to consume use cases and visualizations

Page 30

IBM Security App Exchange

QRadar 7.2.6 introduces the feature for a Security App Exchange.

What is an App?
– Small plug-in modules to QRadar.
– From within a secure container, apps serve data from endpoints, injecting content directly into the standard QRadar User Interface.
– Applications are installed as extensions through Extension Management.

The Application Framework allows:
– Users to install applications from the X-Force App Exchange website.
– Users to install custom applications created in house or by IBM, IBM partners or IBM Professional Services.

Applications can contain:
– New content, such as Dashboards, customized tabs, and more.
– New screens for interacting with QRadar

Applications can be downloaded through the IBM Security App Exchange. The App Exchange is available through “IBM Security App Exchange” on the Extensions Management toolbar.

Page 31

IBM Security App Exchange

The side bar allows you to quick filter.

Sort by:
• Apps
• Custom Properties
• Custom Rule
• Dashboard
• Reference data
• Saved Searches
• And more…

Page 32

Content Packs

(Each entry: Content Pack – Status, followed by its Description)

IBM Security Anomaly Content – Released
These rules focus on anomaly detection.
• 19 rules and building blocks

IBM Security Compliance Content – Released
These rules and reports focus on general compliance and policy controls.
• 4 custom event properties
• 49 event and flow searches related to monitoring compliance.
• 153 reports related to monitoring compliance.
• 140 rules and building blocks related to monitoring compliance.
• 10 reference data sets related to monitoring server types for compliance purposes.

IBM Security Intrusion Content – Released
These rules focus on detection of intrusions and post-intrusion activity.
• 72 rules and building blocks
• 1 reference data set for

IBM Security GPG13 Content – Pending
Content focused on the Good Practice Guide 13 standard.
• 98 rules and building blocks
• 31 event and flow searches
• 29 reports

Page 33

Content Packs

IBM Security Reconnaissance Content – Released
Content focused on detection of reconnaissance activity within your enterprise.
• 104 rules and building blocks
• 10 reference sets

IBM Security Threat Content – Released
These rules focus on threat indicators and integration with threat intelligence feeds.
• 114 rules and building blocks
• 2 custom event properties for identifying URLs
• 10 reference sets

IBM Security ISO 27001 Content – Released
These rules and reports focus on the ISO 27001 standard for information security management, and on compliance and policy controls.
• 35 rules and building blocks
• 4 event properties
• 29 event searches
• 77 reports

Page 34

Contact Us

Artūrs Garmašovs
[email protected]
Riga, Latvia
www.dss.lv
LinkedIn: http://ow.ly/FAflz
Twitter: http://ow.ly/FAfv0
Facebook: http://ow.ly/FAfzZ
Youtube: http://ow.ly/FAfEN
SlideShare: http://ow.ly/FAfHd

Page 35

Think Security First
Thank you