IBM Security QRadar SIEM Foundation (Day1)


IBM Security QRadar SIEM Foundation

IBM Training
Course Objective

• Describe how QRadar collects data to detect suspicious activities
• Describe the QRadar architecture and data flows
• Navigate the user interface
• Define log sources, protocols, and event details
• Discover how QRadar collects and analyzes network flow information
• Describe the QRadar Custom Rule Engine (CRE)
• Use the Use Case Manager app
• Discover and manage asset information
• Learn about various QRadar apps, content extensions, and the App Framework
• Analyze offenses by using the QRadar UI and the Analyst Workflow app
• Search, filter, group, and analyze security data
• Use AQL for advanced searches
• Use QRadar to create customized reports
• Explore aggregated data management
• Define sophisticated reporting using Pulse Dashboards
• Discover QRadar administrative tasks


IBM Security

Objective

• Discuss challenges of cybersecurity as data use evolves
• Explain how QRadar addresses these challenges
• Learn how QRadar integrates with your enterprise security architecture and how you can adapt QRadar to your needs
• Describe the various ways to deploy QRadar

Digital transformation is accelerating

• Applications: modular, containerized, and shifting to SaaS
• Data: shared resource for advanced analytics and AI
• Infrastructure: distributed across hybrid multi-cloud environments

We have enough data, but not enough insights:
• [percentage not captured] of alerts are not investigated
• [percentage not captured] of legitimate alerts are not remediated
• [percentage not captured] say “keeping up with alerts” is their top concern
Traditional security can’t keep pace

Too much to do, too many vendors, too much complexity, too many alerts, too many silos.

Too much to do (a typical security leader’s task list):
• Meet with CIO and stakeholders
• Nail down third-party risk
• Manage GDPR program with privacy office
• Respond to questions from state auditors
• Update CEO for board meeting
• Update budget projections
• Write security language for vendor's contract
• Make progress on the never-ending identity project
• Review and update project list
• Edit communication calendar
• Update risk rankings on security roadmap
• Clarify policies governing external storage devices
• Provide testing and encryption tool direction
• Provide data handling best practices
• Help with new acquisition
• Meet with senior project manager
• Send new best practices to development teams
• Review logs for ongoing fraud investigation
• Help with insider threat discovery
• Determine location of sensitive data in the cloud
• Investigate possible infection on legacy system
• Continue pen testing of new business mobile app
• Help architects understand zero-trust
• Answer security policy emails
• Format security status report for executives
• Meet with recruiter to discuss staffing
• Write test plan requirements for new products
• Meet regarding improving security of facilities

Too many silos: Identity and Access Management, Data Security, Application Security, Network Security, Endpoint Security
Threat Detection using QRadar

• Identify known and unknown threats
• Can cater for newly evolving threats
• Real-time detection
• Automatically link multiple malicious behaviors

“IBM QRadar improves the speed and effectiveness of detecting threats by nearly 95%.” (Forrester)
Streamlining threat detection and response

• Eliminate silos: gain visibility across data sources, from the cloud to the core
• Unify workflows: work without pivoting between tools
• Automate work: let machines do the heavy lifting, whether mundane tasks or complex analysis
Triage threat detection

Detect threats in real time and link multiple malicious behaviors to an attack:
• Real-time detection
• 1000+ security use cases
• Reduces alerts into actionable offenses
• Links malicious behaviors

4 pillars of effective SIEM: Complete Visibility, Prioritized Threat Detection, Automated Investigations, Integrated Response

• Complete Visibility covers: Endpoints, Network activity, Data activity, Users and identities, Threat intelligence, Configuration information, Vulnerabilities and threats, Application activity, Cloud platforms
• Use cases shown across the other pillars: Advanced Threats, Insider Threats, Cloud Risks, Incident Response, Compliance
The four pillars of an effective SIEM

• Complete Visibility: Normalization; Categorization; Enrichment; Network, endpoint, cloud, user and application
• Prioritized Threat Detection: MITRE ATT&CK® framework support; Advanced modeling; Behavior chaining; Global threat intelligence sources
• Automated Investigations: AI; Data mining; Supervised learning; Unstructured data analysis; Federated search
• Integrated Response: Dynamic playbooks; Automation; Orchestration; Privacy breach reporting

Before, during, and after an attack
• Before: Predict and prioritize vulnerabilities
• During: Deep analytics to identify active threats
• After: Provide information to help automate a response to the attack
QRadar and Our Environment

QRadar App Store and App Host

• Above the SIEM: Incident Response, User and Entity Behavior, etc.
• SIEM layer: IBM QRadar Security Intelligence (Event Correlation and Log Management)
• Below the SIEM: New Security Operations Tools

XX05, XX29, and XX48 appliances can be deployed as an App Host, which allows customers to run apps without consuming processing power from the console.
• Fully supported Managed Host; both hardware and software are supported
• A software node is all that is required for installing on virtual / cloud / 3rd-party hardware
• HA available

IBM Security App Exchange

QRadar Architecture

Objective

• Describe the deployment architecture
• Explore the component overview and resilience
• Explain the licensing model
• Examine the component architecture
• Dissect a captured event
IBM Security QRadar

Solve security challenges: detect advanced threats, detect insider threats, secure cloud resources, protect critical data, respond to incidents effectively, prioritize and manage risks, prove compliance.

• RESPONSE: Hunt threats, respond faster and continuously improve
• DETECTION & INVESTIGATION: Apply M/L, AI and advanced analytics to detect, connect, prioritize and investigate threats
• VISIBILITY: Collect data across the entire environment
• App Exchange: Seamless integration and content to augment the platform

Deployment models:
• ON PREM: HW, SW, VM
• AS A SERVICE: SaaS, Managed Service
• CLOUD: AWS, Azure, Google Cloud
• HYBRID: On-prem, SaaS, IaaS

IBM Security / © 2020 IBM Corporation

Deployments: On-premises, Cloud, Hybrid

QRadar – Deployed on premises

QRadar can be deployed on premises as:
• Hardware appliances
• Virtual appliances
• Software (installed on customer hardware)

It can be deployed in a single or multiple geographical areas and collects data from anywhere: security devices, servers, network activity, user activity, application activity, vulnerabilities and threats, users and identities.

An on-premises deployment integrates with IBM Security X-Force Exchange (threat indicators) and IBM Security App Exchange (extensions, apps).
Explore the component overview and resilience

QRadar product shorthand terms

Core QRadar hosts are mostly identified by a 4-digit code that can be decoded as follows: the first two digits are the software role/type and the last two digits are the hardware designation. For example, 3129 = 31 (All-In-One or Console) + 29 (XX29 hardware).

Software Role/Type Codes:
• 31 = All-In-1 or Console (Base Offering)
• 16 = Event Processor
• 17 = Flow Processor
• 18 = Combined Event/Flow Processor
• 19 = Network Insights
• 15 = Event Collector
• 12 = Qflow Collector (Copper NIC)
• 13 = Qflow Collector (Fiber NIC)
• 14 = Data Node
• 60 = Vulnerability Manager
• 70 = Risk Manager

Hardware Codes:
• XX05 = Lenovo® x3550 M5 BD, 64GB RAM, 6.2TB storage
• XX29 = Based on x3650 M5 BD, 128GB RAM, 48TB storage
• XX29-C* = Dell PowerEdge R740xd XL, 128GB RAM, 48TB storage
• XX48 = Lenovo® x3650 M5 BD, 128GB RAM, 12TB storage
• XX48-C = Dell PowerEdge R640 XL, 128GB RAM, 12TB storage
• XX01/02* = 1Gbps / 3Gbps (Qflow & QNI only)
• XX10* = 10Gbps (Qflow & QNI only)
• XX20 = Network Insights (QNI) High Performance
We can start with an All-in-One solution, and add appliances to expand

3129 All-in-One deployment: we can use a single appliance (the 3129 Console) to serve as the base for the UI, which also performs all event and flow collection, processing, correlation, searches, reports, and other tasks.

Distributed deployment: individual appliances with unique capabilities can be used to distribute the required processing power, for example a 3129 Console together with a 1629 Event Processor, a 1729 Flow Processor, and a 1429 Data Node.
QRadar On Prem - Distributed

This is the most common deployment configuration for QRadar, where the console and any processors are located on the customer premises. Many customers are also forwarding event information from their cloud providers to their on-prem QRadar.
QRadar Licensing Model

QRadar Licensing Metrics: EPS (events per second) and FPM (flows per minute); Enterprise Based License

Role Based Licensing: QRadar Event Processor, QRadar All-In-One, QRadar Flow Collector

EPS and FPM Burst Handling: events and flows that arrive above the licensed rate are held in an overflow buffer
Examine the component architecture

High-level architecture: Flow collector (FC), Event collector (EC), Event processor (EP), Console

High-level component architecture and data stores

Event/Flow processors (Ariel: flows, events, accumulations):
• Flow and event data is stored in the Ariel database on the Event Processors
• If accumulation is required, accumulated data is stored in Ariel accumulation data tables
• As soon as data is stored, it cannot be changed (tamper proof)
• Data can be selectively indexed
• Ariel data storage can be extended by using Data Nodes

Console (PostgreSQL: identities, assets, offenses, configuration; services: User Interface, Magistrate, Reporting):
• Offenses, assets, and identity information are stored in the master PostgreSQL database on the Console
• Provides one master database with copies on each processor for backup and automatic restore
• Apps are hosted either on the Console or a dedicated App Host
• Secure SSH communication between appliances in a distributed environment is supported

Inputs: Flow collector (Network Packet Interface, netflow, jflow, sflow, and 3rd-party flow), QRadar Network Insights, Event collector (events from log sources)
Event Collector Architecture

• Each event collector gathers events from local and remote sources
• EPS license is checked
• Log Sources are automatically discovered after record analysis in the Traffic Analysis module (log source detection)
• The event collector normalizes events and classifies them into low- and high-level categories

Pipeline, from input to output: Raw data packets received from the Log Source → Overflow filter (enforce license limit) → Traffic Analysis → Device Support Module (DSM) parser threads → DSM Normalization → Coalescing filter → Event Processor
Flow Collector Architecture

• A flow is a record of a conversation between two devices on a network
• Flow data packets are collected from a variety of network device vendors and directly from the network interface
• Collected flow data can update asset profiles with the ports and services that are running on each host
• If the flow license limit is exceeded, an overflow record is created with SRC/DST address 127.0.0.4/5
• (Custom) applications are detected
• Superflows are created
• QFlow provides Layer 7 insights into the payload if it is unencrypted

Pipeline, from input to output: Raw data packets received (NetFlow, sFlow, NIC, and so on) → QFlow → Aggregator (enforce license limit) → Application Detection Module (appId = eventId) → Flow reporting and routing (create superflows) → Flow Processor
Event processor architecture

• EPS license is checked and enforced
• Every single event and flow is tested against all enabled rules in the rules engine
• New offenses can be triggered and sent to the Magistrate (see Console)
• Events are stored in the events Ariel database
• If a new port or host is detected, an asset profile is updated or created in the PostgreSQL database (see Console)
• Events are accumulated every minute and stored in the accumulator Ariel database

Components shown: events received from the Event Collector → Overflow filter (enforce license limit) → Custom Rules Engine (CRE) → Event storage filter (events) → Accumulator (accumulations) and Host profile (new host or port event) → Exit filter; offenses go to the Magistrate and accumulations feed the Anomaly Detection Engine
Console architecture

• The Magistrate creates and stores offenses in the PostgreSQL database; these offenses are then brought to the analyst’s attention in the interface
• The Magistrate instructs the Ariel Proxy Server to gather information about all events and flows that triggered the creation of an offense
• The Vulnerability Information Server (VIS) creates new assets or adds open ports to existing assets based on information from the EPs
• The Anomaly Detection Engine (ADE) searches the Accumulator databases for anomalies, which are then used for offense evaluation

Components shown: event sources received from the Event Processor → Overflow filter (enforce license limit) → Magistrate (offenses), Ariel Proxy Server, Vulnerability Information Server (assets), Anomaly Detection Engine, Host Profiler, Accumulators, AQL → Exit Filter
Dissect a captured event

Recap the architectural components by dissecting a captured event:
1. Examine how the events arrive at their first collection point, the Event Collector
2. Follow the events as they proceed through correlation, accumulation, and storage on the Event Processor
3. Understand how the events end up as part of a larger offense on the Console
Dissecting the flow of a captured event (Event Collector)

1. FW events arrive at the Event Collector
2. Overflow filter (enforce license limit): License exceeded? If yes, buffer the overflow events and feed them back into the stream when input is below the limit; if no, continue
3. Traffic Analysis (Log Source Discovery): Log source known? If no, create a new log source; if yes, continue
4. Device Support Module (DSM)
5. DSM Normalization Filter
6. Coalescing Filter
7. Normalized events are sent to the Event Processor
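As an added illustration of the Event Collector stages listed on the last two slides (this is constructed example code, not IBM's or the course's own), the Python below models an overflow filter that buffers events above a per-second license limit and feeds them back when input drops below the limit, a traffic-analysis step that creates a log source for every unseen sender, a toy DSM lookup for normalization, and a coalescing step that merges identical events. The license limit, the known log sources, the DSM table and the sample firewall events are all constructed values.

```python
from collections import deque

EPS_LICENSE = 3                   # constructed per-second license limit
KNOWN_LOG_SOURCES = {"10.0.0.1"}  # constructed: log sources already configured
# constructed DSM lookup: raw action -> (low-level category, high-level category)
DSM = {"DENY": ("Firewall Deny", "Access"), "ACCEPT": ("Firewall Permit", "Access")}

def overflow_filter(seconds, eps_limit=EPS_LICENSE):
    """Pass up to eps_limit events per second; buffer the excess and feed it back into the stream when input is below the limit."""
    buf, released = deque(), []
    for batch in seconds:
        buf.extend(batch[eps_limit:])          # above the limit: buffer, do not drop
        out = list(batch[:eps_limit])
        while len(out) < eps_limit and buf:    # spare capacity: drain the buffer
            out.append(buf.popleft())
        released.append(out)
    return released, list(buf)                 # events still buffered at the end

def traffic_analysis(events, known=None):
    """Log source discovery: create a log source for every sender not yet known."""
    known = set(KNOWN_LOG_SOURCES) if known is None else known
    discovered = []
    for ev in events:
        if ev["src"] not in known:
            known.add(ev["src"])
            discovered.append(ev["src"])
    return discovered

def normalize(ev):
    """DSM normalization: attach (low-level, high-level) categories to the raw event."""
    return {**ev, "category": DSM.get(ev["action"], ("Unknown", "Unknown"))}

def coalesce(events):
    """Coalescing filter: identical normalized events become one record with a count."""
    merged = {}
    for ev in events:
        rec = merged.setdefault((ev["src"], ev["action"]), {**ev, "count": 0})
        rec["count"] += 1
    return list(merged.values())

def run_pipeline(seconds):
    # returns (coalesced events for the Event Processor, newly created log sources, leftover buffer)
    released, leftover = overflow_filter(seconds)
    stream = [ev for batch in released for ev in batch]
    new_sources = traffic_analysis(stream)
    return coalesce(normalize(ev) for ev in stream), new_sources, leftover

def event(src, action):                # constructed raw firewall event
    return {"src": src, "action": action}

# constructed sample: a one-second burst of five events, then a quiet second, then silence
SAMPLE = [[event("10.0.0.1", "DENY")] * 4 + [event("10.0.0.2", "ACCEPT")], [event("10.0.0.1", "DENY")], []]
```

With the sample, the burst of five events is released as 3 + 2 across the first two seconds rather than being dropped, and 10.0.0.2 is auto-created as a log source.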
Dissecting the flow of a captured event (Event Processor)

1. Normalized events arrive from the Event Collectors; they are also streamed to the Log Activity tab on the Console in real time
2. Overflow filter (enforce license limit): License exceeded? If yes, buffer the overflow events and feed them back into the stream when input is below the limit; if no, continue
3. Rule Processing and Correlation in the Custom Rule Engine (CRE): when a rule is triggered, the Console handles the Offense
4. Event Storage in the Ariel DB
5. Accumulator: accumulations are stored in the Ariel DB
6. Host Profiler: new host or port found? If yes, the asset profile is updated
Summary

• Elaborating the deployment architecture
• Discussion on the component overview and resilience
• Explaining the licensing model
• Examine the component architecture
• Dissect a captured event
The SOC Analyst challenge

A large organization can collect 2 billion events per day. QRadar / SIEM correlates these down to 20 or so incidents per day that need manual investigation; many will be false positives.

To identify an active attack, you have to compare:
• What you observe in your environment
+
• Your knowledge of the threat landscape
+
• What you understand about malicious behavior

Analyst roles shown: Tier 1 Analyst, Tier 2 Analyst, Tier 3 Analyst, Incident Response (activities: Security Monitoring, Incident Escalation, Security Analysis, Threat Hunting, Response Planning), supported by IBM Watson for Cyber Security. Stages: Attack → Detection → Investigation → Response.

IBM Security / © 2019 IBM Corporation