Blog Series: IT Perspectives by Jaqui Lynch

Exploring QRadar

In my previous blogs, Strategies for Securing Your Business – Part I & II, I talked about some of the new roles in security along with some of the things to think about with respect to security including having a plan and ensuring everyone knows their role should there be an issue around security.

In this blog I will talk about the IBM QRadar Security Intelligence Platform, a product suite that addresses threat detection and forensics. The eight main products within the platform cover log analysis, anomaly detection, incident detection, automated compliance data collection and reporting, and vulnerability detection. Combined with BigFix, QRadar can also help with patch management.

IT security can be broken down into the following three components:

  • Prevention – This includes preventive remediation as well as fraud detection.
  • Detection – This involves detecting attacks before they are successful.
  • Response – This includes not just the immediate response such as evidence gathering, but also remediation and compliance required reporting.

Looking at the QRadar products, they can easily fit into these categories as follows:

  • Prevention
    • QRadar Vulnerability Manager
  • Detection
    • QRadar Risk Manager
    • QRadar SIEM
    • QRadar Log Manager
    • QRadar Data Node
    • QRadar QFlow Collector
    • QRadar VFlow Collector
  • Response
    • QRadar Incident Forensics

Prevention

QRadar Vulnerability Manager is designed to find vulnerabilities in the network and applications proactively. Vulnerability Manager keeps track of over 70,000 known default settings and flaws and constantly checks the network and applications to determine whether any of those exposures exist in them. It does this using a PCI-compliant scanner to search for risks and provides reports that can then be used to determine the best remediation plans, especially the best way to prioritize the tasks necessary for mitigation and remediation. It is integrated with QRadar SIEM and QRadar Risk Manager and ships with QRadar SIEM, but requires a separate license key to be applied.

Detection

QRadar SIEM gathers logs from endpoints and applications in the network and performs analytics looking for correlations that could indicate active threats. The intent is to reduce false positives and to better highlight real threats. It is designed for use in single- and multi-tenant data centers as well as in cloud environments. It provides a master console that allows you to look at detailed data and can also be used to generate reports to help manage compliance reporting.

QRadar Risk Manager is software that constantly monitors the network looking for network attacks and attempted intrusions. It looks at firewalls as well as switches and routers and then integrates with QRadar SIEM to apply context to ensure that threats are detected early with as few false positives as possible. It also works with QRadar Vulnerability Manager to review application vulnerabilities and then reports status to risk dashboards so that it is easy to visualize network and vulnerability exposures.

QRadar Log Manager collects, analyzes, archives and stores logs from network and security devices, servers, applications and other endpoints. It rapidly captures data, then analyzes it using analytics that provide correlation and context across disparate logs. This provides insight much faster into any issues on the network. For many clients the sheer amount of log data from their network and endpoints is overwhelming; Log Manager helps to alleviate that pain and also provides extensive reporting for regulatory compliance and auditing.

QRadar QFlow Collector and QRadar VFlow Collector provide additional layers of visibility into what is happening. QFlow looks at actual network packets on the wire and is concerned with finding malware, viruses and unusual behavior patterns across all network traffic. It looks for non-standard ports being used and for unencrypted data or passwords, and it can also be used to monitor activities on social media platforms to detect potential threats to the network. VFlow provides similar capabilities for the virtual network so that you have visibility into your VMware virtual environments.
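To make the two QFlow checks named above concrete, here is an added example (not QRadar code and not from the original post) that applies the same idea to constructed flow records: it identifies the application from the first client bytes rather than trusting the port, flags protocol/port mismatches, and flags credentials sent in the clear. The port table and fingerprints are deliberately minimal assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Ports each protocol is expected on; anything else is "non-standard" (constructed, minimal table).
EXPECTED_PORTS = {"http": {80, 8080}, "tls": {443, 8443}, "ssh": {22}, "ftp": {21}}

# Payload prefixes that identify the application regardless of port (constructed fingerprints).
FINGERPRINTS = [
    ("http", re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")),
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]")),   # TLS record: handshake type, version 3.x
    ("ftp", re.compile(rb"^USER \S+\r\n")),
]

# Credential patterns that should only ever travel inside an encrypted session.
CLEARTEXT_CREDS = [
    re.compile(rb"^PASS \S+", re.M),                  # FTP password command
    re.compile(rb"^Authorization: Basic \S+", re.M),  # HTTP Basic auth header
    re.compile(rb"(?:^|[?&])(?:password|passwd)=[^&\s]+", re.M | re.I),  # form/URL parameter
]

@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes  # first bytes sent by the client

def identify_app(payload: bytes) -> str:
    """Classify the flow by payload fingerprint, the way a flow collector does, not by port."""
    for name, pat in FINGERPRINTS:
        if pat.match(payload):
            return name
    return "unknown"

def analyze_flow(flow: Flow) -> list:
    """Return human-readable findings for one flow (empty list means nothing notable)."""
    findings = []
    app = identify_app(flow.payload)
    expected = EXPECTED_PORTS.get(app)
    if expected and flow.dst_port not in expected:
        findings.append(f"{app} on non-standard port {flow.dst_port}")
    if app != "tls" and any(p.search(flow.payload) for p in CLEARTEXT_CREDS):
        findings.append(f"cleartext credential in {app} flow to {flow.dst}")
    return findings

# Constructed sample flows: HTTP Basic auth on a non-standard port, SSH on 2222,
# a normal TLS handshake on 443, and an FTP login on the standard port.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.9", 8443, b"GET /admin HTTP/1.1\r\nHost: srv\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n"),
    Flow("10.0.0.5", "10.0.0.9", 2222, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("10.0.0.5", "10.0.0.9", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow("10.0.0.7", "10.0.0.9", 21, b"USER alice\r\nPASS s3cret\r\n"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        for finding in analyze_flow(f):
            print(f"{f.src} -> {f.dst}:{f.dst_port}: {finding}")
```

In a real deployment the findings would be forwarded as events to the SIEM so they can be correlated with host and application logs from the same source address.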

Finally, there is the QRadar Data Node Appliance. The appliance comes in hardware, software or virtual forms and is used to store and analyze the log, event and flow data that the other products collect. It lets you extend your current storage capacity and processing power such that you can better meet your collection, analysis and reporting needs.

Response

QRadar Incident Forensics is the last resort. It allows you to retrace what the attacker did and to conduct forensics to determine the impact of the attack. There is also an optional Packet Capture Appliance that can store and manage the data if there is no other packet capture device installed on the network. Alternatively, QRadar Incident Forensics can also work with many of the current packet capture alternatives that may be installed. The appliance can be a hardware, software or virtual appliance, depending on the client’s needs.

Summary

Security continues to become more complex and more overwhelming every day. It is increasingly difficult just to store the data gathered from all the logs and endpoints throughout the network, never mind actually looking at the data and gaining insight from it. With the move to a more network-based world with cloud, mobile and social media, it is even more important to have rapid access to data on what is happening across the network and endpoints so that action can be taken quickly. Solutions like QRadar provide that through their use of analytics and dashboards that give deep insight into what is going on throughout the environment, along with potential remediation recommendations. The addition of good forensics also allows you to put together evidence in a useful and well-documented manner should it be needed for prosecution or just for mitigation.

Whether it is the QRadar platform or some other platform, it is important to look to integrated solutions that provide this kind of detail along with dashboards, and that also include forensics, remediation and mitigation. Integrating products like these into a robust security plan makes sure that if an incident does occur it can be taken care of rapidly, and it also provides the ability to ensure any reporting required for compliance can take place.


