Optimizing IBM QRadar Advisor with Watson

Transcription

1 Optimizing IBM QRadar Advisor with Watson IBM SECURITY SUPPORT OPEN MIC #25 Slides and additional dial in numbers: June 8, 2017 NOTICE: BY PARTICIPATING IN THIS CALL, YOU GIVE YOUR IRREVOCABLE CONSENT TO IBM TO RECORD ANY STATEMENTS THAT YOU MAY MAKE DURING THE CALL, AS WELL AS TO IBM S USE OF SUCH RECORDING IN ANY AND ALL MEDIA, INCLUDING FOR VIDEO POSTINGS ON YOUTUBE. IF YOU OBJECT, PLEASE DO NOT CONNECT TO THIS CALL.

2 Panelists Vijay Dheap Program Director: Cognitive, Cloud, Analytics Suzy Deffeyes Security Analytics Architect Cameron Will Threat Intelligence Engineer Christopher Hankins Cybersecurity Specialist Adam Frank Principal Solutions Architect Jonathan Pechta Support Content Lead & Technical Writer 2 IBM Security

3 Agenda

4 Optimizing QRadar Advisor with Watson Agenda 1. Announcements 2. QRadar Tuning Review (See last Open Mic: 3. QRadar Advisor with Watson Pre-requisites 4. QRadar Advisor with Watson Best Practices 5. User Interface 6. Getting Help 7. Questions 4 IBM Security

5 Announcements

6 General Information / Announcements QRadar Patch 7 has been released. Before installing, admins should be aware of the following changes: TLSv1.0 is disabled in QRadar Patch 7, which can impact user interface authentication for anyone using a legacy browser. The Java version is updated in this release to Java 8. We are currently working to schedule an upgrade of the QRadar on Cloud service between 06/12/2017 and 07/12/2017. This upgrade includes a number of important updates that are designed to further enhance the overall extensibility of the service. This will move your current system from the 7.2.x stream to 7.3.x stream. If you have any questions, comments or concerns: sisaasop@ca.ibm.com 6 IBM Security

7 QRadar Pulse App is Now Available (Early Access) Visualize your QRadar offense data and associated events in 3D. See offenses unfold near real time and track your security threats from around the globe. Perfect for a quick overview of your current security situation on large display in a Security Operations Center. The QRadar Pulse app is currently only supported in QRadar V QRadar Pulse will be supported on V very soon. <-- Use this link to get view this app page on the X-Force Exchange. 7 IBM Security

8 QRadar Tuning Replay videos (YouTube) Network Hierarchy: Host Definitions BB/Reference Data: Server Discovery: QRadar Content Extensions: Tuning Methods: False Positive Rule: Gartner Peer Reviews - Share your QRadar Experience & Expertise Gartner Peer Insights is a platform for ratings and reviews of enterprise technology solutions by end-user professionals for end-user professionals. Administrators or users of QRadar SIEM interested in providing a peer review and sharing your expertise and experience with QRadar can now do so online. Your individual review will be published; however, the only information shared is your industry, company size, and role. If you are interested in providing an online review of QRadar, see: 8 IBM Security

9 Tuning QRadar (Review)

10 Why is Tuning QRadar Important for QRadar Advisor? Tuning QRadar is critical to your success in QRadar Advisor with Watson as it reduces the number of offenses being generated and allows you to separate important offenses from noise. The goal is to reduce offenses down from hundreds to a manageable level, detect those important events and send that data to QRadar Advisor with Watson for analysis. Having more than active offenses becomes difficult to manage, the goal for admins should be to tune to reduce work load for the SOC. Submitting relevant Indicators of compromise allows QRadar Advisor to return relevant and useful results to users. 10 IBM Security

11 Network Hierarchy & Defining Your Environment Network Hierarchy defines what address spaces for assets are in your network (Local) and what is outside of your network (Remote). This is done by defining CIDR ranges that allows administrators to segment the network in to logical groups for rules, searches, reports, network anomaly behavior patterns, etc. This list should include both routable and nonroutable addresses for assets you own. QRadar incorporates the idea of context, who they are, who we are and the traffic occurring between your network and the outside world. Qradar has 3 valid contexts. Local2Local Activity within your network. Local2Remote Activity within your network to the outside world. Remote2Local - Activity from the outside world affecting your network. 11 IBM Security

12 The Core Foundations (Review) Host Definitions BB / Reference data

13 HostReference Building Blocks Using Reference Sets In QRadar 7.2 we introduced Reference Sets to QRadar administrators. One of the issues in reference sets is that CIDR values are not supported. We ve recently released a new set of AQL properties that allows administrators to resolve this issue to read CIDR addresses as a string value and convert the CIDR address to IP address. NOTE: This is Early Access! 13 IBM Security

14 Tuning Methodology (Review) Creating a SIEM Tuning Report

15 Step 1: SIEM Tuning Report When building this report remember that we build this using the custom log source and Group By using the Event Name. Each Processer for Qradar has its own Custom Rules Engine so if the administrator has a distributed deployment, use Operator = is any of and select the multiple CRE log sources. 15 IBM Security

16 Modifying Rule Tests & Thresholds (Continued) Add/remove rule tests to tune for data you care about or restructure the order: Only to a specific country Only from a critical network Working hours Assets w/vulnerabilities Adjust the existing rule tests: Source bytes greater than 2M 30 min window instead of 12 Create a note about changed made to the rule for audit purposes, if required in your work flow. 16 IBM Security

17 QRadar Advisor with Watson Pre-requisites

18 Configuration Pre-Requisites QRadar (any patch level) is required. QRadar Support recommends all QRadar Advisor w/watson users install QRadar Patch 4. You must Enable X-Force Threat Intelligence Feed in QRadar in your QRadar System Settings. You must generate an authorized service token in QRadar for the application. Internet access is required. A secure proxy can be configured (if required) Submit an IBM X-Force Exchange authorization key for the QRadar Advisor with Watson app. Create an authorized and limited access service token for the QRadar Advisor with Watson application. Map custom properties from QRadar to the QRadar Advisor with Watson application property names. 18 IBM Security

19 QRadar Advisor Best Practices

20 Best Practices for tuning Advisor Data sources matter! L2R and R2L data is awesome. Examples: Egress boundary firewall, proxy, IPS logs Priority 1: Proxy, Firewall, Anti-Virus, VPN, User Logon (RADIUS, LDAP), Endpoint, DNS Priority 2: DHCP, IDS, Windows Advisor also loves hashes. Examples: endpoint agents like AV that include File hashes Implement and map Custom properties Every environment is different, help Advisor know what is what in your environment. Network Hierarchy is accurate An inaccurate hierarch causes Advisor to incorrectly data mine Observables from your event logs Use on Offenses that are L2R, R2L, or contain File hashes. Examples: Suspicious File Found (hash), Communication with known botnet, Large data leaving egress boundary Less help with: Suspicious login or other Offenses firing on local to local activity. Known False Positive Offenses tuned out If you are regularly ignoring Offenses because you know they aren t a problem or they are something you need to tweak in CRE rules, don t send them to Watson. Don t run Watson on Offenses that have been open for over a month. 20 IBM Security

21 Custom Properties Adding custom properties will improve the quality of Watson results. Configure regex for: Remote IPs, remote domains, remote URLs, hashes Ensure custom properties are working properly Advisor will not pull data out of raw payloads, data that Advisor uses must be parsed out into custom properties. Add regex for any missing custom properties in QRadar s custom property UI, and verify it is working before mapping in Advisor s admin wizard Ex: If endpoint logs have file hashes in them, but no custom property for File hashes is parsing them out of the logs, Advisor won t see them. 21 IBM Security

22 Advisor Property Mapping Process Mapping your properties correctly will improve Advisor results. Don t skip adding Advisor Properties Mappings when installing Advisor, ensure SIEM admin configures them in Advisor admin wizard. Don t count on it working with default Observable mapping. Map properties in Advisor, define your Canonical Observable Types Ensure Canonical types are correct These types are sent to Watson: Src/Dst IP Hash Domain URL Some types are used locally only Less important to configure, but can help Username AVSignature Filename Username 22 IBM Security

23 Example of a QRadar Advisor with Watson Analysis After you submit an incident (offense) to Watson for investigation, the knowledge graph provides a view into relationships of the entities and observables for your incident. Where do I start? 1. Offenses triggered from endpoint event logs that reference a file hash (Malware events) 2. Offenses triggered from events from external facing firewalls, proxies, antivirus or DNS logs (Suspicious Activity) 23 IBM Security

24 The Observables (IoCs) in Your Data are Important On the Analyzer page, you can view the resulting knowledge graph. The graph uses colors to illustrate the following information: 1. Yellow highlighted objects are the knowledge graph root node. 2. Observables that are deemed malicious are represented by red icons. 3. Clustered nodes are shown in blue with the number of nodes indicated next to the icon. 24 IBM Security

25 Observables: Data Used by QRadar Advisor Observables: a set of elements that are collected from an offense and sent by QRadar Advisor for Watson for local analysis and external research. Observable Type Source IP Destination IP File Hash Description External Source IPs that appear in an offense enforced by respecting the Network Hierarchy defined in QRadar External Destination IPs that appear in an offense enforced by respecting the Network Hierarchy defined in QRadar Hash value of a file that is deemed suspicious Core indicator Yes Yes Yes URL External URLs that appear in an offense Yes Domain User name AV Signature Destination Port User Agent External Domains that appear in an offense Aliases that may attempt to access critical internal infrastructure Malware signatures identified by antivirus solutions Destination Ports belonging to Destination IPs The user agent identified by a browser or HTTP application Yes Yes Yes No No Observable Type Description File Name Names of suspicious files No Source Port Source Ports belonging to Source IPs No Destination ASN Source ASN Destination Country Source Country Low Level Category High Level Category Autonomous System Number of a destination IP address (from a DNS) Autonomous System Number of a source IP address (from a DNS) Name of the destination country of outbound communications Name of source country of inbound communications Low level QRadar offense category High level QRadar offense category Direction Direction of communication No Address addresses associated with suspicious s Core indicator No No No No No No No 25 IBM Security

26 Tuning and install process Study your data sources Ensure L2R, R2L, file hashes are there, and parsed out using QRadar custom props If your data is all L2L system logs or internal facing HTTP server logs, Watson won t help as much, consider adding additional log sources to get better visibility as well as improve Watson results Install and Configure Advisor Include mapping custom properties from your environment in Advisor admin mapping process Iterate to see if additional tuning helps QRadar Admin needs to get feedback from Advisor end users Examine: Event payload for events in an Offense, any missed custom property Advisor could use? Incorrect Canonical type, Advisor data mining can fail Network hierarchy incorrect, Advisor data mining can miss important data 26 IBM Security

27 QRadar Advisor with Watson User Interface

28 QRadar Advisor User Interface and Key Insights (Version 1.3.0) Version Added quota indicators to Watson Insights that show the percentage of daily investigations available. 2. Moved reputation and category nodes from the graph display to the property details of the related node. 3. Enhanced performance and speed for displaying graphs. 4. Fixed an issue that caused the graph to resize frequently. 5. Fixed an issue that caused disconnected nodes on the Stage 2 graph. 28 IBM Security

29 QRadar Advisor User Interface and Key Insights (Stage 1) 29 IBM Security

30 QRadar Advisor User Interface and Key Insights (Stage 2) 30 IBM Security

31 Getting Help

32 dwanswers Getting Help for QRadar Advisor with Watson URL: Resolves to: NOTE: If you do not use a URL, your search tag in the forums is: qradar-watson. 32 IBM Security

33 Questions?

34 THANK YOU FOLLOW US ON: QRadar Forums: securityintelligence.com xforce.ibmcloud.com Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.