Let s talk about QRadar 7.2.5

Transcription

1 QRadar Open Mic Webcast #9 June 10, 2015 Let s talk about QRadar Panelists Dwight Spencer Principal Solutions Architect & Co-founder of Q1 Labs Adam Frank Principal Solutions Architect Jeremy Mathews QRadar Development Team Lead David Payne QRadar Software Developer API Team Jonathan Pechta Support Technical Writer Mark Wright QRadar L2 Support Manager Reminder: You must dial-in to the phone conference to listen to the panelists. The web cast does not include audio. USA: Canada: Participant passcode: Slides and Global dial-in numbers: NOTICE: By participating in this call, you give your irrevocable consent to IBM to record any statements that you may make during the call, as well as to IBM's use of such recording in any and all media, including for video postings on YouTube. If you object, please do not connect to this call IBM Corporation

2 QRadar Features: What we are going to discuss today New features for QRadar API Updates Historical Correlation Overlapping IP Support in SIEM Support LDAP Authorization Deployment Actions from System Management GetLogs in the UI Enterprise Ready Reporting Patch Rollback Framework Factory Re-install, new retain option to preserve /store Miscellaneous Clean Up - Security Updates - Offense (CRE) Count Resets - Password Storage Enhancement 2

3 API Updates 3

4 4 IBM Security Systems API Updates Summary for QRadar introduces V3.1 and v4.0 of API endpoints. This release contains: API Permission Changes Updated interactive API documentation for developers Allowed origins whitelist Resolved issues with existing endpoints /api/ariel/searches /api/asset_model/* /api/scanner/* /api/qvm/* All DELETE endpoints Updated endpoints: v3.1 GET /api/siem/offenses v3.1 GET /api/siem/offenses/{offense_id} v3.1 POST /api/siem/offenses/{offense_id} v4.0 POST /api/ariel/searches v2.0 DELETE /api/ariel/searches/{search_id} New endpoints: v3.1 GET /api/siem/source_addresses v3.1 GET /api/siem/source_addresses/{source_address_id} v3.1 GET /api/siem/local_destination_addresses v3.1 GET /api/siem/local_destination_addresses/{local_destination_address_id} All version 0.1, 0.2, and 1.0 API endpoints are marked as deprecated

5 API Permission Updates in QRadar QRadar V7.2.5 updates API permissions to better align with permissions required for similar functionality in the UI. API specific permissions are removed from the user role screen. Systems upgrading from V7.2.4 to V7.2.5 that have user roles defined with API permissions go through a data migration during upgrade. Pre-existing users and tokens with these roles might not be able to access API resources until their permissions are updated by an administrator. Data migration is performed on existing user roles with API specific permissions and users and authorized service tokens that have these roles assigned. User Roles with only API permissions are removed from the system. Users with these roles are switched to the "disabled" role, authorized service tokens with these roles are removed. User roles with various permissions, including API permissions are modified to have the API specific permissions removed. Users and authorized service tokens associated with these roles are maintained but reported on as their role's permissions have changed. See /root/permissions_changes.txt file for the system's data migration details. 5

6 API Updates for QRadar (continued) API Endpoints Roles Permissions Security Profile /api/ariel/* /api/asset_model/* Requires Admin permission for querying events or flows. Requires Vulnerability Management or Assets permissions. Requires security profile with access to all networks, all log sources, and all domains. Data returned restricted based on security profile assigned. /api/auth/* No permission restrictions. No security profile restrictions. /api/help/* No permission restrictions. No security profile restrictions. /api/qvm/* Requires Vulnerability Management or Assets permissions. Requires security profile with access to all networks, all log sources, and all domains. /api/reference_data/* Requires Admin permissions. No security profile restrictions. /api/scanner/* Requires Vulnerability Management permissions. Requires security profile with access to all networks, all log sources, and all domains. /api/siem/* Requires Offenses permissions. Data returned restricted based on security profile assigned. /api/siem/closing_reasons (POST) /api/siem/offenses/{offense_id} Requires Manage Offense Closing Reasons permissions. Requires Assign Offense to Users permission for updating assigned to field Data returned restricted based on security profile assigned. Data returned restricted based on security profile assigned. 6

7 Interactive API Documentation The interactive API documentation page has been updated to provide improved access to the API endpoints and their documentation: The previous interactive API documentation page is deprecated and might be removed in a future release The Try it out! button for each endpoint sends a real API request to your QRadar system with the parameters specified in the interactive API documentation page 7

8 Interactive API Documentation (continued) API endpoints are now ordered by version and can be traversed using the menu on the left hand side 8

9 API Origins Whitelist Documentation Customers can manage a list of origins that have permissions to make cross-domain API calls to your server: /opt/qradar/webapps/console/restapi/allow_origins.list Change to this file take place immediately (no need to restart services) Adding '*' to the whitelist allows all origins and is considered not a good practice This file contains a newline separated list of allowed origins Each entry is tested against the Origin header that is sent by browsers If an entry matches the origin (or the entry is *), the browser can make cross origin resource sharing requests 9

10 API Endpoint issues resolved in QRadar DELETE /api/ariel/searches all versions You can now delete searches that contain errors GET /api/qvm/assets all versions Requests to this endpoint without specified parameters no longer results in an exception that is logged by the QRadar Console GET /api/scanner/profiles - all versions Requests that use this endpoint no longer return an HTTP 500 error response when no scan profiles exist in the system This endpoint now correctly returns an HTTP 200 successful response with an empty array as the JSON body This endpoint no longer return an HTTP 500 error response when a Qradar Vulnerability Manager processor is not deployed This endpoint now correctly returns an HTTP 200 successful response with an empty array as the JSON body. GET /api/qvm/assets, GET /api/qvm/network, GET /api/qvm/openservices, GET /api/qvm/vulninstances, and GET /api/qvm/vulns - all versions An 420 error response code is now correctly returned when requests are made through these endpoints that have invalid savedsearchid parameters. 10

11 API Endpoint issues resolved in QRadar (continued) GET /api/asset_model/saved_searches/{saved_search_id}/results - all versions This endpoint returns a list of assets that match the search criteria that is specified in the {saved_search_id} property. Results include assets to which the API user's security profile grants access only. To be returned in the list, the domain of an asset must match a domain in the user's security profile. The asset must have at least one IP address that matches the networks that are defined in the API user's security profile. Assets without IP address are also returned. POST /api/asset_model/assets/{asset_id} - all versions To update an asset, the API user must now have permission for the domain of the asset. The permission is granted by the API user's security profile. The IP address of JSON objects that are provided in the ip_addresses property must all match a network that defined in the client security profile. Domain values that are specified in the domainid property are ignored. Asset domains are not editable. GET /api/asset_model/assets - all versions This endpoint returns only the assets that the current API user's security profile permits. To be returned in the list, a domain of the asset must match a domain that is specified by the API user's security profile. The asset must have at least one IP address that matches the networks that are 11 defined in the API user's security profile. Assets that do not have an IP address are also returned

12 API Endpoint issues resolved in QRadar (continued) GET /api/ariel/database/{database_name} - all versions You can now specify only a database that you have access to GET /api/ariel/databases - all versions The results now include only the databases that you have access to GET /api/scanner/profiles/create - all versions An 419 error response code is now returned when new scan profile names are specified which begin with reserved words 'CRE' and 'RC The successful HTTP 204 response code that is returned by all versions of DELETE endpoints no longer contains a message body 12

13 API Endpoint Updates in QRadar v4.0 POST /api/ariel/searches The search_id parameter is removed. A custom search_id can be requested by including the INTO keyword in the query_expression parameter, for example: SELECT starttime FROM events INTO test v4.0 DELETE /api/ariel/searches/{search_id} This endpoint returns response code 202 instead of 204 upon a successful delete request This response code indicates that the search might not be deleted immediately and that the processing of the request might take some time The response body contains details about the deleted search v3.1 GET /siem/offenses, 3.1 GET /siem/offenses/{offense_id}, and 3.1 POST /siem/offenses/{offense_id} The offense resource that is returned by these endpoints is updated to add the following fields: domain_id source_address_ids local_destination_address_ids 13

14 14 IBM Security Systems New API Endpoint v3.1 GET /siem/source_addresses Returns a list of offense source addresses v3.1 GET /siem/source_addresses/{source_address_id} Returns a single offense source address that is based on the ID provided v3.1 GET /siem/local_destination_addresses Returns a list of offense destination addresses v3.1 GET /siem/local_destination_addresses/{local_destination_address_id} Returns a single offense destination address that is based on the ID provided Removed API Endpoints All version 0.1, 0.2, and 1.0 API endpoints are marked as deprecated Will be removed in a future release Should be replaced with version 4.0 Where to find more information QRadar API interactive documentation (use): QRadar developerworks API Forum (discuss, share and troubleshoot): API code samples/examples (learn from GitHub):

15 Historical Correlation 15

16 Historical Correlation What is it? Historical Correlation allows customers to rerun past events or flows through the custom rules engine. Allows events to be correlated by start time or device time Allows flows to be correlated by start time Historical Correlation Why is this useful? 1. Bulk added events Leverage existing event rules by replaying event data, such as bulk loaded events from a log source using Log File Protocol, JDBC, etc. 2. Rule testing You can replay your event or flow data to evaluate how a new rule will react to a change or a new attack scenario. Does your new rule trigger as expected? Historical correlation can tell you if the rule would trigger a response if it were in place based on your existing event or flow data. 3. Re-creating offenses in your system If your system lost offenses because of an outage, you can re-create the offenses by running historical correlation on events that came in during that time. 16

17 Historical Correlation Where is it in the interface? Historical Correlation is enabled by creating a profiles that contain the configuration parameters that are used for historical correlation. Where? Offenses > Rules > Actions > Historical Correlation Log Activity > Actions > Historical Correlation Network Activity > Actions > Historical Correlation 17

18 Historical Correlation Limitations Historical Correlation is NOT available in QRadar Log Manager A rule must be enabled before it can be included in a historical correlation profile Rule responses (mail, reports, etc.) are ignored during historical correlation The saved search that historical correlation is based on cannot be aggregated. Meaning the saved search can not contain a Group by column. A historical correlation profile does not run if any of the following conditions are true: The specified saved search is deleted All historical correlation profile rules are disabled The historical correlation profile's saved search did not return any events or flows that occurred during the specified time frame Searches used in Historical Correlation profiles must cover the time range the events/flows are on the Console regardless of the correlation chosen. 18

19 Using Historical Correlation Historical Correlation profiles can be created by selecting Add: Event Profile To create an event historical correlation profile Flow Profile To create a flow historical correlation profile 19

20 Using Historical Correlation Event Profile 20

21 Using Historical Correlation Event Profile (continued) Historical Correlation must be configured with the following information: 1. Saved Search - Choose a search from the drop-down of Non aggregated Saved Searches. 2. Rules 1. Can choose to run on all rules, or select one or more specific rules to run 2. Can choose to correlate Events by: Device Time Start Time 3. Schedule - Choose to schedule manually or repeat based on an Hourly, Daily, Weekly, or Monthly frequency. 4. A summary that provides a text based summary of your actions. A check box is available to run the Historical Correlation profile immediately after saving. 5. Events are correlated by device time and are processed in the order that they are produced by log sources. 21

22 Using Historical Correlation Flow Profiles Historical Correlation Flow Profiles require the same options as the event profile except: You choose from the list of non aggregated flow searches. You can must correlate the flows based on start time. 22

23 Historical Correlation Viewing Results When a Historical Correlation is run, events that meet the included rule(s) create historical correlation offenses, which are identified by the clock icon. Historical Correlation does not contribute to offenses created by a previous run of historical correlation, even if it is the same profile. Historical Correlation does not contribute to real-time offenses. When events are run through Historical Correlation, the start time of the event is the time that QRadar received the event initially. Historical Correlation offenses include Event or Flow data sets that match the correlation criteria: These data sets are preserved and presented as a search result within the offense viewer. These search results cannot be searched using Advanced or Quick Filter search functionality. 23

24 Overlapping IP Support / Domain Management 24

25 Overlapping IP Support / Domain Management What is it? Domain Management (Domain Segmentation) allows QRadar administrators to define what data belongs in a domain. Domains can be used to differentiate flow and event data with the same IP address by domain as created by the administrator. Domains can also be used in security profiles to segment users are only allowed to see specific data sources within their domain. Where is it? Admin tab > System Configuration > Domain Management What criteria can be used to define a domain? Domain creation can be based on one or more of the following criteria: Custom Property Value (RegEx) Log Source/Log Source Group Event Collector Flow Source Scanners 25

26 Overlapping IP Support / Domain Management (continued) Domains are now present throughout QRadar SEIM and can be utilized in the following areas: Rule tests Offense Search Filters Log/Network Activity Search Filters Asset Search Filters Network Hierarchy Groups 26

27 New Domain Events by Custom Property / Regex 27

28 New Domain Events by Log Source or Log Source Group 28

29 New Domain Events by Event Collector Appliance 29

30 New Domain Flows by Flow Source 30

31 New Domain Flows by Flow Collector 31

32 New Domain by Vulnerability Scanner 32

33 Domains & Security Profiles The Domain tab is only displayed in the Security Profiles user interface when a domain is added. All Domains Can see all active domains within the system, as well as the default domain and any domains that were previously deleted across the entire system They will also be able to see all domains that will be created in the future. 33

34 Domain Rule Tests for Offenses QRadar SEIM rules now have a new test And Domain Is Will only fire when event/flow is from the domain specified Offenses created in a QRadar system That is domain aware a new offense is created for each different domain That does not have user specified domains a single offense is created Single-domain rule If the rule is a stateful rule, the states are maintained separately for each domain When the rule fires, offenses are created separately for each domain involved and the offenses are tagged with those domains Single-domain offense The offense is tagged with the corresponding domain name It can only contain events that are tagged with that domain System-wide rule If the rule is a stateful rule, a single state is maintained for the whole system and domain tags are ignored. When the rule fires, it creates or contributes to a single system-wide offense. System-wide offense The offense is tagged with Any Domain It contains only events that are tagged with all domains 34

35 Domain Offenses QRadar SEIM offenses are now domain aware: The domain of the offense will be displayed on the offense list You can sort on the domain of the offense by clicking on the domain header The default domain does NOT sort based on alphabetical order, however it will be displayed at the top or bottom of the sorted list in ascending or descending order Any domain does NOT appear in the list of the offenses Domain can be filtered on the offense search screen 35

36 Searching Events or Flows with the Domain tag QRadar SEIM Log and Network Activity are now domain aware The domain of the event/flow can be displayed on the event/flow list Select column from list of columns on edit search screen Domain is now a filter option for Log/Network activity Available on edit search screen and add filter from the toolbar 36

37 Domain Asset Filter QRadar SEIM Assets are now domain aware: The domain of the asset will be displayed on the asset list. Domain is now a filter option for Assets from the edit search screen or from the Add Filter button on the toolbar. 37

38 Domain Network Hierarchy QRadar SEIM Networks are now domain aware The domain of the network will be displayed on the network list. Network can be added to a domain through the network group. 38

39 Domain Limitations Limitations Forwarding Data to another QRadar system. Domain information is removed when data is forwarded to another QRadar system. You can not assign specific data sources to two different domains. For example, a log source, log source group, or event collector are removed from the choice list when added to a domains. Deleted domains limitations: Deleted domains will still show up in historical searches if the user has access to All Configured Domains or if the domain was assigned to the user before it was deleted. Deleted domains cannot be used as a filtering option when searching. 39

40 LDAP Authentication 40

41 41 IBM Security Systems LDAP Authentication Enhancements LDAP Authentication support has been expanded to include the ability to read user and role information from the LDAP server. Authorization is the process of determining what access permissions a user has based on their role assignments. You must have a valid bind connection to the LDAP server in order to enable authorization settings: Local Existing interaction, users are authenticated by LDAP Local QRadar users are required on the console User Attributes Specify user attributes in a search filter to be used when authenticating users You must specify both a user role attribute and a security profile attribute A local QRadar user will be created when the LDAP user logs in Group Specify group authorization if you want users to inherit role based access permission after they authenticate with the LDAP server LDAP group members are retrieved automatically based on the attributes that are configured in the GROUP MEMBER FIELD All users in those groups automatically inherit permissions based on what the QRadar role allows. Groups to permit or deny permissions can be set separately for security profiles and user roles A local QRadar user will be created when the LDAP user logs in

42 42 IBM Security Systems LDAP Authentication Enhancements (continued) User or Group authorization User information is automatically imported from the LDAP server Importing authorization data happens at the group level Each group that is configured on the LDAP server, there must be a matching user role or security profile configured on the QRadar console For each group that matches, the users are imported and assigned permissions based on that user role or security profile NOTE: User attribute values are case sensitive. Mapping of group names to user roles and security profiles is also case-sensitive Data Synchronization When using User or Group authorization, a local QRadar user will be created when the LDAP user logs in This user is synchronized with the LDAP server to ensure the attributes are current You can synchronize the authorization data either manually or at preset intervals Synchronization intervals are based on a time period. By default, authorization data is automatically refreshed 24 hours after the last synchronization regardless if that run was a manual or scheduled run. If a synchronization update changes the access permissions for a user that is currently logged in, their session becomes invalid. The user is redirected to the login screen and must authenticate in order to access QRadar.

43 LDAP Authentication Configuration 43

44 LDAP Authentication Configuration (continued) 44

45 LDAP Authentication Configuration (continued) 45

46 LDAP Authentication Configuration (continued) User Attributes Username = ldapuser1 uid = ldapuser1 cn = ldapuser1 Create User Role = ldapuser1 Create Security Profile = ldapuser1 Save and deploy changes 46

47 LDAP Authentication Configuration (continued) Group Attributes Username = aduser1 Group Member Field = member member is the LDAP user group 47

48 LDAP Authentication Configuration (continued) Group Attributes Username = aduser1 Group Member Field = member member is the LDAP user group 48

49 LDAP Authentication Multiple servers Multiple LDAP authentications servers are supported 49

50 LDAP Authentication Multiple Servers (continued) User ldapuser1 logs in Local QRadar user ldapuser1 is created and deployed and mapped to User Role = ldapuser1 and Security Profile = ldapuser1 User aduser1 logs in Local QRadar user aduser1 is created and deployed and mapped to User Role = Admin and Security Profile = Admin 50

51 Deployment Enhancements 51

52 Deployment Enhancements Add, remove, and manage hosts The deployment editor functionality is being migrated to the System and License Management screen with a new interface. Deployment Enhancements Where is this feature? Admin tab > System & License Management > Deployment Actions. 52

53 Deployment Enhancements Adding managed host Add Host. This screen includes the same information as the Deployment Editor. 53

54 Deployment Enhancements Removing a managed host Remove Host Requires confirmation to remove the host. A status window is displayed. When finished, System & Licempage will be refreshed 54

55 Deployment Enhancements Edit a managed host Edit Host This screen includes the same information as the Deployment Editor. 55

56 Deployment Enhancements Manage Vulnerability Deployment Manage Vulnerability Deployment allows you to: Enable Processor and drop-down list to select an available appliance. Add Additional Scanners Add External Scanners Forward Vulnerabilities to SiteProtector 56

57 Get Logs Enhancement 57

58 Support Enhancements Get_logs - Now in the user interface get_logs.sh is a shell script used to collect logs. End users have to ssh to Console or MH, run the script, and ftp the result file to a client machine and upload it to PMR. From 7.2.5, end users would be able to kick off a log collection task and download the result file from web browser after receiving a notification on dashboard when the task complete. Users don't need root access to Console and switch back and forth between server and client. Users can stay on UI and continue their work while logs are being collected which may take as long as a few minutes. The API endpoint is designed to pass log collection request to get_logs.sh script and support typical usage of the script. For security reason we don't allow some options including one to include files from any directory. Users can still go for command line way to collect particular files. Log Collection UI is available in System and License Management page for admin user. Only one Log Collection is allowed to run at any time. You can cancel a running get_logs request from x button in the status bar. The result file is located under /store/logs and get_logs.sh will automatically clean up files that's older than 90 days. 58

59 Support Enhancements Get_logs Where is it? Admin tab > System and License Management > Actions > Collect Log Files. 59

60 Support Enhancements Get_logs Status bar The System and License Management screen status bar informs administrators that log files are being collected: Collection can be canceled by clicking the red X When the collection is finished, a download link will appear 60

61 Report Enhancements 61

62 Enterprise Reporting Enhancements Reporting enhancements in include: Report Pagination, page numbers (left, right, center) on selector for reports. Report Classification text, the ability to add header and footer text classifications to reports. Asset Reports based on Saved Asset Searches, run a report on a search that has been saved from the Asset search screen. Report Sharing, the ability to share report groups with different users. Asset Reports based on Saved Asset Searches Choose Asset chart type and select an asset related search. 62

63 Enterprise Reporting Enhancements Report sharing Report Group Sharing is only available to Admin users in Only Admin users can share groups, they can be shared with any other user in the system The default action is to inherit the share settings of the parent group. Share with Everyone will share the group with all users. Enterprise Reporting Enhancements Where is it? Reports tab > Manage Groups > select a group, click Share 63

64 Report Sharing by user role or security profile Share report groups with users that match a User Role and/or Security Profile. 64

65 Patch / Fix Pack Installation Rollback 65

66 Patch Rollback Framework What is patch rollback? QRadar (starting with x patches/fix packs) now have the option to run a test mode prior to installing core features & RPMs, if an issue is detected that would prevent a successful installation, the system can roll the process and restart the appliance with the previous version intact. The process: 1. By default patch runs in test mode first 2. After test mode is finished If no errors are found, then the patch proceeds as normal If errors are found, then the patch is rolled back. The system will restart with previous version. Running the patches now have new installation flag options: --test-only Runs without making changes to the system Performs a database backup, runs all SQL updates on backup --patch-only Skips running test mode, simply runs the patch This would be the same as running pre patches 66

67 Factory Reinstalls Retain Option 67

68 Factory Reinstall now includes a Retain option Factory Re-install of QRadar appliances now offers an option to retain the Ariel (event and flow) data in /store during a factory reinstall. The most recent backup will also be retained (if available) Backup will be available at /store/retain/ after re-installation Ariel data retention is available on all appliances, installations using a prior version ISO do not have the RETAIN option available. For example, installations completed with a ISO, then updated to QRadar do not have a RETAIN option in the factory reinstall menu. Ariel data retention is NOT available on HA systems nor on systems with an inaccessible /store partition. 68

69 Factory Reinstall - About the Retain option During the re-installation, you will be greeted with the WARNING screen when an previous installation has been detected. In 7.2.5, you will have a RETAIN option After re-installation, you will see two Ariel directories /store/ariel (restored data) /store/ariel.install (installation directory backed up) 69

70 Miscellaneous Updates 70

71 Security Updates 1. Host Communication Security Enhancements In QRadar 7.2.5, all managed host communication no longer uses bi-directional SSH tunnels. All communication is done using SSH tunnels from the Console to the managed host OR HTTPS requests Why is this change important? This enhancement ensures that if a managed host is compromised, only the compromised host is affected 2. Password Storage Enhancement QRadar user passwords are now stored as a salted SHA-256 string This should have no effect on users besides enhanced security Passwords are NOT upgraded until the user changes them. Important: We are not migrating existing passwords. When a user changes their password, the new password stored in QRadar will have enhanced security. 71

72 Custom Rules Engine Enhancements CRE Count Resets In previous releases of QRadar, editing a Rule would result in the counts for all rules to be reset. In QRadar 7.2.5, when you edit a Rule, only the counts for that rule are reset to zero. X-Force Exchange Right-click Plug-in available by default The X-Force Exchange plug-in allows users to complete right-click IP address lookups against the information found on X-Force Exchange website to gather more details about an IP addresses that appears anywhere in the QRadar user interface. The plug-in also enables users to do right-click lookups on URLs from events on the Log Activity tab. This allows you to leverage the data returned from your QRadar searches, offenses, and rules to research further or contribute IPs or URL information to a collection. 72

73 Questions for the panel? Now is your opportunity to ask questions of our panelists. To ask a question now: 1. Type your question into the chat window. 2. When prompted by the operator, you can press *1 to ask a question over the phone. 73

74 Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to IBM Security Systems improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. 74