Optimizing IBM QRadar Advisor with Watson


IBM SECURITY SUPPORT OPEN MIC #25
Slides and additional dial-in numbers: http://ibm.biz/openmic25
June 8, 2017

NOTICE: BY PARTICIPATING IN THIS CALL, YOU GIVE YOUR IRREVOCABLE CONSENT TO IBM TO RECORD ANY STATEMENTS THAT YOU MAY MAKE DURING THE CALL, AS WELL AS TO IBM'S USE OF SUCH RECORDING IN ANY AND ALL MEDIA, INCLUDING FOR VIDEO POSTINGS ON YOUTUBE. IF YOU OBJECT, PLEASE DO NOT CONNECT TO THIS CALL.

Panelists
Vijay Dheap, Program Director: Cognitive, Cloud, Analytics
Suzy Deffeyes, Security Analytics Architect
Cameron Will, Threat Intelligence Engineer
Christopher Hankins, Cybersecurity Specialist
Adam Frank, Principal Solutions Architect
Jonathan Pechta, Support Content Lead & Technical Writer
2 IBM Security

Agenda

Optimizing QRadar Advisor with Watson Agenda
1. Announcements
2. QRadar Tuning Review (see last Open Mic: http://ibm.biz/qradaropenmic)
3. QRadar Advisor with Watson Pre-requisites
4. QRadar Advisor with Watson Best Practices
5. User Interface
6. Getting Help
7. Questions

Announcements

General Information / Announcements

QRadar 7.2.8 Patch 7 has been released. Before installing, admins should be aware of the following changes:
- TLSv1.0 is disabled in QRadar 7.2.8 Patch 7, which can impact user interface authentication for anyone using a legacy browser.
- The Java version is updated in this release to Java 8.

We are currently working to schedule an upgrade of the QRadar on Cloud service between 06/12/2017 and 07/12/2017. This upgrade includes a number of important updates that are designed to further enhance the overall extensibility of the service. This will move your current system from the 7.2.x stream to the 7.3.x stream. If you have any questions, comments or concerns: sisaasop@ca.ibm.com

QRadar Pulse App is Now Available (Early Access)

Visualize your QRadar offense data and associated events in 3D. See offenses unfold in near real time and track your security threats from around the globe. Perfect for a quick overview of your current security situation on a large display in a Security Operations Center. The QRadar Pulse app is currently only supported in QRadar V7.2.8; QRadar Pulse will be supported on V7.3.0+ very soon. Use this link to view the app page on the X-Force Exchange: http://ibm.biz/qradarpulse

QRadar Tuning Replay videos (YouTube)
- Network Hierarchy: https://youtu.be/srqwhvc1jck?t=3m00s
- Host Definitions BB/Reference Data: https://youtu.be/srqwhvc1jck?t=17m33s
- Server Discovery: https://youtu.be/srqwhvc1jck?t=23m46s
- QRadar Content Extensions: https://youtu.be/srqwhvc1jck?t=28m44s
- Tuning Methods: https://youtu.be/srqwhvc1jck?t=36m48s
- False Positive Rule: https://youtu.be/srqwhvc1jck?t=51m31s

Gartner Peer Reviews - Share your QRadar Experience & Expertise

Gartner Peer Insights is a platform for ratings and reviews of enterprise technology solutions by end-user professionals for end-user professionals. Administrators or users of QRadar SIEM interested in providing a peer review and sharing their expertise and experience with QRadar can now do so online. Your individual review will be published; however, the only information shared is your industry, company size, and role. If you are interested in providing an online review of QRadar, see: https://www.gartner.com/reviews/survey/home.

Tuning QRadar (Review)

Why is Tuning QRadar Important for QRadar Advisor?

Tuning QRadar is critical to your success with QRadar Advisor with Watson, as it reduces the number of offenses being generated and allows you to separate important offenses from noise. The goal is to reduce offenses from hundreds down to a manageable level, detect the important events, and send that data to QRadar Advisor with Watson for analysis. Having more than 40-50 active offenses becomes difficult to manage, so the goal for admins should be to tune in order to reduce the workload for the SOC. Submitting relevant indicators of compromise allows QRadar Advisor to return relevant and useful results to users.

Network Hierarchy & Defining Your Environment

The Network Hierarchy defines which address spaces for assets are in your network (Local) and what is outside of your network (Remote). This is done by defining CIDR ranges, which allows administrators to segment the network into logical groups for rules, searches, reports, network anomaly behavior patterns, etc. This list should include both routable and non-routable addresses for assets you own. QRadar incorporates the idea of context: who they are, who we are, and the traffic occurring between your network and the outside world. QRadar has 3 valid contexts:
- Local2Local (L2L): activity within your network.
- Local2Remote (L2R): activity from within your network to the outside world.
- Remote2Local (R2L): activity from the outside world affecting your network.

The Core Foundations (Review) Host Definitions BB / Reference data

Host Reference Building Blocks Using Reference Sets

In QRadar 7.2 we introduced Reference Sets to QRadar administrators. One of the issues with reference sets is that CIDR values are not supported. We've recently released a new set of AQL properties that allows administrators to resolve this issue by reading CIDR addresses as a string value and converting the CIDR address to IP addresses. NOTE: This is Early Access!

Tuning Methodology (Review) Creating a SIEM Tuning Report

Step 1: SIEM Tuning Report

When building this report, remember that we build it using the custom rules engine (CRE) log source and Group By using the Event Name. Each processor in QRadar has its own Custom Rules Engine, so if the administrator has a distributed deployment, use Operator = "is any of" and select the multiple CRE log sources.

Modifying Rule Tests & Thresholds (Continued)

Add/remove rule tests to tune for data you care about, or restructure the order:
- Only to a specific country
- Only from a critical network
- Working hours
- Assets with vulnerabilities

Adjust the existing rule tests:
- Source bytes greater than 2M
- 30 min window instead of 12

Create a note about changes made to the rule for audit purposes, if required in your workflow.

QRadar Advisor with Watson Pre-requisites

Configuration Pre-Requisites
- QRadar 7.2.8 (any patch level) is required. QRadar Support recommends all QRadar Advisor with Watson users install QRadar 7.2.8 Patch 4.
- You must enable the X-Force Threat Intelligence Feed in QRadar 7.2.8 in your QRadar System Settings.
- You must generate an authorized service token in QRadar for the application.
- Internet access is required. A secure proxy can be configured (if required).
- Submit an IBM X-Force Exchange authorization key for the QRadar Advisor with Watson app.
- Create an authorized and limited-access service token for the QRadar Advisor with Watson application.
- Map custom properties from QRadar to the QRadar Advisor with Watson application property names.

QRadar Advisor Best Practices

Best Practices for tuning Advisor

Data sources matter! L2R and R2L data is awesome. Examples: egress boundary firewall, proxy, IPS logs.
- Priority 1: Proxy, Firewall, Anti-Virus, VPN, User Logon (RADIUS, LDAP), Endpoint, DNS
- Priority 2: DHCP, IDS, Windows
Advisor also loves hashes. Examples: endpoint agents like AV that include file hashes.

Implement and map custom properties. Every environment is different; help Advisor know what is what in your environment.

Network Hierarchy is accurate. An inaccurate hierarchy causes Advisor to incorrectly data mine Observables from your event logs.

Use on Offenses that are L2R, R2L, or contain file hashes. Examples: Suspicious File Found (hash), Communication with known botnet, Large data leaving egress boundary. Less help with: Suspicious login or other Offenses firing on local-to-local activity.

Known False Positive Offenses tuned out. If you are regularly ignoring Offenses because you know they aren't a problem, or they are something you need to tweak in CRE rules, don't send them to Watson. Don't run Watson on Offenses that have been open for over a month.

Custom Properties

Adding custom properties will improve the quality of Watson results. Configure regex for: remote IPs, remote domains, remote URLs, hashes. Ensure custom properties are working properly: Advisor will not pull data out of raw payloads, so any data that Advisor uses must be parsed out into custom properties. Add regex for any missing custom properties in QRadar's custom property UI, and verify it is working before mapping in Advisor's admin wizard. Ex: If endpoint logs have file hashes in them, but no custom property for file hashes is parsing them out of the logs, Advisor won't see them.

Advisor Property Mapping Process

Mapping your properties correctly will improve Advisor results. Don't skip adding Advisor Property Mappings when installing Advisor; ensure the SIEM admin configures them in the Advisor admin wizard. Don't count on it working with the default Observable mapping. Map properties in Advisor and define your Canonical Observable Types. Ensure Canonical types are correct.
- These types are sent to Watson: Src/Dst IP, Hash, Domain, URL
- Some types are used locally only (less important to configure, but can help): Username, AVSignature, Filename

Example of a QRadar Advisor with Watson Analysis

After you submit an incident (offense) to Watson for investigation, the knowledge graph provides a view into the relationships of the entities and observables for your incident. Where do I start?
1. Offenses triggered from endpoint event logs that reference a file hash (Malware events)
2. Offenses triggered from events from external facing firewalls, proxies, antivirus or DNS logs (Suspicious Activity)

The Observables (IoCs) in Your Data are Important

On the Analyzer page, you can view the resulting knowledge graph. The graph uses colors to illustrate the following information:
1. Yellow highlighted objects are the knowledge graph root node.
2. Observables that are deemed malicious are represented by red icons.
3. Clustered nodes are shown in blue with the number of nodes indicated next to the icon.

Observables: Data Used by QRadar Advisor

Observables: a set of elements that are collected from an offense and sent by QRadar Advisor with Watson for local analysis and external research.

Observable Type | Description | Core indicator
Source IP | External Source IPs that appear in an offense, enforced by respecting the Network Hierarchy defined in QRadar | Yes
Destination IP | External Destination IPs that appear in an offense, enforced by respecting the Network Hierarchy defined in QRadar | Yes
File Hash | Hash value of a file that is deemed suspicious | Yes
URL | External URLs that appear in an offense | Yes
Domain | External Domains that appear in an offense | Yes
User name | Aliases that may attempt to access critical internal infrastructure | Yes
AV Signature | Malware signatures identified by antivirus solutions | Yes
Destination Port | Destination Ports belonging to Destination IPs | No
User Agent | The user agent identified by a browser or HTTP application | No
File Name | Names of suspicious files | No
Source Port | Source Ports belonging to Source IPs | No
Destination ASN | Autonomous System Number of a destination IP address (from a DNS) | No
Source ASN | Autonomous System Number of a source IP address (from a DNS) | No
Destination Country | Name of the destination country of outbound communications | No
Source Country | Name of the source country of inbound communications | No
Low Level Category | Low level QRadar offense category | No
High Level Category | High level QRadar offense category | No
Direction | Direction of communication | No
Email Address | Email addresses associated with suspicious emails | No
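As an added illustration of the three Network Hierarchy contexts and of the "enforced by respecting the Network Hierarchy" rule in the observables table (this is example code written for this page, not code from the presentation or from the QRadar Advisor app), the Python below classifies a flow as L2L, L2R or R2L against a constructed hierarchy and mines external IP, domain and hash observables from constructed payloads using stand-in custom-property regexes. The hierarchy ranges, regexes, field names and payloads are all assumptions; the last case shows how leaving an owned range out of the hierarchy makes a local server get mined as an External IP.

```python
import ipaddress
import re

# Constructed network hierarchy: the CIDR ranges QRadar treats as Local. As the
# slides advise, it lists routable (DMZ) and non-routable space the organisation
# owns; any address outside these ranges is Remote.
NETWORK_HIERARCHY = {
    "Corp.Users": ["10.20.0.0/16"],
    "Corp.Servers": ["192.168.50.0/24"],
    "DMZ.Web": ["203.0.113.0/24"],
}

# Constructed stand-ins for the QRadar custom properties that must parse IPs,
# domains and hashes out of raw payloads before Advisor can use them.
CUSTOM_PROPERTY_REGEX = {
    "Source IP": re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b"),
    "Destination IP": re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b"),
    "Domain": re.compile(r"\bdomain=([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I),
    "File Hash": re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{32})\b", re.I),
}

def is_local(ip, hierarchy=NETWORK_HIERARCHY):
    """True when ip falls inside any CIDR range of the hierarchy."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr)
               for cidrs in hierarchy.values() for cidr in cidrs)

def direction(src, dst, hierarchy=NETWORK_HIERARCHY):
    """QRadar context of a flow: L2L, L2R or R2L. R2R is not a valid QRadar
    context; seeing it usually means the hierarchy is missing a range you own."""
    s, d = is_local(src, hierarchy), is_local(dst, hierarchy)
    if s and d:
        return "L2L"
    if s:
        return "L2R"
    return "R2L" if d else "R2R"

def extract_observables(payload, hierarchy=NETWORK_HIERARCHY):
    """Mine Advisor-style observables from one event payload. IP observables
    follow the table's rule: only External (non-hierarchy) addresses are kept."""
    found = {n: rx.findall(payload) for n, rx in CUSTOM_PROPERTY_REGEX.items()}
    def external(ips):
        return [ip for ip in ips if not is_local(ip, hierarchy)]
    obs = {"Source IP": external(found["Source IP"]),
           "Destination IP": external(found["Destination IP"]),
           "Domain": found["Domain"],
           "File Hash": [h.lower() for h in found["File Hash"]]}
    if found["Source IP"] and found["Destination IP"]:
        obs["Direction"] = direction(found["Source IP"][0],
                                     found["Destination IP"][0], hierarchy)
    return obs

# Constructed sample payloads (not real events or indicators).
AV_EVENT = ("AV alert src=10.20.4.17 dst=198.51.100.23 domain=cdn.example.net "
            "file=dropper.exe sha256=" + "0123456789abcdef" * 4)
L2L_EVENT = "smb session src=10.20.4.17 dst=192.168.50.9 user=alice"
DMZ_EVENT = "http src=10.20.4.17 dst=203.0.113.5 domain=www.example.org"

if __name__ == "__main__":
    for payload in (AV_EVENT, L2L_EVENT, DMZ_EVENT):
        print(extract_observables(payload))
    # DMZ range left out of the hierarchy: the local web server is mined as External.
    wrong = {k: v for k, v in NETWORK_HIERARCHY.items() if k != "DMZ.Web"}
    print(extract_observables(DMZ_EVENT, wrong))
```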

Tuning and install process

Study your data sources
- Ensure L2R, R2L and file hashes are there, and parsed out using QRadar custom props.
- If your data is all L2L system logs or internal facing HTTP server logs, Watson won't help as much; consider adding additional log sources to get better visibility as well as improve Watson results.

Install and Configure Advisor
- Include mapping custom properties from your environment in the Advisor admin mapping process.

Iterate to see if additional tuning helps
- The QRadar Admin needs to get feedback from Advisor end users.
- Examine the event payload for events in an Offense: any missed custom property Advisor could use?
- Incorrect Canonical type: Advisor data mining can fail.
- Network hierarchy incorrect: Advisor data mining can miss important data.

QRadar Advisor with Watson User Interface

QRadar Advisor User Interface and Key Insights (Version 1.3.0)

Version 1.3.0
1. Added quota indicators to Watson Insights that show the percentage of daily investigations available.
2. Moved reputation and category nodes from the graph display to the property details of the related node.
3. Enhanced performance and speed for displaying graphs.
4. Fixed an issue that caused the graph to resize frequently.
5. Fixed an issue that caused disconnected nodes on the Stage 2 graph.

QRadar Advisor User Interface and Key Insights (Stage 1)

QRadar Advisor User Interface and Key Insights (Stage 2)

Getting Help

Getting Help for QRadar Advisor with Watson (dwanswers)

URL: http://ibm.biz/qradaradvisor
Resolves to: https://developer.ibm.com/answers/topics/qradar-watson.html
NOTE: If you do not use a URL, your search tag in the forums is: qradar-watson.

Questions?

THANK YOU

FOLLOW US ON:
https://www.facebook.com/ibm-security-support-221766828033861/
QRadar Forums: https://ibm.biz/bdr2kc
youtube/user/ibmsecuritysupport
@askibmsecurity
securityintelligence.com
xforce.ibmcloud.com

Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused, or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure, and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.