Simplifying Security for IBM i and IBM Security QRadar

White Paper: Simplifying Security for IBM i and IBM Security QRadar
Townsend Security, 724 Columbia Street NW, Suite 400, Olympia, WA 98501
Phone 360.359.4400 / 800.357.1019, fax 360.357.9047
www.townsendsecurity.com

Overview

Actively monitoring system logs is one of the most effective security tools any organization can deploy. But there are many challenges facing an organization deploying one of the many SIEM solutions for active monitoring. SIEM solutions can be complex to install, configure, deploy and manage. IBM Security QRadar has dramatically reduced the effort required to deploy an effective SIEM solution. Until now, IBM i (AS/400, iSeries) users faced extensive challenges in integrating their IBM servers with QRadar. In a new offering for IBM i customers, Townsend Security makes integration with QRadar simple, fast and inexpensive. Customers can rapidly experience success and better security with Townsend Security's Alliance LogAgent for IBM QRadar solution. This paper explores the security benefits of the combined IBM and Townsend solutions.

Continuous, Active Monitoring is a Key Security Control

In any list of the Top 10 security controls recommended by security professionals you will always find the recommendation to collect and actively monitor system logs. It is easy to see why this is the case: the vast majority of data breaches could have been prevented by early detection. Forensic investigations have consistently shown that system logs contained all of the information needed to detect and prevent a breach. Monitoring system logs and taking early action is one of the most effective ways of preventing a breach.

So why aren't we doing a better job? Part of the answer is that the volume of information in system logs is much larger than humans can handle. The modern enterprise may have dozens, hundreds, or even thousands of servers and PCs on its network. Every one of these systems generates a large number of system log events, and the number of events can reach into the millions on any given day. It is just not humanly possible to review and monitor all of these system and security events.

The only way to effectively monitor system logs is to deploy specialized applications that do this for us. These applications are called Security Information and Event Management, or SIEM, solutions. They collect system logs in a central repository, inspect them for suspicious activity, and alert us when an attack is detected. All of this is done in real time using efficient and capable software. When deployed properly, SIEM solutions are a crucial part of your security strategy. IBM Security QRadar is the solution provided by IBM and is ranked as a leader and visionary by Gartner.

The Hidden Pain Point in SIEM Active Monitoring Solutions

While SIEM solutions perform functions that humans can't do on their own, they often take a lot of work to install, configure, and deploy. With hundreds of different types of devices to monitor, it can be laborious to train the SIEM solution to understand events from all of these devices. Your devices may include firewalls, network switches, PCs, servers with many different operating systems, business applications, web servers and applications, and many, many more. Configuring your SIEM solution to recognize and categorize all of these events is a gargantuan task. Many customers report that it takes months or even years to configure their SIEM solution properly.

IBM Security QRadar helps solve this problem by delivering event configurations that are ready to use right out of the box. With support for more than 250 common devices, most QRadar customers can deploy the solution and start realizing the benefits immediately. IBM calls these ready-to-use configurations Device Support Modules, or DSMs. Do you have a 3Com Model 8800 switch? There's a DSM for that, and IBM QRadar will automatically recognize events from this unit.

Pre-configured support for a wide variety of devices means that IBM Security QRadar customers eliminate a lot of the up-front configuration time and start reaping the benefits of log collection and active monitoring very quickly. Townsend Security worked closely with the IBM Security QRadar development team to incorporate support for IBM i security events using its Alliance LogAgent for IBM QRadar solution. The Townsend Security solution collects IBM i security events in real time, converts them to the IBM QRadar Log Event Extended Format (LEEF) and transmits them to IBM Security QRadar. Alliance LogAgent for IBM QRadar is matched by the QRadar DSM support that is a part of the QRadar solution. Townsend Security is an IBM certified Ready For IBM Security Intelligence (RFISI) partner.

Ease of Use as a Part of the Security Posture

The other big challenge with deploying SIEM solutions is ease of use. Security events are, by nature, complex. The information and formats vary widely, and this can make using a SIEM solution daunting. If installing, configuring, deploying, and maintaining your SIEM solution involves a number of complex tasks, this will slow the deployment and increase the costs of the solution. Many IT professionals are responsible for a number of security applications, and the complexity of a SIEM solution can be a large burden with a direct impact on the effectiveness of your security.

Another challenge to SIEM users involves the handling of false positives and false negatives. It is inevitable that a SIEM solution will miss an important security event, or will generate an alarm for an event that is not truly a security problem. If the number of false positives and false negatives is large, it can overwhelm the IT team with unnecessary work.

IBM Security QRadar mitigates these problems by providing an easy-to-use interface for configuration and deployment. Many IT professionals report that they were able to deploy the QRadar solution without additional training, and that the number of false positives and false negatives remained manageable. IBM Security QRadar learns from your IT team which events can be ignored and which are important. The more information it processes, the better it becomes at detecting anomalies that are of concern and ignoring routine events that do not represent a threat.

The IBM Security QRadar format for security events is called the Log Event Extended Format, or LEEF. It provides a common and normalized way for devices to report events in a consistent manner. When QRadar receives data in the LEEF format it immediately knows how to interpret the contents of the message. For example, it doesn't have to guess the source IP address for an event: it will be in the src=1.1.1.1 field and immediately recognizable. Is malware on a user PC attacking your internal business services? QRadar can find it fast. Townsend Security's solution puts all IBM i security journal events in LEEF format to make QRadar more effective.

How IBM Security QRadar Helps Meet the Challenge

By providing superior security event monitoring and alerting in an easy-to-install and easy-to-use package, IBM Security QRadar has earned a top rating by Gartner in the SIEM Magic Quadrant. Organizations of all sizes find QRadar rapid to deploy and benefit immediately from a better security posture. In addition to being effective at identifying threats, IBM QRadar includes common compliance reports for PCI, HIPAA, and other compliance regulations. The query and reporting engine is intuitive and makes forensic research fast and straightforward. Even network administrators and security professionals at the start of their careers find it easy to use and manage QRadar.

IBM i (AS/400, iSeries) and the Special Challenge for SIEM Integration

How can the IBM i server integrate effectively with IBM Security QRadar to provide superior system event monitoring and alerting? IBM i security events are stored in a special journal named QAUDJRN, and the data in the journal is in an internal IBM format that is unintelligible to SIEM solutions like IBM Security QRadar. Additionally, there is no native syslog communications interface on the IBM i server to transmit events to the QRadar collector. These challenges can be daunting to most IBM i customers.

The IBM i is a Data-rich Target for Cyber-criminals

IBM i customers run a variety of back-office applications that are rich sources of Personally Identifiable Information (PII). Applications like Enterprise Resource Management (ERP), Customer Relationship Management (CRM), financial and HR applications, and many others contain sensitive information that is of high value to cyber-criminals. Because the IBM i server platform is so good at running many applications in one server instance, the IBM i represents a rich and valuable target for cyber-criminals.

Like all major operating systems, the IBM i5/OS operating system provides for highly privileged users. The QSECOFR user profile is the most sensitive profile, with full privilege to all information and processes on the IBM i platform. However, special authorities such as All Object (*ALLOBJ) are often granted to other users, which conveys the same level of privilege. Attackers often compromise a less privileged account and then attempt to escalate their privilege level to gain access to sensitive information. In this regard the IBM i server is no different than a typical Windows or Linux server: the attack principles are the same.

While the IBM i server is a legacy platform, IBM has enhanced it with many modern open source applications that become potential attack points for hackers. These applications include the Apache web server, FTP, Secure Shell (OpenSSH) with sftp and a command shell, Perl, PHP, Ruby, and many others. While these applications give the IBM i server many new capabilities, they also represent a new attack surface that must be managed and monitored. While these security challenges are not unique to the IBM i platform, the IBM i server presents unique challenges to SIEM solutions. Fortunately there are good solutions to help you meet these challenges and get the most value from your IBM Security QRadar investment.

Townsend Security's Alliance LogAgent Solution Does the QRadar Integration for IBM i Users

For over two decades Townsend Security has been a leader in IBM i security solutions. Recognizing the importance of active and continuous monitoring to a company's security strategy, in 2007 Townsend Security introduced Alliance LogAgent for the IBM i platform to provide SIEM integration. Approached by IBM in early 2015 to provide enhanced support for IBM security solutions, Townsend Security worked closely with the QRadar technical team to provide direct support for the Log Event Extended Format (LEEF) used by the QRadar SIEM, and to certify Townsend Security's solution with QRadar. In November, IBM released the updated QRadar DSM support and Townsend Security released the new solution. IBM i users now have the best possible QRadar integration for their IBM i servers.

Features and Benefits

IBM Security QRadar works best when it gets real-time security event notification, and Alliance LogAgent provides this real-time collection. Running as a background batch process, Alliance LogAgent reads events from the security audit journal QAUDJRN as they become available. There are no time-delayed batch operations; events are handled as soon as they appear in the security journal. Real-time event collection and processing is at the heart of Alliance LogAgent.

The internal event information is in IBM internal formats and unusable for any SIEM. Alliance LogAgent extracts the relevant security information and converts it to the QRadar LEEF format. This normalizes the information into understandable fields for QRadar and compacts it to save network resources. Data in LEEF format is immediately recognizable by QRadar as actionable information.

The security event is then transmitted to IBM Security QRadar using syslog communications provided by Alliance LogAgent. Events are sequenced and delivery is guaranteed to ensure that no events are lost. The communications interface is self-healing and restarts automatically in the event of a network failure or a maintenance window for QRadar. All events are sent directly to QRadar; there is no use of local IBM i storage or queuing. This protects and minimizes storage resources on the IBM i server.
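As an added illustration of the normalization and transport steps just described, and of the src= field mentioned under Ease of Use, the Python below (an example written for this page, not Townsend Security's or IBM's code) turns a constructed, already-extracted QAUDJRN-style record into a LEEF 1.0 line, frames it in syslog, parses it back the way a collector would, and checks the journal sequence numbers for gaps. The vendor and product strings, the sample record's field names and the custom seq attribute are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: a simplified IBM i QAUDJRN "PW" (invalid password)
# entry already extracted into fields. The real journal entry is in IBM's
# internal format; that extraction step is assumed here, not shown.
SAMPLE_RECORD = {
    "entry_type": "PW",
    "user": "JSMITH",
    "src_ip": "10.0.0.25",
    "timestamp": datetime(2016, 3, 14, 9, 26, 53),
    "sequence": 1042,  # journal sequence number carried end to end
}

# LEEF header: LEEF:<version>|Vendor|Product|Version|EventID|<attributes>
LEEF_RE = re.compile(
    r"LEEF:(?P<ver>[12]\.0)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<attrs>.*)$"
)


def to_leef(record, vendor="ExampleVendor", product="ExampleAgent", version="1.0"):
    """Normalize one extracted audit record into a LEEF 1.0 line.
    src, usrName, devTime, devTimeFormat and sev are standard LEEF keys;
    seq is a custom attribute (an assumption) used for gap detection."""
    header = f"LEEF:1.0|{vendor}|{product}|{version}|{record['entry_type']}|"
    attrs = {
        "devTime": record["timestamp"].strftime("%b %d %Y %H:%M:%S"),
        "devTimeFormat": "MMM dd yyyy HH:mm:ss",
        "src": record["src_ip"],
        "usrName": record["user"],
        "sev": "5",
        "seq": str(record["sequence"]),
    }
    # LEEF 1.0 separates attributes with a tab character.
    return header + "\t".join(f"{k}={v}" for k, v in attrs.items())


def to_syslog(leef_line, host="IBMI01", pri=13, when=None):
    """Wrap a LEEF line in a BSD-style syslog frame (PRI, timestamp, host)."""
    stamp = (when or datetime.now()).strftime("%b %d %H:%M:%S")
    return f"<{pri}>{stamp} {host} {leef_line}"


def parse_leef(line):
    """Parse a syslog-framed or bare LEEF line into header fields plus an
    attribute dict. Returns None for non-LEEF input so it can be routed on."""
    m = LEEF_RE.search(line)
    if not m:
        return None
    event = {k: m.group(k) for k in ("ver", "vendor", "product", "version", "event_id")}
    event["attrs"] = dict(
        item.split("=", 1) for item in m.group("attrs").split("\t") if "=" in item
    )
    return event


def missing_sequences(seen):
    """Sequence numbers absent between the lowest and highest seen: how a
    collector can verify the 'no events lost' property on its side."""
    if not seen:
        return []
    present = set(seen)
    return [n for n in range(min(present), max(present) + 1) if n not in present]
```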
In addition to the IBM security audit journal, Alliance LogAgent for IBM QRadar collects events from the system history file QHST, from the system operator message file QSYSOPR or QSYSMSG, from multiple IBM i exit points, from open source applications like Apache and OpenSSH, and from user events created through LogAgent APIs. The result is the ability of IBM Security QRadar to see full activity on the IBM i in real time and provide deep security protection.

The deployment of Alliance LogAgent requires only a few minutes to install and configure, without the need for outside consultants or specialized expertise. IBM i customers start benefiting from better security in just minutes, not days or weeks!

For IBM i customers who are not yet using a SIEM solution for active monitoring, Townsend Security can help arrange an evaluation of IBM Security QRadar and Alliance LogAgent.

Further Resources

Product Web Page:
Case Study: Boyd Gaming Collects IBM i Security Events with
Podcast: Monitoring IBM i Logs with IBM Security QRadar

About Townsend Security

Townsend Security creates data privacy solutions that help organizations meet evolving compliance requirements and mitigate the risk of data breaches and cyber-attacks. Over 3,000 companies worldwide trust Townsend Security's NIST-validated and FIPS 140-2 compliant solutions to meet the encryption and key management requirements in PCI DSS, HIPAA/HITECH, FISMA, GLBA/FFIEC, SOX, and other regulatory compliance requirements. We invite you to learn more about us and view comments on the latest happenings in the security and encryption space by going to our blog.