White Paper: Simplifying Security for IBM i and IBM Security QRadar

Townsend Security, 724 Columbia Street NW, Suite 400, Olympia, WA 98501. Phone 360.359.4400 or 800.357.1019, fax 360.357.9047. www.townsendsecurity.com
Overview

Actively monitoring system logs is one of the most effective security tools any organization can deploy. But an organization deploying one of the many SIEM solutions for active monitoring faces many challenges: SIEM solutions can be complex to install, configure, deploy and manage. IBM Security QRadar has dramatically reduced the effort required to deploy an effective SIEM solution. Until now, IBM i (AS/400, iSeries) users faced extensive challenges in integrating their IBM servers with QRadar. In a new offering for IBM i customers, Townsend Security makes integration with QRadar simple, fast and inexpensive. Customers can rapidly experience success and better security with Townsend Security's Alliance LogAgent for IBM QRadar solution. This paper explores the security benefits of the combined IBM and Townsend solutions.

Continuous, Active Monitoring is a Key Security Control

In any list of the Top 10 security controls recommended by security professionals you will always find the recommendation to collect and actively monitor system logs. It is easy to see why this is the case: the vast majority of data breaches could have been prevented by early detection. Forensic investigations have consistently shown that system logs contained all of the information needed to detect and prevent a breach. Monitoring system logs and taking early action is one of the most effective ways of preventing a breach.

So why aren't we doing a better job? Part of the answer is that the volume of information in system logs is far larger than humans can handle. The modern enterprise may have dozens, hundreds, or even thousands of servers and PCs on its network. Every one of these systems generates a large number of system log events, and the number of events can reach into the millions on any given day. It is simply not humanly possible to review and monitor all of these system and security events.
The only way to effectively monitor system logs is to deploy specialized applications that do this for us. These applications are called Security Information and Event Management, or SIEM, solutions. They collect system logs in a central repository, inspect them for suspicious activity, and alert us when an attack is detected. All of this is done in real time using efficient and capable software. When deployed properly, SIEM solutions are a crucial part of your security strategy. IBM Security QRadar is the solution provided by IBM and is ranked as a leader and visionary by Gartner.

The Hidden Pain Point in SIEM Active Monitoring Solutions

While SIEM solutions perform functions that humans can't do on their own, they often take a lot of work to install, configure, and deploy. With hundreds of different types of devices to monitor, it can be laborious to train the SIEM solution to understand events from all of them. Your devices may include firewalls, network switches, PCs, servers with many different operating systems, business applications, web servers and applications, and many, many more. Configuring your SIEM solution to recognize and categorize all of these events is a gargantuan task. Many customers report that it takes months or even years to configure their SIEM solution properly.

IBM Security QRadar helps solve this problem by delivering event configurations that are ready to use right out of the box. With support for more than 250 common devices, most QRadar customers can deploy the solution and start realizing the benefits immediately. IBM calls these ready-to-use configurations Device Support Modules, or DSMs. Do you have a 3Com Model 8800 switch? There's a DSM for that, and IBM QRadar will automatically recognize events from this unit.
Pre-configured support for a wide variety of devices means that IBM Security QRadar customers eliminate a lot of the up-front configuration time and start reaping the benefits of log collection and active monitoring very quickly.

Townsend Security worked closely with the IBM Security QRadar development team to incorporate support for IBM i security events using its Alliance LogAgent for IBM QRadar solution. The Townsend Security solution collects IBM i security events in real time, converts them to the IBM QRadar Log Event Extended Format (LEEF) and transmits them to IBM Security QRadar. Alliance LogAgent for IBM QRadar is matched by the QRadar DSM support that is a part of the QRadar solution. Townsend Security is an IBM certified Ready For IBM Security Intelligence (RFISI) partner.
Ease of Use as a Part of the Security Posture

The other big challenge with deploying SIEM solutions is ease of use. Security events are, by nature, complex. The information and formats vary widely, and this can make using a SIEM solution daunting. If installing, configuring, deploying, and maintaining your SIEM solution involves a number of complex tasks, this will slow the deployment and increase the costs of the solution. Many IT professionals are responsible for a number of security applications, and the complexity of a SIEM solution can be a large burden with a direct impact on the effectiveness of your security.

Another challenge for SIEM users is the handling of false positives and false negatives. It is inevitable that a SIEM solution will miss an important security event, or will generate an alarm for an event that is not truly a security problem. If the number of false positives and false negatives is large, it can overwhelm the IT team with unnecessary work.

IBM Security QRadar mitigates these problems by providing an easy-to-use interface for configuration and deployment. Many IT professionals report that they were able to deploy the QRadar solution without additional training, and that the number of false positives and false negatives remained manageable. IBM Security QRadar learns from your IT team which events can be ignored and which are important. The more information it processes, the better it becomes at detecting anomalies that are of concern and ignoring routine events that do not represent a threat.

The IBM Security QRadar format for security events is called the Log Event Extended Format, or LEEF. It provides a common and normalized way for devices to report events in a consistent manner. When QRadar receives data in the LEEF format it immediately knows how to interpret the contents of the message.
For example, it doesn't have to guess the source IP address for an event: it will be in the src=1.1.1.1 field and immediately recognizable. Is malware on a user PC attacking your internal business services? QRadar can find it fast. Townsend Security's solution puts all IBM i security journal events in LEEF format to make QRadar more effective.

How IBM Security QRadar Helps Meet the Challenge

By providing superior security event monitoring and alerting in an easy-to-install and easy-to-use package, IBM Security QRadar has earned a top rating by Gartner in the SIEM Magic Quadrant. Organizations of all sizes find QRadar rapid to deploy and benefit immediately from a better security posture. In addition to being effective at identifying threats, IBM QRadar includes common compliance reports for PCI, HIPAA, and other compliance regulations. The query and reporting engine is intuitive and makes forensic research fast and straightforward. Even network administrators and security professionals at the start of their careers find it easy to use and manage QRadar.

IBM i (AS/400, iSeries) and the Special Challenge for SIEM Integration

How can the IBM i server integrate effectively with IBM Security QRadar to provide superior system event monitoring and alerting? IBM i security events are stored in a special journal named QAUDJRN, and the data in the journal is in an internal IBM format that is unintelligible to SIEM solutions like IBM Security QRadar. Additionally, there is no native syslog communications interface on the IBM i server to transmit events to the QRadar collector. These challenges can be daunting to most IBM i customers.

The IBM i is a Data-rich Target for Cyber-criminals

IBM i customers run a variety of back-office applications that are rich sources of Personally Identifiable Information (PII). Applications like Enterprise Resource Management (ERP), Customer Relationship Management (CRM), financial and HR applications, and many others contain sensitive information that is of high value to cyber-criminals. Because the IBM i server platform is so good at running many applications in one server instance, the IBM i represents a rich and valuable target for cyber-criminals.
Like all major operating systems, the IBM i5/OS operating system provides for highly privileged users. The QSECOFR user profile is the most sensitive profile, with full privilege to all information and processes on the IBM i platform. However, special authorities such as All Object (*ALLOBJ) are often granted to other users, which conveys the same level of privilege. Attackers often compromise a less privileged account and then attempt to escalate their privilege level to gain access to sensitive information. In this regard the IBM i server is no different from a typical Windows or Linux server: the attack principles are the same.

While the IBM i server is a legacy platform, IBM has enhanced this server with many modern open source applications that become potential attack points for hackers. These applications include the Apache web server, FTP, Secure Shell (OpenSSH) with sftp and command shell, Perl, PHP, Ruby, and many others. While these applications give the IBM i server many new capabilities, they also represent a new attack surface that must be managed and monitored.

While these security challenges are not unique to the IBM i platform, the IBM i server presents unique challenges to SIEM solutions. Fortunately there are good solutions to help you meet these challenges and get the most value from your IBM Security QRadar investment.

Townsend Security's Alliance LogAgent Solution Does the QRadar Integration for IBM i Users

For over two decades Townsend Security has been a leader in IBM i security solutions. Recognizing the importance of active and continuous monitoring to a company's security strategy, in 2007 Townsend Security introduced Alliance LogAgent for the IBM i platform to provide SIEM integration. Approached by IBM in early 2015 to provide enhanced support for IBM security solutions, Townsend Security worked closely with the QRadar technical team to provide direct support for the Log Event Extended Format (LEEF) used by the QRadar SIEM, and to certify Townsend Security's solution with QRadar. In November IBM released the updated QRadar DSM support and Townsend Security released the new solution. IBM i users now have the best possible QRadar integration for their IBM i servers.

Features and Benefits

IBM Security QRadar works best when it gets real-time security event notification, and Alliance LogAgent provides this real-time collection. Running as a background batch process, Alliance LogAgent reads events from the security audit journal QAUDJRN as they become available. There are no time-delayed batch operations; events are handled as they become available in the security journal. Real-time event collection and processing is at the heart of Alliance LogAgent.

The internal event information is in IBM internal formats and unusable for any SIEM. Alliance LogAgent extracts the relevant security information and converts it to the QRadar LEEF format. This normalizes the information into understandable fields for QRadar and compacts it to save network resources. Data in LEEF format is immediately recognizable by QRadar as actionable information.

The security event is then transmitted to IBM Security QRadar using syslog communications provided by Alliance LogAgent. Events are sequenced and delivery is guaranteed to ensure that no events are lost. The communications interface is self-healing and restarts automatically in the event of a network failure or a maintenance window for QRadar. All events are processed directly to QRadar, and there is no use of local IBM i storage or queuing. This protects and minimizes storage resources on the IBM i server.
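As an added illustration of the LEEF conversion and the kind of monitoring it enables (example code written for this page, not Townsend Security's or IBM's), the following builds LEEF 1.0 records from constructed IBM i audit-journal fields, parses them back, and flags source addresses with repeated PW (invalid password) entries. The vendor and product strings, the sample events and the threshold are assumptions.

```python
import re
from typing import Dict, List, Tuple

# LEEF 1.0 layout: LEEF:1.0|Vendor|Product|Version|EventID|key=value<TAB>key=value...
# Vendor/product names and every sample event here are constructed for illustration.

def _escape_header(value: str) -> str:
    # "|" delimits header fields, so a literal pipe inside one must be escaped.
    return value.replace("\\", "\\\\").replace("|", "\\|")

def _escape_attr(value: str) -> str:
    # Attributes are tab-separated in LEEF 1.0; a stray tab or newline would split the record.
    return value.replace("\t", " ").replace("\r", " ").replace("\n", " ")

def to_leef(event_id: str, attrs: Dict[str, str], vendor: str = "ExampleVendor",
            product: str = "ExampleAgent", version: str = "1.0") -> str:
    header = "|".join(["LEEF:1.0", _escape_header(vendor), _escape_header(product),
                       _escape_header(version), _escape_header(event_id)])
    return header + "|" + "\t".join(f"{k}={_escape_attr(v)}" for k, v in attrs.items())

_FIELD_RE = re.compile(r"(?:\\.|[^|\\])*")  # one header field, honouring "\|" escapes

def parse_leef(line: str) -> Tuple[List[str], Dict[str, str]]:
    """Split a LEEF 1.0 line into its five header fields and its attribute map."""
    fields, pos = [], 0
    for _ in range(5):              # LEEF version, vendor, product, version, event id
        m = _FIELD_RE.match(line, pos)
        fields.append(m.group().replace("\\|", "|").replace("\\\\", "\\"))
        pos = m.end() + 1           # step over the "|" closing this field
    attrs: Dict[str, str] = {}
    for pair in line[pos:].split("\t"):
        if pair:
            key, _, value = pair.partition("=")
            attrs[key] = value
    return fields, attrs

def failed_logon_sources(lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Count PW (invalid password) audit entries per source address; report those at or over threshold."""
    counts: Dict[str, int] = {}
    for line in lines:
        fields, attrs = parse_leef(line)
        if fields[4] == "PW" and "src" in attrs:
            counts[attrs["src"]] = counts.get(attrs["src"], 0) + 1
    return {src: n for src, n in counts.items() if n >= threshold}

# Constructed sample: three password failures from one address, one from another.
SAMPLE = [to_leef("PW", {"devTime": f"2016-01-10 08:00:0{i}", "usrName": "JSMITH",
                         "src": "10.0.0.5", "job": "QTFTP|012345"}) for i in range(3)]
SAMPLE.append(to_leef("PW", {"usrName": "JDOE", "src": "10.0.0.9"}))
```

Because the header is the only part of a LEEF 1.0 record delimited by "|", a pipe inside an attribute value (the constructed job name above) survives the round trip untouched.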
In addition to the IBM security audit journal, Alliance LogAgent for IBM QRadar collects events from the system history file QHST, from the system operator message file QSYSOPR or QSYSMSG, from multiple IBM i exit points, from open source applications like Apache and OpenSSH, and from user events created through LogAgent APIs. The result is that IBM Security QRadar can see full activity on the IBM i in real time and provide deep security protection.

Deployment of Alliance LogAgent requires a few minutes to install and configure, without the need for outside consultants or specialized expertise. IBM i customers start benefiting from better security in just minutes, not days or weeks! For IBM i customers who are not yet using a SIEM solution for active monitoring, Townsend Security can help arrange an evaluation of IBM Security QRadar and Alliance LogAgent.

Further Resources

Product Web Page:
Case Study: Boyd Gaming Collects IBM i Security Events with
Podcast: Monitoring IBM i Logs with IBM Security QRadar
About Townsend Security

Townsend Security creates data privacy solutions that help organizations meet evolving compliance requirements and mitigate the risk of data breaches and cyber-attacks. Over 3,000 companies worldwide trust Townsend Security's NIST-validated and FIPS 140-2 compliant solutions to meet the encryption and key management requirements in PCI DSS, HIPAA/HITECH, FISMA, GLBA/FFIEC, SOX, and other regulatory compliance requirements. We invite you to learn more about us and view comments on the latest happenings in the security and encryption space by going to our blog.