IBM Threat Protection System: XGS - QRadar Integration


IBM Security Network Protection Support Open Mic - Wednesday, 25 May 2016
IBM Threat Protection System: XGS - QRadar Integration

Panelists:
Tanmay Shah - Presenter, Level 2 Support Product Lead
Danitza Villaran-Rokovich, Mike Heth - Level 2 Support
Jeffrey DiCostanzo - AVP Leader
Jonathan Pechta, Steven McKinney - Knowledge Leaders
Jack Cam - Moderator, IBM Support Manager
Michael Hunt - Knowledge Management University Intern

Reminder: You must dial in to the phone conference to listen to the panelists. The web cast does not include audio.
USA toll-free: 866-803-2145
USA toll: 1-210-795-1099
Participant passcode: 1322112
Slides and additional dial-in numbers: https://ibm.biz/bd4bjd

NOTICE: By participating in this call, you give your irrevocable consent to IBM to record any statements that you may make during the call, as well as to IBM's use of such recording in any and all media, including for video postings on YouTube. If you object, please do not connect to this call.

Agenda
- XGS-QRadar Integration Overview
- XGS LEEF Event Export
- XGS IPFIX Data Forwarding
  - What is IPFIX?
  - Differences between NetFlow and IPFIX
  - IPFIX Configuration
- XGS Configuration for Advanced Threat Integration
  - Advanced Threat Policy
  - Advanced Threat Agent Policy
- QRadar Configuration for Advanced Threat Integration
- Example Use Cases

XGS-QRadar Integration Overview

Integration Overview

Two-way integration to prevent, detect and respond to advanced threats:
- XGS can be configured to send events in LEEF format over syslog to QRadar through its management interface.
- XGS can also be configured to send IPFIX flow data to QRadar through its management interface.
- QRadar can send an IP address (source or destination) or a URI to XGS to be quarantined for a specific amount of time, using the XGS Advanced Threat Protection agent.

Integration Overview (diagram): XGS provides threat detection, including within SSL-encrypted traffic. QRadar consumes network and virtual activity, application activity, user activity, data activity, servers and mainframes, configuration information and vulnerability information, and performs event correlation, activity baselining and anomaly detection, and offense identification.

XGS LEEF Event Export

XGS LEEF Event Export - Configuration

Forward XGS events to QRadar by using a Remote Syslog object in the Network Access Policy, the Intrusion Prevention System policy and/or the System Alert policies.

XGS LEEF Event Export - Configuration continued

QRadar automatically detects the events, but you can configure the QRadar log source before setting up the forwarding on XGS to ensure that you do not miss ANY event: auto-discovery creates a log source only after it has seen a number of events from the new sender, so the first events can arrive before the log source exists. More information is in our Jan-2016 open mic.
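The LEEF payload that travels inside each syslog message is what QRadar's auto-discovery and parsing key on, so it helps to see the format concretely. The following is an added example, not IBM code and not an actual XGS event: it parses both LEEF 1.0 (tab-delimited attributes) and LEEF 2.0 (sender-chosen delimiter, optionally given in hex form) and then counts events per source. The sample syslog lines, the vendor/product strings, the event IDs and the attribute names (src, dst, srcPort, dstPort, proto, sev, cat) are constructed for illustration, since this page does not show a real XGS event.

```python
"""Parse LEEF events as an XGS would forward them over syslog, and summarise them per source.

Added example, not IBM code. The sample lines are constructed: the vendor/product
strings, event IDs and attribute names (src, dst, srcPort, dstPort, proto, sev, cat)
are assumptions, since this page does not show an actual XGS event.
"""
import re
from collections import Counter

SAMPLE_SYSLOG = [
    "<13>May 25 2016 10:15:01 xgs01 LEEF:1.0|IBM|XGS|5.3|Attack_Detected|"
    "src=203.0.113.7\tdst=192.0.2.10\tsrcPort=51234\tdstPort=80\tproto=TCP\tsev=8\tcat=HTTP_Exploit",
    "<13>May 25 2016 10:15:03 xgs01 LEEF:1.0|IBM|XGS|5.3|Attack_Detected|"
    "src=203.0.113.7\tdst=192.0.2.10\tsrcPort=51240\tdstPort=80\tproto=TCP\tsev=8\tcat=SQL_Injection",
    # LEEF 2.0 lets the sender pick its own attribute delimiter (here '^')
    "<13>May 25 2016 10:16:10 xgs01 LEEF:2.0|IBM|XGS|5.3|Connection_Denied|^|"
    "src=198.51.100.4^dst=192.0.2.22^srcPort=40000^dstPort=445^proto=TCP^sev=3",
    "<13>May 25 2016 10:16:11 xgs01 plain syslog line without a LEEF payload",
]

_HEX_DELIM = re.compile(r"^(?:0?x)([0-9A-Fa-f]{2})$")   # LEEF 2.0 hex delimiter form, e.g. x09


def _split_header(text, fields):
    # Header fields are '|' separated; a literal '|' inside a field is escaped as '\|'.
    return re.split(r"(?<!\\)\|", text, maxsplit=fields - 1)


def parse_leef(line):
    """Return {'version', 'vendor', 'product', 'product_version', 'event_id', 'attrs'},
    or None when the line carries no well-formed LEEF payload."""
    start = line.find("LEEF:")
    if start < 0:
        return None
    version, _, rest = line[start + 5:].partition("|")
    if version == "1.0":
        parts, delim = _split_header(rest, 5), "\t"
    elif version == "2.0":
        parts = _split_header(rest, 6)
        if len(parts) != 6:
            return None
        delim = parts.pop(4)               # delimiter field sits between EventID and attributes
        m = _HEX_DELIM.match(delim)
        delim = chr(int(m.group(1), 16)) if m else (delim or "\t")
    else:
        return None
    if len(parts) != 5:
        return None
    vendor, product, product_version, event_id, attr_text = parts
    attrs = {}
    for item in attr_text.split(delim):
        key, sep, value = item.partition("=")
        if sep:
            attrs[key.strip()] = value
    return {"version": version, "vendor": vendor, "product": product,
            "product_version": product_version, "event_id": event_id, "attrs": attrs}


def events_by_source(lines, min_severity=0):
    """Count parsable events per source IP, optionally keeping only sev >= min_severity."""
    counts = Counter()
    for line in lines:
        ev = parse_leef(line)
        if ev is None:
            continue                        # unparsable lines are skipped, not counted
        try:
            sev = int(ev["attrs"].get("sev", 0))
        except ValueError:
            sev = 0
        if sev >= min_severity:
            counts[ev["attrs"].get("src", "unknown")] += 1
    return counts
```

Running `events_by_source(SAMPLE_SYSLOG)` over the constructed lines attributes two events to 203.0.113.7 and one to 198.51.100.4; the non-LEEF line is ignored rather than miscounted, which is the behaviour you want in a collector.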

XGS IPFIX Data Forwarding

IPFIX Integration - What is IPFIX?

What is a flow? A flow differs from an event in that a flow (for the most part) has a start and an end time, or a life of multiple seconds. For example, when you connect to a website, the communication includes HTML files, images, flash files, longer file downloads, etc., and may take some time to transfer the data. An event, in contrast, represents a single occurrence on the network, such as the login action of a VPN session or a firewall deny for someone trying to connect to a network.

IPFIX (Internet Protocol Flow Information Export) is an IETF protocol used for accounting (traffic mix and bandwidth usage). It was created from the need for a common, universal standard for exporting IP flow information from different network devices. The protocol defines the format of the flow information and a mechanism for transferring it from an exporter to a collector.

IPFIX Integration - NetFlow vs IPFIX

IPFIX is the standardized successor to NetFlow: NetFlow is Cisco proprietary, whereas IPFIX is a universal standard that any vendor can use to export IP flow data. IPFIX allows vendor extensions and variable-length fields, providing the ability to collect more information and deeper insights than NetFlow v9.

What do you get as part of XGS IPFIX? The XGS IPFIX implementation forwards layer-7 information such as application and user names. NetFlow, on the other hand, can only give information up to layer 4. The SSL decryption capability of the XGS lets it identify the same information within SSL-encrypted traffic and forward it to QRadar to add context. The user and application information sent over IPFIX allows you to identify application misuse.
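The two IPFIX points above (what a flow record is, and why vendor extensions and variable-length fields matter) are easiest to see in the wire format. The following is an added example, not XGS or QRadar code: it encodes an IPFIX message (RFC 7011) with a template set and a data set, then decodes it as a collector would, rejecting the NetFlow v9 version number. The 5-tuple uses IANA-registered information elements; application name and user name are carried as enterprise-specific, variable-length elements, which is the IPFIX feature NetFlow v9 lacks. The enterprise number DEMO_PEN and the element IDs 1 and 2 under it, and the two sample flows, are placeholders constructed for the example, not IBM's registered values.

```python
"""Minimal IPFIX (RFC 7011) exporter/collector pair carrying layer-7 flow fields.
Added example, not XGS or QRadar code: the 5-tuple uses IANA information elements,
while application and user name are enterprise-specific variable-length elements,
which IPFIX allows and NetFlow v9 does not. DEMO_PEN and element IDs 1 and 2 under
it are placeholders, not IBM's registered values."""
import struct

IPFIX_VERSION, TEMPLATE_SET_ID, VARLEN = 10, 2, 0xFFFF   # a NetFlow v9 header carries 9
DEMO_PEN, TEMPLATE_ID = 99999, 256      # placeholder enterprise number; data set IDs are >= 256
# (element_id, length, enterprise_number or None for IANA elements)
TEMPLATE = [(8, 4, None), (12, 4, None), (7, 2, None), (11, 2, None), (4, 1, None),
            (1, VARLEN, DEMO_PEN), (2, VARLEN, DEMO_PEN)]
NAMES = {(None, 8): "sourceIPv4Address", (None, 12): "destinationIPv4Address",
         (None, 7): "sourceTransportPort", (None, 11): "destinationTransportPort",
         (None, 4): "protocolIdentifier", (DEMO_PEN, 1): "applicationName", (DEMO_PEN, 2): "userName"}

def _encode_varlen(raw):
    # RFC 7011 s7: one length byte if < 255, else 0xFF followed by a 2-byte length
    return (bytes([len(raw)]) if len(raw) < 255 else b"\xff" + struct.pack("!H", len(raw))) + raw

def encode_template_set(template_id, template):
    body = struct.pack("!HH", template_id, len(template))
    for ie_id, length, pen in template:
        # enterprise bit set on the element ID, enterprise number appended after the length
        body += struct.pack("!HH", ie_id | (0x8000 if pen else 0), length)
        body += struct.pack("!I", pen) if pen else b""
    return struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(body)) + body

def encode_data_set(template_id, template, records):
    body = b""
    for rec in records:
        for (ie_id, length, pen), value in zip(template, rec):
            if length == VARLEN:
                body += _encode_varlen(value.encode())
            elif isinstance(value, str):              # dotted IPv4 address
                body += bytes(int(o) for o in value.split("."))
            else:
                body += value.to_bytes(length, "big")
    return struct.pack("!HH", template_id, 4 + len(body)) + body

def encode_message(sets, export_time, seq, domain):
    payload = b"".join(sets)
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(payload), export_time, seq, domain) + payload

def _parse_templates(body, templates):
    off = 0
    while off + 4 <= len(body):
        tid, count = struct.unpack("!HH", body[off:off + 4]); off += 4
        if count == 0: templates.pop(tid, None); continue   # withdrawal, or set padding
        fields = []
        for _ in range(count):
            ie_id, flen = struct.unpack("!HH", body[off:off + 4]); off += 4
            pen = None
            if ie_id & 0x8000:            # enterprise-specific element
                ie_id &= 0x7FFF
                (pen,) = struct.unpack("!I", body[off:off + 4]); off += 4
            fields.append((ie_id, flen, pen))
        templates[tid] = fields

def _parse_records(body, tmpl):
    min_len = sum(1 if l == VARLEN else l for _, l, _ in tmpl)   # shortest legal record
    out, off = [], 0
    while off + min_len <= len(body):     # a shorter tail is set padding
        rec = {}
        for ie_id, flen, pen in tmpl:
            is_var = flen == VARLEN
            if is_var:
                flen = body[off]; off += 1
                if flen == 255:
                    (flen,) = struct.unpack("!H", body[off:off + 2]); off += 2
            raw = body[off:off + flen]; off += flen
            if len(raw) != flen: raise ValueError("truncated data record")
            val = (raw.decode("utf-8", "replace") if is_var else
                   ".".join(map(str, raw)) if pen is None and ie_id in (8, 12) else int.from_bytes(raw, "big"))
            rec[NAMES.get((pen, ie_id), "ie%s.%d" % (pen, ie_id))] = val
        out.append(rec)
    return out

def decode_message(data):
    """Parse one IPFIX message into (templates, records); rejects non-IPFIX headers."""
    version, length = struct.unpack("!HH", data[:4])
    if version != IPFIX_VERSION or length != len(data):
        raise ValueError("not a complete IPFIX message (version %d; NetFlow v9 uses 9)" % version)
    templates, records, off = {}, [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack("!HH", data[off:off + 4])
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        body = data[off + 4:off + set_len]
        if set_id == TEMPLATE_SET_ID:
            _parse_templates(body, templates)
        elif set_id >= 256:               # data set; options templates (ID 3) are skipped here
            if set_id not in templates:
                raise ValueError("data set for unknown template %d" % set_id)
            records.extend(_parse_records(body, templates[set_id]))
        off += set_len
    return templates, records

def build_demo_message():
    """Constructed sample export: one template set and one data set with two flows."""
    flows = [("10.1.1.5", "192.0.2.10", 51234, 443, 6, "HTTPS-WebMail", "alice"),
             ("10.1.1.9", "198.51.100.4", 40000, 443, 6, "BitTorrent", "bob")]
    return encode_message([encode_template_set(TEMPLATE_ID, TEMPLATE),
                           encode_data_set(TEMPLATE_ID, TEMPLATE, flows)],
                          export_time=1464170100, seq=1, domain=1)
```

`decode_message(build_demo_message())` returns the template and two records whose applicationName and userName fields are the layer-7 context the slide refers to; in a real collector the template must be received before any data set that uses it, which is why the decoder refuses a data set for an unknown template rather than guessing at its layout.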

IPFIX Integration - What do you get? (screenshot)

IPFIX Integration - Configuration on XGS (screenshot)

IPFIX Integration - Configuration on QRadar (optional)

To configure QRadar SIEM to accept IPFIX flow traffic, add a NetFlow flow source; the NetFlow flow source processes IPFIX flows using the same process. The default NetFlow flow source can automatically start collecting IPFIX data from XGS, which is why this step is optional.

XGS Configuration for Advanced Threat Integration

Advanced Threat Policy

The Advanced Threat Policy defines how the XGS appliance quarantines traffic. It uses the alert information supplied by external agents. You can disable rules or modify responses in the policy so that the XGS appliance responds to the alert data in a manner that is suitable for your network environment.

Alert flow (diagram): QRadar Right-Click Plugin -> Alert -> XGS ATP Agent: Parse Alert -> Run through ATP Agent policy -> Create Event, Create Quarantine, System Alert -> Time Limited Blocking.

The appliance translates an alert from QRadar into a set of active quarantine rules. Translation is based on matches for the following attributes of an alert (an alert matches only one rule):
- Agent Type
- Alert Type
- Alert Severity

When an alert matches a rule, the sensor uses each associated quarantine response object to create a separate active quarantine rule. The sensor then enforces each active quarantine rule for the duration configured in the object.

Advanced Threat Policy continued

The sensor applies active quarantine rules to quarantine traffic based on the following alert attributes:
- Victim IP
- Victim Port
- Intruder IP
- Intruder Port
- URL

Advanced Threat Policy continued - Supported Alert Types and their Attributes

- An instance of an in-progress network attack attempt.
- A successful breach of security, currently active within the environment.
- Characteristics tied to an address or web URI and related to geography or observed content behaviour.
- Identified network weaknesses which, if successfully exploited, could result in Compromises.
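The translation described on the preceding slides (match an alert on agent type, alert type and severity; turn each response object of the single matching rule into an active quarantine rule keyed on victim/intruder IP and port or URL; enforce it only for the configured duration) can be modelled in a few lines. The following is an added illustration, not XGS code and not the appliance's policy format: the rule and response shapes, the agent type "QRadar", the severity labels, the choice of first enabled match in policy order as the "one match", and the mapping of intruder to traffic source and victim to traffic destination are all assumptions. "Compromise" is the one alert type this page names.

```python
"""Model of how an Advanced Threat Policy turns a QRadar alert into time-limited
quarantine rules. Added illustration, not XGS code: the rule/response shapes, the
agent type "QRadar", the severity labels, first-match-in-order semantics and the
mapping of intruder/victim to the source/destination of inspected traffic are
assumptions. "Compromise" is the one alert type this page names.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Alert:
    agent_type: str
    alert_type: str
    severity: str
    victim_ip: Optional[str] = None
    victim_port: Optional[int] = None
    intruder_ip: Optional[str] = None
    intruder_port: Optional[int] = None
    url: Optional[str] = None


@dataclass
class QuarantineResponse:
    keys: List[str]        # alert attributes the active rule keys on (victim_ip, url, ...)
    duration: int          # seconds the active quarantine rule stays enforced


@dataclass
class PolicyRule:
    agent_type: Optional[str]     # None matches any value
    alert_type: Optional[str]
    severity: Optional[str]
    enabled: bool
    responses: List[QuarantineResponse]

    def matches(self, a: Alert) -> bool:
        wanted = ((self.agent_type, a.agent_type), (self.alert_type, a.alert_type),
                  (self.severity, a.severity))
        return self.enabled and all(w in (None, got) for w, got in wanted)


@dataclass
class ActiveQuarantineRule:
    criteria: Dict[str, object]   # e.g. {"intruder_ip": "203.0.113.7"}
    expires_at: float


class AtpSensor:
    def __init__(self, policy: List[PolicyRule]):
        self.policy = policy
        self.active: List[ActiveQuarantineRule] = []

    def handle_alert(self, alert: Alert, now: float) -> List[ActiveQuarantineRule]:
        """An alert matches one rule (first enabled match in policy order, an
        assumption); each of that rule's response objects becomes one active rule."""
        for rule in self.policy:
            if not rule.matches(alert):
                continue
            created = []
            for resp in rule.responses:
                criteria = {k: getattr(alert, k) for k in resp.keys if getattr(alert, k) is not None}
                if criteria:      # a response keyed on attributes the alert lacks does nothing
                    created.append(ActiveQuarantineRule(criteria, now + resp.duration))
            self.active.extend(created)
            return created
        return []

    def expire(self, now: float) -> None:
        self.active = [r for r in self.active if r.expires_at > now]

    def is_quarantined(self, now: float, src_ip=None, src_port=None,
                       dst_ip=None, dst_port=None, url=None) -> bool:
        """Time-limited blocking: traffic is dropped if every key of any unexpired rule matches."""
        self.expire(now)
        traffic = {"intruder_ip": src_ip, "intruder_port": src_port,   # intruder = source (assumption)
                   "victim_ip": dst_ip, "victim_port": dst_port, "url": url}
        return any(all(traffic.get(k) == v for k, v in r.criteria.items()) for r in self.active)


# Constructed sample policy: a high-severity Compromise blocks the intruder for an hour
# and the victim service for ten minutes; other Compromises block the intruder briefly;
# any other QRadar alert that carries a URL gets that URL blocked.
DEMO_POLICY = [
    PolicyRule("QRadar", "Compromise", "High", True,
               [QuarantineResponse(["intruder_ip"], 3600),
                QuarantineResponse(["victim_ip", "victim_port"], 600)]),
    PolicyRule("QRadar", "Compromise", None, True, [QuarantineResponse(["intruder_ip"], 300)]),
    PolicyRule("QRadar", None, None, True, [QuarantineResponse(["url"], 1800)]),
]
```

With `AtpSensor(DEMO_POLICY)`, a high-severity Compromise alert naming intruder 203.0.113.7 and victim 192.0.2.10:80 yields two active rules from the first matching rule only; traffic from the intruder to any host is blocked for an hour, traffic to the victim service from anyone for ten minutes, and both lapse on their own, which is the point of time-limited blocking over a permanent block list.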

Advanced Threat Agent Policy

This policy defines the advanced threat protection agent (that is, the QRadar console) so that XGS can receive alerts from it. Reference: Technote #1670272.

QRadar Configuration for Advanced Threat Integration

QRadar Right-Click Plugin Installation

The prerequisite for plugin installation is QRadar Console version 7.2 MR1 or later. The plugin RPM can be downloaded from the IBM Security License Key and Download Center.
1. Copy the file to the appliance and run:
   rpm -Uvh RightClick-ISNP-Alert-<version>.rpm
2. Edit the file /opt/isnp/isnp_alert.conf to enter the XGS appliance IP address along with the username/password.
3. To obfuscate the password values, run:
   /opt/isnp/isnp_alert.pl -C /opt/isnp/isnp_alert.conf -T encrypt
4. To change an expired password, or the username/password, first de-obfuscate the file with:
   /opt/isnp/isnp_alert.pl -C /opt/isnp/isnp_alert.conf -T decrypt
   then edit it and run the encrypt step again.
Because the stored credentials are only obfuscated, restrict who can read /opt/isnp/isnp_alert.conf with filesystem permissions on the console.
Reference: Technote #1670272; also available on YouTube.

QRadar Right-Click Plugin Configuration File

The arielrightclick.properties file, located in the /opt/qradar/conf directory, holds the plugin configuration that defines which parameters are sent to XGS when you right-click a specific field on the QRadar console.

Example Use Cases

What do you see, and where, on XGS and QRadar?

Use Case 1
Note: This is just an example. In a real deployment, QRadar collects information from many other sources, such as firewalls and the web server itself, to correlate with the information received from XGS.

Use Case 1 continued - IPS events for attacker activity on XGS (screenshot)

Use Case 1 continued - QRadar offense (screenshot)

Use Case 1 continued - QRadar offense details (screenshot)

Use Case 1 continued - Open Event Details or Flow Details from the offense and right-click the source to quarantine the attacker. On XGS this produces a Compromise ATP event and a quarantine rule (screenshots).

Use Case 2
Note: This is just an example. In a real deployment, QRadar collects information from many other sources, such as firewalls, malware protection agents, antivirus, etc., to correlate with the information received from XGS.

Use Case 2 continued - Offense summary on QRadar (screenshot)

Use Case 2 continued - Offense details (screenshot)

Use Case 2 continued - Open the flow details and block the source port to quarantine the malware-infected host.

Use Case 2 continued - ATP event on XGS and quarantine rule on XGS (screenshots)

Questions for the panel?

Now is your opportunity to ask questions of our panelists.
To ask a question now: press *1 to ask a question over the phone, or type your question into the IBM Connections Cloud Meeting chat.
To ask a question after this presentation: you are encouraged to participate in our Forum on this topic: https://developer.ibm.com/answers/questions/267614/openmic-webcastannouncement-for-25-may-2016-advan.html

Where do you get more information?

Questions on this or other topics can be directed to the product forum: https://developer.ibm.com/answers/topics/xgs/
More articles you can review:
- IBM developerWorks articles: http://ibm.biz/isnp_atp_api
- IBM Knowledge Center, QRadar: http://www.ibm.com/support/knowledgecenter/ss42vs/welcome
- IBM Knowledge Center, XGS: http://www.ibm.com/support/knowledgecenter/sshlhv/welcome
Useful links: How to Contact IBM Software Support for IBM Security; IBM Support Portal; Sign up for My Notifications.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. THANK YOU www.ibm.com/security Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. 
Product release dates and / or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.