IBM Security Network Protection Support Open Mic - Wednesday, 25 May 2016
IBM Threat Protection System: XGS - QRadar Integration

Panelists:
Tanmay Shah - Presenter, Level 2 Support Product Lead
Danitza Villaran-Rokovich, Mike Heth - Level 2 Support
Jeffrey DiCostanzo - AVP Leader
Jonathan Pechta, Steven McKinney - Knowledge Leaders
Jack Cam - Moderator, IBM Support Manager
Michael Hunt - Knowledge Management University Intern

Reminder: You must dial in to the phone conference to listen to the panelists. The web cast does not include audio.
USA toll-free: 866-803-2145
USA toll: 1-210-795-1099
Participant passcode: 1322112
Slides and additional dial-in numbers: https://ibm.biz/bd4bjd

NOTICE: By participating in this call, you give your irrevocable consent to IBM to record any statements that you may make during the call, as well as to IBM's use of such recording in any and all media, including for video postings on YouTube. If you object, please do not connect to this call.
Agenda
- XGS-QRadar Integration Overview
- XGS LEEF Event Export
- XGS IPFIX Data Forwarding
  - What is IPFIX?
  - Differences between NetFlow and IPFIX
  - IPFIX Configuration
- XGS Configuration for Advanced Threat Integration
  - Advanced Threat Policy
  - Advanced Threat Agent Policy
- QRadar Configuration for Advanced Threat Integration
- Example Use Cases
XGS-QRadar Integration Overview
Integration Overview (PREVENT - DETECT - RESPOND)
Two-way integration to detect, prevent and respond to advanced threats:
- XGS can be configured to send events in LEEF format over syslog through its management interface.
- XGS can also be configured to send IPFIX flow data to QRadar through its management interface.
- QRadar can send an IP address (source or destination) or a URI to XGS to quarantine for a specified amount of time, using the XGS Advanced Threat Protection agent.

Integration Overview (diagram): QRadar inputs include Network & Virtual Activity, Application Activity, User Activity and Data Activity (these are provided by XGS, including within SSL-encrypted traffic), plus Threat Detection, Servers & Mainframes, Configuration Info and Vulnerability Info. QRadar performs Event Correlation, Activity Baselining & Anomaly Detection and Offense Identification.
XGS LEEF Event Export
XGS LEEF Event Export - Configuration
Forward XGS events to QRadar by using a Remote Syslog object in the Network Access Policy, Intrusion Prevention System and/or System Alert policies.

XGS LEEF Event Export - Configuration continued
QRadar auto-discovers the log source when the events start arriving, but events received before auto-discovery completes can be lost. Configure the QRadar log source before you set up the forwarding on XGS so that you do not miss any event. More information is in our Jan-2016 open mic.
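The LEEF payload QRadar parses out of each syslog line has a fixed header (LEEF version, vendor, product, product version, event id) followed by key=value attributes. As an added illustration that is not from the original slides and not IBM's code, the following Python parser handles both LEEF 1.0 (tab-separated attributes) and LEEF 2.0 (explicit delimiter field) and then runs a small severity check over the parsed events. The sample syslog lines are constructed for the example; the vendor/product strings, event ids and attribute values in them are placeholders, not captured XGS output.

```python
# Constructed sample syslog lines carrying LEEF events. The vendor/product
# strings, event ids and attribute values are placeholders for this example,
# not captured XGS output.
SAMPLE_LINES = [
    "<14>May 25 10:00:01 xgs01 LEEF:1.0|IBM|XGS|5.3|IPS_Event|"
    "src=10.0.0.5\tdst=192.0.2.10\tsrcPort=51234\tdstPort=80\tsev=8\tcat=Attack",
    "<14>May 25 10:00:02 xgs01 LEEF:2.0|IBM|XGS|5.3|NAP_Event|^|"
    "src=10.0.0.7^dst=192.0.2.20^dstPort=445^sev=4^action=Drop",
    "<14>May 25 10:00:03 xgs01 some other syslog message",
]


def parse_leef(line):
    """Parse one syslog line into a dict of LEEF header fields and attributes.

    Returns None for lines that carry no LEEF payload. Handles LEEF 1.0
    (tab-separated attributes) and LEEF 2.0 with a single-character delimiter
    field (an empty field means tab). LEEF 2.0's hex-encoded delimiter form is
    not handled here.
    """
    idx = line.find("LEEF:")
    if idx < 0:
        return None
    # maxsplit=5 keeps any '|' inside attribute values out of the header split
    fields = line[idx + len("LEEF:"):].split("|", 5)
    if len(fields) < 6:
        return None
    version, vendor, product, product_version, event_id, rest = fields
    if version.startswith("2."):
        delim, _, attrs = rest.partition("|")
        delim = delim or "\t"
    else:
        delim, attrs = "\t", rest
    event = {
        "leefVersion": version, "vendor": vendor, "product": product,
        "productVersion": product_version, "eventId": event_id,
        "syslogHeader": line[:idx].strip(),
    }
    for pair in attrs.split(delim):
        key, sep, value = pair.partition("=")
        if sep and key:  # skip empty or malformed pairs instead of dropping the event
            event[key] = value
    return event


def parse_stream(lines):
    """Parse a batch of syslog lines, dropping lines that are not LEEF."""
    return [e for e in map(parse_leef, lines) if e is not None]


def sources_at_or_above(events, min_sev):
    """Map each source address to the event ids it produced with sev >= min_sev."""
    hits = {}
    for e in events:
        try:
            sev = int(e.get("sev", ""))
        except ValueError:
            continue  # sev missing or not numeric: cannot rank this event
        if sev >= min_sev and "src" in e:
            hits.setdefault(e["src"], []).append(e["eventId"])
    return hits


if __name__ == "__main__":
    for ev in parse_stream(SAMPLE_LINES):
        print(ev["eventId"], ev.get("src"), "->", ev.get("dst"), "sev", ev.get("sev"))
    print(sources_at_or_above(parse_stream(SAMPLE_LINES), 7))
```

The third sample line shows why the log source should exist before forwarding starts: a collector that has not yet recognised the format simply drops what it cannot attribute, which is the gap the slide warns about.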
XGS IPFIX Data Forwarding
IPFIX Integration - What is IPFIX?

What is a flow? A flow differs from an event in that a flow (for the most part) has a start and an end time, that is, a life of multiple seconds. For example, when you connect to a website, the communication includes HTML files, images, flash files, longer file downloads and so on, and may take some time to transfer the data. An event, in contrast, represents a single occurrence on the network, such as the login action of a VPN session or a firewall deny for someone trying to connect to a network.

IPFIX (Internet Protocol Flow Information Export) is an IETF protocol used for accounting (traffic mix and bandwidth usage). It was created out of the need for a common, universal standard for exporting IP flow information from different network devices. The protocol defines the format of the flow information and a mechanism for transferring it from an exporter to a collector.

IPFIX Integration - NetFlow vs IPFIX

IPFIX is the standardized successor to NetFlow (which is Cisco proprietary): a universal standard that any vendor can use to export IP flow data. IPFIX allows vendor extensions and variable-length fields, which makes it possible to collect more information and deeper insight than NetFlow v9.

What do you get as part of XGS IPFIX? The XGS IPFIX implementation forwards layer-7 information such as application and user names; NetFlow, on the other hand, can only provide information up to layer 4. The SSL decryption capability of the XGS lets it identify the same information within SSL-encrypted traffic and forward it to QRadar to add context. The user and application information sent over IPFIX allows you to identify application misuse.
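The two IPFIX properties the slides lean on, vendor-specific (enterprise) information elements and variable-length fields, are what carry layer-7 strings such as application and user names. The following Python block is an added example, not part of the original slides and not IBM's exporter or QRadar's collector code: it builds a small IPFIX message (header, template set, data set) with standard IANA elements plus two enterprise-specific variable-length elements, then parses it back. The private enterprise number 99999 and element ids 1 and 2 are placeholders chosen for the example and are not the element numbers XGS actually exports; the two flow records are constructed sample data.

```python
import socket
import struct

# IANA-registered IPFIX information elements used in this example (id -> name, decoder)
IANA = {
    8: ("sourceIPv4Address", socket.inet_ntoa),
    12: ("destinationIPv4Address", socket.inet_ntoa),
    7: ("sourceTransportPort", lambda b: int.from_bytes(b, "big")),
    11: ("destinationTransportPort", lambda b: int.from_bytes(b, "big")),
    4: ("protocolIdentifier", lambda b: b[0]),
}
VARLEN = 0xFFFF          # RFC 7011: a template field length of 65535 means variable length
TEMPLATE_SET_ID = 2
# Placeholder private enterprise number and element ids for this example only;
# they are NOT the element numbers XGS exports.
DEMO_PEN = 99999
DEMO_APP_NAME = 1
DEMO_USER_NAME = 2


def _varlen(value):
    """Encode a variable-length field: 1-byte length, or 0xFF plus a 2-byte length."""
    if len(value) < 255:
        return bytes([len(value)]) + value
    return b"\xff" + struct.pack("!H", len(value)) + value


def build_sample_message():
    """Constructed two-record IPFIX message: one template set followed by one data set."""
    fields = [(8, 4, None), (12, 4, None), (7, 2, None), (11, 2, None), (4, 1, None),
              (DEMO_APP_NAME, VARLEN, DEMO_PEN), (DEMO_USER_NAME, VARLEN, DEMO_PEN)]
    tmpl = struct.pack("!HH", 256, len(fields))          # template id 256, field count
    for ie, flen, pen in fields:
        if pen is None:
            tmpl += struct.pack("!HH", ie, flen)
        else:                                            # enterprise bit + PEN after the length
            tmpl += struct.pack("!HHI", ie | 0x8000, flen, pen)
    template_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl

    flows = [("10.0.0.5", "93.184.216.34", 51234, 443, 6, "https", "alice"),
             ("10.0.0.7", "10.0.0.9", 40000, 445, 6, "smb", "svc-backup")]
    body = b""
    for src, dst, sp, dp, proto, app, user in flows:
        body += socket.inet_aton(src) + socket.inet_aton(dst)
        body += struct.pack("!HHB", sp, dp, proto)
        body += _varlen(app.encode()) + _varlen(user.encode())
    data_set = struct.pack("!HH", 256, 4 + len(body)) + body

    payload = template_set + data_set
    header = struct.pack("!HHIII", 10, 16 + len(payload), 1464134400, 1, 42)
    return header + payload


def _parse_templates(body, templates):
    pos = 0
    while len(body) - pos >= 4:                  # fewer than 4 remaining bytes is set padding
        tid, count = struct.unpack_from("!HH", body, pos)
        pos += 4
        fields = []
        for _ in range(count):
            ie, flen = struct.unpack_from("!HH", body, pos)
            pos += 4
            pen = None
            if ie & 0x8000:                      # enterprise bit: vendor-specific element
                (pen,) = struct.unpack_from("!I", body, pos)
                pos += 4
                ie &= 0x7FFF
            fields.append((ie, flen, pen))
        templates[tid] = fields


def _decode(ie, pen, raw):
    if pen is None and ie in IANA:
        name, fn = IANA[ie]
        return name, fn(raw)
    name = f"pen{pen}.ie{ie}" if pen is not None else f"ie{ie}"
    try:                                         # unknown/vendor elements: keep as text or hex
        return name, raw.decode("utf-8")
    except UnicodeDecodeError:
        return name, raw.hex()


def _parse_data(body, fields):
    min_len = sum(1 if flen == VARLEN else flen for _, flen, _ in fields)
    pos, records = 0, []
    while min_len and len(body) - pos >= min_len:
        rec = {}
        for ie, flen, pen in fields:
            if flen == VARLEN:
                flen = body[pos]
                pos += 1
                if flen == 255:
                    (flen,) = struct.unpack_from("!H", body, pos)
                    pos += 2
            name, val = _decode(ie, pen, body[pos:pos + flen])
            pos += flen
            rec[name] = val
        records.append(rec)
    return records


def parse_ipfix(data):
    """Parse one IPFIX message; returns the decoded data records as dicts."""
    if len(data) < 16:
        raise ValueError("truncated IPFIX header")
    version, length, _ts, _seq, _domain = struct.unpack_from("!HHIII", data, 0)
    if version != 10:
        raise ValueError(f"not IPFIX (version {version})")
    if length > len(data):
        raise ValueError("truncated message")
    templates, records, pos = {}, [], 16
    while length - pos >= 4:
        set_id, set_len = struct.unpack_from("!HH", data, pos)
        if set_len < 4 or pos + set_len > length:
            raise ValueError("bad set length")
        body = data[pos + 4:pos + set_len]
        if set_id == TEMPLATE_SET_ID:
            _parse_templates(body, templates)
        elif set_id >= 256 and set_id in templates:
            records.extend(_parse_data(body, templates[set_id]))
        # options templates (set 3) and data for unknown templates are skipped
        pos += set_len
    return records


if __name__ == "__main__":
    for rec in parse_ipfix(build_sample_message()):
        print(rec)
```

A real collector keeps templates per exporter and observation domain and must cope with data sets that arrive before their template; this example only handles a message that carries its own template first, which is the simplest case.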
IPFIX Integration - What do you get? (screenshot)

IPFIX Integration - Configuration on XGS (screenshot)

IPFIX Integration - Configuration on QRadar (optional)
To configure QRadar SIEM to accept IPFIX flow traffic, add a NetFlow flow source: QRadar processes IPFIX flows through the same NetFlow flow-source path. The default NetFlow flow source can automatically start collecting IPFIX data from XGS.
XGS Configuration for Advanced Threat Integration
Advanced Threat Policy
The Advanced Threat Policy defines how the XGS appliance quarantines traffic. It uses the alert information supplied by external agents. You can disable rules or modify responses in the policy so that the XGS appliance responds to the alert data in a manner that is suitable for your network environment.

Processing flow (from the QRadar Right-Click Plugin to the XGS ATP Agent): Alert -> Parse Alert -> Run through ATP Agent policy -> Create Event / Create Quarantine -> System Alert / Time Limited Blocking

The appliance translates an alert from QRadar into a set of active quarantine rules. Translation is based on matches for the following attributes of an alert (note that only one rule can match a given alert):
- Agent Type
- Alert Type
- Alert Severity

When an alert matches a rule, the sensor uses each associated quarantine response object to create a separate active quarantine rule. The sensor then enforces each active quarantine rule for the duration configured in the object.

Advanced Threat Policy continued
The sensor applies active quarantine rules to quarantine traffic based on the following alert attributes:
- Victim IP
- Victim Port
- Intruder IP
- Intruder Port
- URL

Advanced Threat Policy continued
Supported alert types and their attributes:
- An instance of an in-progress network attack attempt.
- A successful breach of security, currently active within the environment.
- Characteristics tied to an address or web URI and related to geography or observed content behaviour.
- Identified network weaknesses which, if successfully exploited, could result in Compromises.
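The matching semantics on the Advanced Threat Policy slides (first and only rule match on agent type, alert type and severity; one active quarantine rule per response object; each rule keyed on victim/intruder IP, port or URL and enforced only for its configured duration) are easy to get wrong when you tune the policy. The block below is an added Python model of that behaviour, written for this page; it is not IBM's policy engine. Its assumptions: severity is matched as a floor ("at least this severity"), the alert type string "Compromise" is taken from the use-case slide while other type names are placeholders, and intruder attributes are compared against the traffic source while victim attributes are compared against the destination. The alerts and traffic tuples are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Alert attributes an active quarantine rule can key on (from the slides), mapped to
# the traffic-side field each is compared against. The direction mapping
# (intruder = source, victim = destination) is this example's assumption.
ATTR_TO_TRAFFIC = {
    "victim_ip": "dst_ip", "victim_port": "dst_port",
    "intruder_ip": "src_ip", "intruder_port": "src_port", "url": "url",
}


@dataclass(frozen=True)
class Alert:
    agent_type: str        # e.g. "QRadar"
    alert_type: str        # e.g. "Compromise"
    severity: int
    attrs: dict            # subset of ATTR_TO_TRAFFIC keys -> value


@dataclass(frozen=True)
class QuarantineResponse:
    name: str
    match_on: tuple        # alert attributes that form the active rule
    duration_s: int        # enforcement duration configured in the response object


@dataclass(frozen=True)
class PolicyRule:
    responses: tuple
    agent_type: Optional[str] = None   # None = any agent type
    alert_type: Optional[str] = None   # None = any alert type
    min_severity: int = 0              # severity match modelled as a floor (assumption)
    enabled: bool = True


@dataclass(frozen=True)
class ActiveRule:
    response: str
    match: dict
    expires_at: float


class AdvancedThreatPolicy:
    def __init__(self, rules):
        self.rules = list(rules)
        self.active = []

    def first_match(self, alert):
        """Only one policy rule can match an alert: the first enabled match wins."""
        for rule in self.rules:
            if not rule.enabled:
                continue
            if rule.agent_type not in (None, alert.agent_type):
                continue
            if rule.alert_type not in (None, alert.alert_type):
                continue
            if alert.severity < rule.min_severity:
                continue
            return rule
        return None

    def apply(self, alert, now):
        """Translate an alert into one active quarantine rule per response object."""
        rule = self.first_match(alert)
        created = []
        if rule is None:
            return created
        for resp in rule.responses:
            if not all(a in alert.attrs for a in resp.match_on):
                continue  # alert lacks a keyed attribute: skip rather than over-block
            match = {a: alert.attrs[a] for a in resp.match_on}
            active = ActiveRule(resp.name, match, now + resp.duration_s)
            self.active.append(active)
            created.append(active)
        return created

    def quarantined_by(self, traffic, now):
        """Return the active rule that blocks this traffic, or None; expired rules are purged."""
        self.active = [r for r in self.active if r.expires_at > now]
        for r in self.active:
            if all(traffic.get(ATTR_TO_TRAFFIC[a]) == v for a, v in r.match.items()):
                return r
        return None


# Constructed sample policy: a specific high-severity Compromise rule first, a catch-all second.
SAMPLE_POLICY = [
    PolicyRule(agent_type="QRadar", alert_type="Compromise", min_severity=7, responses=(
        QuarantineResponse("block-intruder", ("intruder_ip",), 3600),
        QuarantineResponse("block-victim-service", ("victim_ip", "victim_port"), 600))),
    PolicyRule(min_severity=5, responses=(
        QuarantineResponse("block-intruder-short", ("intruder_ip",), 300),)),
]


def demo():
    """Apply one constructed Compromise alert and report what gets quarantined."""
    policy = AdvancedThreatPolicy(SAMPLE_POLICY)
    alert = Alert("QRadar", "Compromise", 8,
                  {"intruder_ip": "198.51.100.7", "victim_ip": "10.0.0.5", "victim_port": 445})
    created = policy.apply(alert, now=1000.0)
    hit = policy.quarantined_by({"src_ip": "198.51.100.7", "dst_ip": "10.0.0.9", "dst_port": 80}, 1100.0)
    return policy, created, hit


if __name__ == "__main__":
    _, created, hit = demo()
    print([r.response for r in created], hit.response if hit else None)
```

Two things the model makes visible: because only the first rule matches, the catch-all rule never adds its own shorter block for an alert the specific rule already handled, and because each response object has its own duration, the victim-side rule expires long before the intruder-side one.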
Advanced Threat Agent Policy
This policy defines the advanced threat protection agent (that is, the QRadar console) so that XGS can receive alerts from it. Reference: Technote #1670272
QRadar Configuration for Advanced Threat Integration
QRadar Right-Click Plugin Installation
Prerequisite: QRadar Console version 7.2 MR1 or later. The plugin RPM can be downloaded from the IBM Security License Key and Download Center.
1. Copy the file to the appliance and run: rpm -Uvh RightClick-ISNP-Alert-<version>.rpm
2. Edit /opt/isnp/isnp_alert.conf to enter the XGS appliance IP address along with the username/password.
3. To obfuscate the password values, run: /opt/isnp/isnp_alert.pl -C /opt/isnp/isnp_alert.conf -T encrypt
4. To change an expired password or the username/password, de-obfuscate the file first with: /opt/isnp/isnp_alert.pl -C /opt/isnp/isnp_alert.conf -T decrypt
Because the decrypt option recovers the stored credentials, the obfuscation is reversible; restrict access to /opt/isnp/isnp_alert.conf with file permissions rather than relying on it.
Reference: Technote #1670272 (also available on YouTube)

QRadar Right-Click Plugin Configuration File
The arielrightclick.properties file in the /opt/qradar/conf directory holds the plugin configuration, which defines what parameters are sent to XGS when you right-click a specific field on the QRadar console.
Example Use Cases
What do you see, and where, on XGS and QRadar?

Use Case - 1
Note: This is just an example. In a real deployment, QRadar also collects information from many other sources, such as firewalls and the web server itself, and correlates it with the information received from XGS.

Use Case - 1 continued
XGS: IPS events for the attacker's activity (screenshot)

Use Case - 1 continued
QRadar Offense (screenshot)

Use Case - 1 continued
QRadar Offense Details (screenshot)

Use Case - 1 continued
Open Event Details or Flow Details from the offense and right-click the source to quarantine the attacker.
Compromise ATP event on XGS; quarantine rule (screenshots)

Use Case - 2
Note: This is just an example. In a real deployment, QRadar also collects information from many other sources, such as firewalls, malware protection agents and antivirus, and correlates it with the information received from XGS.

Use Case - 2 continued
Offense summary on QRadar (screenshot)

Use Case - 2 continued
Offense details (screenshot)

Use Case - 2 continued
Open the flow details and block the source port to quarantine the malware-infected host.

Use Case - 2 continued
ATP event on XGS; quarantine rule on XGS (screenshots)
Questions for the panel?
Now is your opportunity to ask questions of our panelists.
To ask a question now: press *1 to ask a question over the phone, or type your question into the IBM Connections Cloud Meeting chat.
To ask a question after this presentation, you are encouraged to participate in our Forum on this topic: https://developer.ibm.com/answers/questions/267614/openmic-webcastannouncement-for-25-may-2016-advan.html

Where do you get more information?
Questions on this or other topics can be directed to the product forum: https://developer.ibm.com/answers/topics/xgs/
More articles you can review:
- IBM developerWorks articles: http://ibm.biz/isnp_atp_api
- IBM Knowledge Center, QRadar: http://www.ibm.com/support/knowledgecenter/ss42vs/welcome
- IBM Knowledge Center, XGS: http://www.ibm.com/support/knowledgecenter/sshlhv/welcome
Useful links: How to Contact IBM Software Support for IBM Security; IBM Support Portal; Sign up for My Notifications
Follow us:
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU
www.ibm.com/security

Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.
Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.