Presentation about evolution of best in SIEM / Security intelligence market - IBM Qradar and its newest and latest features presented by Certified Qradar Expert Arturs Garmasovs of DSS.LV.

1. Data Security Solutions
Qradar Latest Features
Artūrs Garmašovs
2016
Riga, Latvia

2. New Feature Overview
QRadar SIEM/LM 7.2.5 - 7.2.6

3. • API Updates
• Historical Correlation
• Overlapping IP Support in SIEM
• Support LDAP Authorization
• Deployment Actions from System Management
• GetLogs in the UI
• Enterprise Ready Reporting
• Patch Rollback Framework
• Factory Re-install, new ‘retain’ option to preserve /store
• Miscellaneous Clean Up
• Security Updates
• Offense (CRE) Count Resets
• Password Storage Enhancement
New Features in Qradar 7.2.5
Vulnerability
Manager
Risk
Manager
SIEM
Incident
Forensics

4. • API Updates
• Historical Correlation Updates
• Multitenancy and Tenant Administration
• Super indexes
• License enhancements (give back)
• Data Obfuscation user interface
• Custom rule actions / scripts
• New Custom Rule Tests
• Deployment Editor
• Multiple Email Templates
• Log Activity and Network Activity user interface enhancements
• Reference Set Updates
• Deletion Framework
• Security updates
• Extensions Management
• IBM Security X-Force App Exchange
New Features in Qradar 7.2.6
Vulnerability
Manager
Risk
Manager
SIEM
Incident
Forensics

5. Historical Correlation
Historical correlation brings the power of QRadar’s
real-time correlation engine to the historical domain,
offering users the ability to replay data through
powerful correlations to surfaces new and timely
insights.
Historical Correlation targets three main use cases:
 Correlation of security events on device time rather
than collection time, allowing QRadar to unwind
bulk loaded data sets.
 Discover previously hidden IOCs, threats and
incidents as new threat intelligence becomes
available.
 Tune new threat detection and security policies
against historical data.

6. Historical Correlation
 Historical Correlation enables customers to perform rerun past events and flows through
the custom rules engine
– Events can be correlated by ‘start time’ or ‘device time’
– Flows only correlated by ‘start time’
 Historical Correlation is enabled by
creating a Historical Correlation Profile
– Profiles contain the configuration
parameters that are used for historical
correlation
 Where?
– Offenses > Rules > Actions > Historical Correlation
– Log Activity > Actions > Historical Correlation
– Network Activity > Actions > Historical Correlation
– Ariel searches only search on Start Time (not device time)

7. Historical Correlation profiles can be created by selecting Add:
– Event Profile
•To create an event historical correlation profile
– Flow Profile
•To create a flow historical correlation profile
Using Historical Correlation

8. Using Historical Correlation – Event Profile

9. Using Historical Correlation – Event Profile (Continued)
Historical Correlation must be configured with the following information:
1. Saved Search - Choose a search from the drop-down of Saved
Searches.
2. Rules
1.Can choose to run on all rules, or select one or more specific rules
to run
2. Can choose to correlate Events by:
• Device Time
• Start Time
3. Schedule - Choose to schedule manually or repeat based on an
Hourly, Daily, Weekly, or Monthly frequency.

10. When a Historical Correlation is run, events that meet the included
rule(s) create historical correlation offenses, which are identified by the
clock icon.
Using Historical Correlation – Viewing Results

11. Domain Management (Domain Segmentation) allows QRadar administrators to define what
data belongs in a domain. Domains can be used to differentiate flow and event data with
the same IP address by ‘domain’ as created by the administrator.
Domains’ can also be used in security profiles to segment users are only allowed to see
specific data sources within their domain.
is it?
Admin tab > System Configuration > Domain Management
define a domain?
Domain creation can be based on one or more of the following criteria:
– Custom Property Value (RegEx)
– Log Source/Log Source Group
– Event Collector
– Flow Source
– Scanners
Overlapping IP Support in SIEM / Domain Management

12. New Domain – Events by Log Source or Log Source Group

13. QRadar SEIM offenses are now domain aware:
– The domain of the offense will be displayed on the offense list
– You can sort on the domain of the offense by clicking on the domain
header The default domain does NOT sort based on alphabetical
order, however it will
be displayed at the top or bottom of the sorted list in ascending or
descending order
– Domain can be filtered on the offense search screen
Domain Offenses

14.  get_logs.sh is a shell script used to collect logs. End users have to ssh to Console or
MH, run the script, and ftp the result file to a client machine and upload it to PMR.
 From 7.2.5, end users would be able to kick off a log collection task and download the
result file from web browser after receiving a notification on dashboard when the task
complete.
– Users don't need root access to Console and switch back and forth between
server and client.
– Users can stay on UI and continue their work while logs are being collected
which may take as long as a few minutes.
 Log Collection UI is available in System and License Management page for admin user.
– Only one Log Collection is allowed to run at any time.
– You can cancel a running get_logs request from x button in the status bar.
– The result file is located under /store/LOGS and get_logs.sh will automatically
clean up files that's older than 90 days.
GetLogs in the UI

15. Admin tab > System and License Management > Actions > Collect Log Files.

16. The System and License Management screen status bar informs administrators that
log files are being collected:
– Collection can be canceled by clicking the red X
– When the collection is finished, a download link will appear

17. Introducing Multitenancy/ Tenant Management
The concept of Tenant administration (Multi-tenancy) is introduced in 7.2.6. For Managed
Service teams: Tenants = Individual Customer

18. QRadar
TenantA Tenant B
Multi-tenancy
An administrator must create tenants, then use the Domain Management
screen to assign one or more domains to the tenant.

19. Tenant Capabilities
 A tenant has one or more domains – allows to support customers who require more
than one domain
 A tenant’s EPS or FPM limits can be managed – allows to better manage their license
capacities.

20. Tenant Administration
 A tenant can manage their own Network Hierarchy – Establishes a foundation to
empower the customer to become more self-sufficient from an administrative
standpoint
 A tenant can also manage their Centralized Credentials – credentials required for
vulnerability scans
 A tenant can also view their own log sources

21. Indexes in QRadar 7.2.5 and below are created based on minute-by-minute data. In
QRadar 7.2.6, we introduce the concept of Super indexes.
How it works
After upgrading to QRadar 7.2.6, the system still creates minute-by-minute indexes in ariel.
At 20 minutes past each hour, the system reads the indexes in to memory and converts the
existing index to a super index. These super indexes are a rollup for the previous hour and
optimized for performance.
This new index format increases indexed data searches by almost 10x for indicator of
compromise (IOC) type searches. Some examples of IOC type searches are searches on
IP address, domain and host name. All new data that is received by QRadar is
automatically indexed in the new format.
Note: This feature does not apply to the Quick Filter’s Full Payload Indexing, but indexed
values in the Index Management interface.
Search Performance – Super Indexes

22. Data Obfuscation
Data obfuscation offers QRadar
administrators the ability to strategically
“hide” and restrict visibility to data within their
deployment.
Obfuscation occurs within the data records
themselves to ensure that the content is
never compromised. Data is only reverted to
original form for presentation in the UI if the
keys are provided by the user
The most common use of data obfuscation is
to hide sensitive information such as PII or
PHI (social insurance numbers, usernames,
credit card numbers, etc)

23. Data Obfuscation – 3 Easy Steps…
1. Launch Data
Obfuscation
Management
2. Configure a data
obfuscation profile
3. Configure each
obfuscation expression

24. Data Obfuscation – Voila!

25. Custom Defined Action from a Rule
QRadar 7.2.6 introduces the idea of Custom Actions, which allow administrators to
pass data to a script based off of a rule response in QRadar. This feature can be used
to extend rules from QRadar to outside security devices or systems.
For example, a script that updates firewall rule can block a source IP address in
response to a rule that is triggered by a defined number of failed login attempts.
Where?
Admin tab > Custom Actions > Define Actions.

26.  Custom Actions are executed in a “jailshell” in order to protect QRadar
from possible exploits.
 Management Screens allow for easy configuration and validation of
custom actions before they are placed into production
Custom Defined Action from a Rule

27. Custom Action Properties
 Basic Information
• Name
• Description
 Script Configuration
• Interpreter
– Bash, Perl, Python
• Script File
–The actual script you will run
 Script Parameters
• Fixed Property
–Enter a static Parameter that will be passed to your script
• Network Event Property
–A property of a network event (common event and flow
properties) can be dynamically passed to your script, this would
be pulled from the event or flow that triggered the rule.
Custom Defined Action from a Rule

28. Custom Defined Action from a Rule
Custom Actions can be added as rule responses in the Rule Wizard
Answer:

29. • Sharing and collaboration of
product apps and content
• Use-case driven apps
• Visualizations and reports
• Rules and responses
• Third-party extensions
• Automated responses
• Best practices
IBM QRadar Security Intelligence Platform
IBM Security App Exchange - Enabling complete
cooperative defense
NEW
IBM Security App Exchange
• Address time and skills shortages
impacts to your organization
• Be more response to new needs,
technologies, and threats with best
practice solutions
• Leverage the power and knowledge
of the QRadar Community
• Easy to use, fast to consume use
cases and visualizations

30. IBM Security App Exchange
QRadar 7.2.6 introduces the feature for a Security App Exchange.
 What is an App?
– Small plug-in modules to QRadar.
– From within a secure container, App server data from endpoints, injecting content
directly into the standard QRadar User Interface.
– Applications are installed as extensions through Extension Management.
 Application Framework allows:
– Users to install applications from the X-Force App Exchange website.
– Users can install custom applications created in house or by IBM/IBM partners/IBM
Professional services.
 Applications can contain:
– New content, such as Dashboards, customized tabs, and more.
– New screens for interacting with QRadar
 Applications can be downloaded through the IBM Security App Exchange
 App Exchange is available through “IBM Security App Exchange” on the Extensions
Management toolbar.

31. IBM Security App Exchange
Side bar allows you to quick filter.
Sort by:
• Apps
• Custom Properties
• Custom Rule
• Dashboard
• Reference data
• Saved Searches
• And more…

32. Content Packs
Content Pack Status Description
IBM Security
Anomaly Content
Released These rules focus on anomaly detection
• 19 rules and building block
IBM Security
Compliance
Content
Released These rules and reports focus on general compliance and policy
controls
• 4 custom event properties
• 49 event and flow searches related to monitoring compliance..
• 153 reports related to monitoring compliance.
• 140 rules and building blocks related to monitoring compliance.
• 10 reference data sets related to monitoring server types for
compliance purposes.
IBM Security
Intrusion Content
Released These rules focus on detection of intrusions and post-intrusion activity.
• 72 rules and building blocks
• 1 reference data set for
IBM Security
GPG13 Content
Pending Content focused on the Good Practice Guide 13 standard.
• 98 rules and building blocks
• 31 event and flow searches
• 29 reports

33. Content Packs
Content Pack Status Description
IBM Security
Reconnaissance
Content
Released Content focused on detection of reconnaissance activity within your
enterprise
• 104 rules and building blocks
• 10 reference sets
IBM Security
Threat Content
Released These rules focus on threat indicators and integration with threat
intelligence feeds
• 114 rules building blocks
• 2 custom event properties for identifying URLs,
• 10 reference sets,
IBM Security ISO
27001 Content
Released These rules and reports focus on ISO standard for information security
management or 27001 compliance and policy controls.
• 35 rules and building blocks
• 4 event properties
• 29 event searches
• 77 reports

34. Contact UsArtūrs Garmašovs
agarmasovs@dss.lv
Mobile
Riga, Latvia
www.dss.lv
LinkedIn: http://ow.ly/FAflz
Twitter: http://ow.ly/FAfv0
Facebook:http://ow.ly/FAfzZ
Youtube: http://ow.ly/FAfEN
SlideShare: http://ow.ly/FAfHd

35. Think Security First
Thank you