QRadar Open Mic Webcast #7, January 28, 2015: Let's talk about assets in QRadar
Panelists:
Dwight Spencer, Principal Solutions Architect & Co-founder of Q1 Labs
Adam Frank, Principal Solutions Architect
Brad Morris, Technical Lead for QRadar Assets and Reference Sets
Chris Collins, Team Lead, QRadar Integration Services and Maintenance
Michael Jewett, Software developer for Level 3 engineering
Jonathan Pechta, Support Technical Writer
Mark Wright, QRadar L2 Support Manager
Reminder: You must dial in to the phone conference to listen to the panelists. The webcast does not include audio.
USA: 866-803-2145
Canada: 866-845-8496
Participant passcode: 9348947
Slides and global dial-in numbers: http://bit.ly/ibmoepnmicqr7doc
NOTICE: By participating in this call, you give your irrevocable consent to IBM to record any statements that you may make during the call, as well as to IBM's use of such recording in any and all media, including for video postings on YouTube. If you object, please do not connect to this call.
2012 IBM Corporation
Why is asset data important?
The ability to identify and understand how assets are being used in your network is critical to security: not just detecting devices, but building a dataset of historical information about each asset and tracking that information across your network as it changes. The goal of asset profiles is to bring together everything known about the assets in your network and update the data as new information is provided to QRadar. This allows administrators to more effectively report on, search, audit, and write rules that identify threats, vulnerabilities, and asset usage with relevant data.
Sources of asset information
The following sources provide QRadar with asset information:
Identity events. Common event sources for identity data:
Operating system events (Windows, Linux, Mac, UNIX)
DHCP events (routers, switches)
Identity management systems
Authentication events (access points)
Firewalls with VPN services
Vulnerability scans: either active scans or scan imports add new assets discovered within the CIDR ranges defined for the scan.
Importing asset information from the Assets tab (IP, Name, Weight, and Description).
DNS lookups.
Flow data (bi-directional) provides host profile information: IP address, port information, and applications. Server discovery leverages this information along with scan data to group servers into building blocks that can be leveraged later in rules.
Asset reconciliation (how assets are updated)
Each asset is assigned a unique identifier, which the system uses to determine whether new data should update (merge into) an existing asset or whether a new asset needs to be created. The asset profiler uses specific identity fields to perform this reconciliation, and the central question it answers is: which asset owns this data? When an update carries several identifiers, the asset profiler prioritizes them in the following order:
1. MAC address (most deterministic)
2. NetBIOS hostname
3. DNS hostname
4. IP address (least deterministic)
Asset reconciliation (continued)
Asset reconciliation allows QRadar to keep asset data current and to track the history of an asset for more detailed auditing. A basic example of asset reconciliation:
1. Examine the identifiers in the update against the database of existing assets and look for a match.
2. If the update contains a known MAC address, NetBIOS name, or DNS hostname, update that asset's values and populate any new data the update provides.
3. If the only matching value is an IP address, the match is decided by comparing the other information in the update with what is already known about the asset that holds that IP.
4. If neither step 2 nor step 3 produces a match, a brand new asset is created to hold the information in the update.
Assets, merging, and deviant asset growth
This might prompt you to ask: what happens when the data in an update matches more than one asset, for example an update containing a NetBIOS name that belongs to one asset and a MAC address that belongs to another? Answer: in these cases QRadar evaluates the data of the two assets and, depending on how the asset identifiers match, an asset merge might occur. Merging is the process whereby the contents of one asset are absorbed by another under the presumption that they are actually the same physical asset. Systems that cause aggressive merging of asset information are devices that generate data carrying identifiers shared with other assets.
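The reconciliation steps and the two-asset merge case from the preceding slides, as an added example. This is a simplified model written for this page, not QRadar's asset profiler: the priority order (MAC > NetBIOS > DNS > IP), the consistency check for an IP-only match and the merge when one update ties two assets together follow the slides, while the Asset/AssetModel classes, the dict-shaped update and the sample sequence of updates are assumptions.

```python
"""Simplified model of the asset reconciliation described on the slides.
Not QRadar code: data structures and the demo updates are assumptions."""
from dataclasses import dataclass, field

# Identifier types from most to least deterministic (order given on the slide).
KEYS = ("mac", "netbios", "dns", "ip")
STRONG_KEYS = KEYS[:3]  # a match on any of these is trusted outright


@dataclass
class Asset:
    asset_id: int
    mac: set = field(default_factory=set)
    netbios: set = field(default_factory=set)
    dns: set = field(default_factory=set)
    ip: set = field(default_factory=set)

    def absorb(self, update):
        """Record every identifier carried by an update (history is kept, not replaced)."""
        for key in KEYS:
            if update.get(key):
                getattr(self, key).add(update[key])


class AssetModel:
    def __init__(self):
        self.assets = {}   # asset_id -> Asset
        self.merges = []   # (absorbed_id, survivor_id) audit trail
        self._next_id = 1

    def _holders(self, key, value):
        return [a for a in self.assets.values() if value in getattr(a, key)]

    def reconcile(self, update):
        """Apply one identity update (dict with some of KEYS).
        Returns (action, asset_id) with action in 'updated', 'created', 'merged'."""
        # Steps 1-2: look for assets that already hold one of the strong identifiers.
        matches = []
        for key in STRONG_KEYS:
            if update.get(key):
                for asset in self._holders(key, update[key]):
                    if asset not in matches:
                        matches.append(asset)
        if len(matches) > 1:
            # The update ties two assets together (NetBIOS name of one, MAC of
            # another): merge them into the oldest asset and keep an audit trail.
            survivor = min(matches, key=lambda a: a.asset_id)
            for other in matches:
                if other is survivor:
                    continue
                for key in KEYS:
                    getattr(survivor, key).update(getattr(other, key))
                del self.assets[other.asset_id]
                self.merges.append((other.asset_id, survivor.asset_id))
            survivor.absorb(update)
            return ("merged", survivor.asset_id)
        if matches:
            matches[0].absorb(update)
            return ("updated", matches[0].asset_id)
        # Step 3: IP-only match, accepted only if the rest of the update does not
        # contradict what the asset already holds.
        if update.get("ip"):
            for asset in self._holders("ip", update["ip"]):
                if self._consistent(asset, update):
                    asset.absorb(update)
                    return ("updated", asset.asset_id)
        # Step 4: nothing matched, so a brand new asset is created.
        asset = Asset(self._next_id)
        self._next_id += 1
        asset.absorb(update)
        self.assets[asset.asset_id] = asset
        return ("created", asset.asset_id)

    @staticmethod
    def _consistent(asset, update):
        """A strong identifier in the update that differs from one the asset already
        holds means the IP was probably reassigned to a different machine."""
        for key in STRONG_KEYS:
            known = getattr(asset, key)
            if update.get(key) and known and update[key] not in known:
                return False
        return True


if __name__ == "__main__":
    model = AssetModel()
    # Constructed updates: one workstation, then a newcomer that inherits its IP.
    print(model.reconcile({"mac": "aa:bb:cc:00:00:01", "netbios": "HOST1", "ip": "10.0.0.5"}))
    print(model.reconcile({"ip": "10.0.0.5", "dns": "host1.example.com"}))
    print(model.reconcile({"mac": "aa:bb:cc:00:00:02", "ip": "10.0.0.5"}))
    print(model.reconcile({"netbios": "HOST1", "mac": "aa:bb:cc:00:00:02"}))
```

The third update shows why an IP match is the least deterministic: a new MAC on a known IP creates a second asset instead of polluting the first. The fourth update then carries HOST1's NetBIOS name together with the second MAC, which is exactly the two-asset situation the slide describes, and the model merges them. Shared identifiers (a VM template MAC, a syslog proxy IP, a generic hostname) drive this path repeatedly, which is how the aggressive merging on the next slide arises.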
Assets, merging, and deviant asset growth (continued)
For example:
Central syslog servers acting as an event proxy
Virtual machines (VMs)
Pre-install or automated installation environments
Non-unique hostnames (for example, "iphone")
VPNs with shared MAC addresses
LSXs where the identity field is set to OverrideAndAlwaysSend=true
These can leave a single asset holding a large number of IP addresses, MAC addresses, or hostnames and trigger a deviant asset growth notification. Deviant asset growth is a notification generated when the rate of asset updates outpaces the retention cleanup agent. The best way to avoid these notifications is to:
1. Update the asset profiler retention values
2. Add identity exclusions
3. Manage reference sets for asset blacklists or exclusion rules
4. Ensure DSMs are updated
Admin tab > Asset Profile Configuration
Methods for reducing deviant asset growth from the Asset Profile Configuration screen: adjust the retention length for the type of asset identity data that is being merged. For example, if multiple IP addresses are merging under one asset, change the Asset IP Retention from 120 days to a lower value, such as 90 days.
NOTE: Asset retention cleanup never removes the last hostname value for an asset, even if that data is beyond the retention period.
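The retention cleanup this slide describes, including the rule that an asset never loses its last hostname, as an added example written for this page rather than QRadar's cleanup agent. The per-type retention table (120 days, with IP retention lowered to 90 as the slide suggests), the asset layout as a dict of identifier kind to last-seen timestamps, and the sample asset are assumptions.

```python
"""Model of asset retention cleanup with the last-hostname rule.
Not QRadar code: retention values, asset layout and sample data are assumptions."""
from datetime import datetime, timedelta

# Assumed retention settings in days: 120 as the starting value on the slide,
# with IP retention lowered to 90 for an asset that is accumulating IPs.
RETENTION_DAYS = {"ip": 90, "mac": 120, "netbios": 120, "dns": 120}
HOSTNAME_KINDS = ("netbios", "dns")
NOW = datetime(2015, 1, 28)


def cleanup(asset, now, retention=RETENTION_DAYS):
    """Remove identifiers last seen before their retention cutoff.

    asset maps identifier kind -> {value: last_seen datetime} and is modified in
    place. Hostname kinds keep their most recently seen value even when it is
    expired, so an asset never loses its last hostname. Returns {kind: [removed]}.
    """
    removed = {}
    for kind, values in asset.items():
        cutoff = now - timedelta(days=retention[kind])
        expired = sorted(v for v, last_seen in values.items() if last_seen < cutoff)
        if kind in HOSTNAME_KINDS and expired and len(expired) == len(values):
            # every hostname is stale: keep the newest one anyway
            expired.remove(max(values, key=values.get))
        for value in expired:
            del values[value]
        removed[kind] = expired
    return removed


def sample_asset():
    """Constructed asset: one stale and one fresh IP, two stale DNS names, one stale MAC."""
    return {
        "ip": {"10.0.0.5": NOW - timedelta(days=200), "10.0.0.6": NOW - timedelta(days=10)},
        "dns": {"old.example.com": NOW - timedelta(days=300),
                "older.example.com": NOW - timedelta(days=400)},
        "mac": {"aa:bb:cc:00:00:01": NOW - timedelta(days=150)},
    }


if __name__ == "__main__":
    asset = sample_asset()
    print(cleanup(asset, NOW))   # what the cleanup removed, per kind
    print(asset)                 # old.example.com survives as the last hostname
```

Lowering a retention value only helps when the offending identifiers actually age out faster than they arrive; if a proxy or VM template is re-reporting the same shared identifier every few minutes, nothing ever expires and an exclusion (next slides) is the right tool instead.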
Identity exclusion
To combat systems where a single asset can be populated with extremely large numbers of similar asset identifiers (IP addresses, hostnames, MAC addresses), identity exclusion was added. Identity exclusion allows users to filter out specific identity events so that they do not contribute to deviant asset growth. To enable an identity exclusion:
1. Click the Log Activity tab.
2. Create a search that locates the identity events to be excluded.
3. Click Search, then save the search criteria.
4. Click the Admin tab > Asset Profiler Configuration > Manage Identity Exclusion, and add the saved search to the list.
NOTE: Editing the saved search automatically updates the exclusion list.
Asset reconciliation exclusion rules
Reconciliation exclusion allows users to define rules that prevent noisy asset updates from being applied to the asset profile by automatically populating a reference set blacklist. The idea is that when a rule triggers, instead of updating an asset with suspect data, the offending identifier is automatically added to the blacklist reference set. The update to the asset profile is not made and the change is discarded.
Asset reconciliation exclusion (continued)
For example:
Rule: AssetExclusion: Exclude DNS Name By IP
Rule behavior: when at least 3 events are seen with the same Identity Host Name and different Identity IP in 2 hour(s), add the hostname (DNS Name) to the 'Asset Reconciliation DNS Blacklist' reference set.
Tuning advice:
1. Review Admin > Reference Set Management to see how many elements have been added to a blacklist.
2. To tune out false positives (too many blacklisted values), either increase the number of events required or shorten the time window of the rule trigger (or disable the IP-based rules). In environments where people hop between networks often, it is not unusual to require 10 events in 1 hour.
3. For too few blacklisted values, lower the number of events required to trigger the rule or lengthen the time window.
Reference sets for asset exclusion
Another option available to administrators is to manually populate a reference set blacklist or whitelist. If a situation arises where a single identity value needs to be excluded, a whitelist entry can be easier to add than an identity exclusion. When the system identifies a blacklist match, it checks the whitelist for the same value. If the value is present there, the change is reconciled and the asset is updated.
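The 'Exclude DNS Name By IP' rule from the previous slide and the blacklist-then-whitelist check from this one, as one added example written for this page (not QRadar's rule engine or reference set code). The event tuples, the sliding-window evaluation, the function names and the constructed sample events are assumptions; the 3-events-in-2-hours default and the whitelist-wins behaviour follow the slides.

```python
"""Model of the DNS-name exclusion rule and the blacklist/whitelist gate.
Not QRadar code: event layout, window logic and sample events are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta


def find_hopping_hostnames(events, min_events=3, window_hours=2):
    """Return the hostnames the rule would add to the DNS blacklist.

    events: iterable of (timestamp, identity_hostname, identity_ip). A hostname is
    blacklisted when some span no longer than window_hours holds at least
    min_events of its events with pairwise different IPs.
    """
    window = timedelta(hours=window_hours)
    by_host = defaultdict(list)
    for ts, host, ip in events:
        by_host[host].append((ts, ip))
    blacklist = set()
    for host, seen in by_host.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            # shrink the window from the left until it spans at most `window`
            while seen[end][0] - seen[start][0] > window:
                start += 1
            distinct_ips = {ip for _, ip in seen[start:end + 1]}
            if len(distinct_ips) >= min_events:
                blacklist.add(host)
                break
    return blacklist


def apply_update(asset_hosts, update, blacklist, whitelist=frozenset()):
    """Gate one hostname update: discard it when the hostname is blacklisted,
    unless the same value is also whitelisted. Returns True if it was applied."""
    host = update["hostname"]
    if host in blacklist and host not in whitelist:
        return False
    asset_hosts.setdefault(update["ip"], set()).add(host)
    return True


T0 = datetime(2015, 1, 28, 8, 0)
# Constructed identity events: a laptop hopping across three networks in 75 minutes,
# a file server seen on its primary and standby IP, and a phone that changes IP
# every 90 minutes, so no 2-hour window ever holds three different IPs for it.
EVENTS = [
    (T0 + timedelta(hours=1), "jdoe-mbp", "10.0.1.20"),
    (T0 + timedelta(hours=1, minutes=40), "jdoe-mbp", "10.0.2.31"),
    (T0 + timedelta(hours=2, minutes=15), "jdoe-mbp", "192.168.5.9"),
    (T0, "fileserver01", "10.0.0.50"),
    (T0 + timedelta(minutes=30), "fileserver01", "10.0.0.50"),
    (T0 + timedelta(hours=1), "fileserver01", "10.0.0.51"),
    (T0 + timedelta(hours=1, minutes=10), "fileserver01", "10.0.0.50"),
    (T0, "iphone", "10.0.3.11"),
    (T0 + timedelta(hours=1, minutes=30), "iphone", "10.0.4.12"),
    (T0 + timedelta(hours=3), "iphone", "10.0.5.13"),
    (T0 + timedelta(hours=4, minutes=30), "iphone", "10.0.6.14"),
]

if __name__ == "__main__":
    print(find_hopping_hostnames(EVENTS))                  # default: 3 in 2 hours
    print(find_hopping_hostnames(EVENTS, window_hours=4))  # longer window catches the phone
    hosts = {}
    blacklist = find_hopping_hostnames(EVENTS)
    print(apply_update(hosts, {"hostname": "jdoe-mbp", "ip": "10.0.9.1"}, blacklist))
    print(apply_update(hosts, {"hostname": "jdoe-mbp", "ip": "10.0.9.1"}, blacklist, {"jdoe-mbp"}))
```

Re-running the rule with a longer window or a lower event count is the tuning loop the previous slide describes: the phone is only caught at 4 hours, and raising min_events to 4 catches nothing in this sample. The whitelist check is deliberately a plain membership test on the same value, which is why it has to be populated by hand per Q3 and Q6 below; there is no CIDR matching at this point.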
Did you know?
Did you know that there is a script that can update the QRadar asset model from a CSV file? The update_asset.py script allows customers to update their asset model using a CSV file. It can be useful when first configuring QRadar assets, to set IP address, Technical Owner, Location, or Description information in bulk. The script never creates assets; it only updates existing entries in the asset profile. If an IP exists in the CSV file but not in the asset profile, the script does not import that row. The script is available on the GitHub page for IBM Security Intelligence: https://github.com/ibm-security-intelligence/
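A pre-flight check for a CSV before it is fed to the real script, as an added example written for this page; it is not update_asset.py and makes no claim about that script's arguments or internals. It applies the semantics the slide states (only existing assets are updated, rows for unknown IPs are ignored) so that silently dropped rows are visible in advance. The profile layout, the column names, the rule that an empty cell leaves the existing value alone, the treatment of 0.0.0.0 as a null placeholder (as the asset-export Q&A later on this page describes) and the sample CSV are all assumptions.

```python
"""Pre-flight check for a CSV asset update: update existing assets only, never
create. Not the update_asset.py script; layout and sample data are assumptions."""
import csv
import io

UPDATABLE_FIELDS = ("technical_owner", "location", "description")
NULL_IP = "0.0.0.0"  # placeholder QRadar exports use for an empty IP field


def update_assets_from_csv(profile, csv_text):
    """Apply CSV rows to assets already present in `profile` (dict keyed by IP).

    Rows whose IP is unknown or is the null placeholder are skipped, never created.
    Empty cells leave the existing value untouched. Returns (updated_ips, skipped_ips).
    """
    updated, skipped = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = (row.get("ip") or "").strip()
        if ip == NULL_IP or ip not in profile:
            skipped.append(ip)
            continue
        for name in UPDATABLE_FIELDS:
            value = (row.get(name) or "").strip()
            if value:
                profile[ip][name] = value
        updated.append(ip)
    return updated, skipped


def sample_profile():
    """Constructed asset profile: two known hosts, one of them already named."""
    return {
        "10.0.0.5": {"name": "", "technical_owner": "", "location": "", "description": ""},
        "10.0.0.6": {"name": "dc01", "technical_owner": "", "location": "", "description": ""},
    }


# Constructed CSV in the columns the slide names. The third row's IP is not in the
# profile and the fourth carries the null placeholder, so both must be skipped.
SAMPLE_CSV = """ip,technical_owner,location,description
10.0.0.5,Infra Team,DC-East rack 4,Domain controller (replica)
10.0.0.6,Infra Team,DC-East rack 4,
10.0.0.77,Desktop Team,Floor 3,Not in profile yet
0.0.0.0,Nobody,Nowhere,Placeholder row from an export
"""

if __name__ == "__main__":
    profile = sample_profile()
    updated, skipped = update_assets_from_csv(profile, SAMPLE_CSV)
    print("updated:", updated)
    print("skipped (no existing asset, would be ignored):", skipped)
    for ip in updated:
        print(ip, profile[ip])
```

Running a dry pass like this against an export of the current asset list shows which rows of a freshly prepared inventory spreadsheet have no matching asset yet; those hosts need to be discovered by a scan or identity events first, because the script will not create them.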
Questions
Advanced questions: part 1
The first questions addressed by the panelists are those that were asked in advance in the QRadar Customer forum.
Q1. What determines the name of an asset?
Asset names are assigned in the following order of preference: given name, followed by NetBIOS name, DNS name, then IP address.
Q2. When I look at the asset profile, why do I see assets where all other information is blank?
In these cases, the asset retention has likely expired and removed data that is older than 120 days.
Q3. Is there a method for whitelisting IP addresses based on CIDR or network definition?
No, at this time whitelisting assets is a manual process. Review why specific IP addresses are being blacklisted in the first place.
Advanced questions: part 2
Q4. Can we delete assets and start fresh? What if I want to partially delete some assets, but keep others?
Yes, there is a script that can be used to clean the entire asset model, but it is not selective. To clean selectively, use searches and then delete from the user interface. Note: this queues the asset for deletion, but it might take some time for the deletion to occur.
Q5. Is there a way to hard-code asset names to IPs that have been blacklisted?
Yes, add the IP to the whitelist, then edit the asset and provide name information for the asset.
Q6. Is there a method for whitelisting IP addresses based on CIDR or network definition?
No, at this time whitelisting assets is a manual process (see Q3).
Advanced questions: part 3
Q7. Why, when I do an asset export, do I see 0.0.0.0?
In most cases 0.0.0.0 is a placeholder for null or N/A fields that do not contain IP address information.
Q8. Is there a good method to ensure that I'm not updating assets from service accounts / automated services?
Yes, a good way to exclude asset profile updates for service accounts is to create a search where Identity Username + Is Any Of + Anonymous logon. Make sure this is a real-time search for the time frame. Save the search and add it to the Identity Exclusion list (Admin tab > Asset Profile Configuration > Manage Identity Exclusion > add your anonymous logon search).
Questions for the panel?
Now is your opportunity to ask questions of our panelists. To ask a question now:
1. Type your question into the chat window.
2. When prompted by the operator, press *1 to ask a question over the phone.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
www.ibm.com/security
Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way.
IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.