QRadar SIEM 7.2 Flows Overview




QRadar SIEM 7.2 Flows Overview

Panelists:
- Dwight Spencer, Principal Solutions Architect & Co-founder of Q1 Labs
- Aaron Breen, QRadar World-wide Support Leader
- Adam Frank, Principal Solutions Architect
- Dale Beresford, Support Services Team Lead
- Jonathan Pechta, Support Technical Writer

Reminder: You must dial in to the phone conference to listen to the panelists. The webcast does not include audio. USA: 866-803-2145; Canada: 866-845-8496; participant passcode: 9348947.

QRadar Open Mic Webcast #2, July 29, 2014. 2012 IBM Corporation

Goal: Provide insight on the QRadar components responsible for flow collection.

[Diagram: flow sources (a router sending NetFlow data, a SPAN port on a switch, a network tap) feed the ETH0-ETH3 interfaces of a QFlow Collector (12xx or 13xx); the collector sends flow records on port 32010 to ETH0 of a Flow Processor (FP, 17xx), which is connected to the Console.]

Types of flow data

QRadar can collect several types of flow data: QFlow, NetFlow, sFlow, J-Flow, and Packeteer. We differentiate these into two categories:
- Internal flows: packet-based collection (QFlow or Packeteer).
- External flows: sources from routers or switches that generate their own session statistics (NetFlow, sFlow, and J-Flow).

Data available by flow type:
- QFlow or Packeteer: layer 7 visibility; provides details on application communication, URLs, etc.
- NetFlow, J-Flow, and sFlow: layer 3 and layer 4 visibility.

Placement of devices for flow collection

1. Where do you require visibility? If you consider the perimeter of the network, where a corporate entity connects to the public internet, as the most volatile location, then this is where most users put the most granular data collection type, which is a packet-based collection solution.
2. Available hardware & capabilities.

[Diagram: a scale from "Most volatile" to "Least volatile".]

The Event Correlation Service (ECS)

The QFlow component is responsible for reading different types of flow data and creating flow records to be processed. ECS is the core service responsible for event and flow collection for QRadar. ECS is comprised of three core components:
1. Event Collector
2. Event Processor
3. Magistrate (Console only)

[Flowchart: Start -> Flow data (internal or external) -> QFlow process -> ECS (Event Collector component -> Event Processor component -> Magistrate component, Console only) -> End.]

What is an Event Collector component?

The Event Collector component completes a number of flow processing functions for ECS:
- Flow deduplication: removes duplicate flows when multiple QFlow Collectors are providing data to Flow Processor appliances.
- Asymmetric recombination: combines the two sides of each flow when data is provided asymmetrically. This process can recognize flows from each side and combine them into one record. However, sometimes both sides of the data do not exist, for example:
  - External flow sources such as NetFlow may only report ingress or egress traffic.
  - SPAN traffic may enter a network from a single point and exit via another, creating asymmetric reporting of data to flow collectors.
- Throttle: monitors the number of incoming events and flows to the system to manage input queues and licensing.
- Forwarding: applies routing rules for the system, such as sending data to offsite targets, external syslog systems, JSON systems, other SIEMs, etc.
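To make the Event Collector's flow deduplication and asymmetric recombination concrete, here is an added Python example; it is not QRadar code, and the record layout, collector names and addresses are constructed for illustration:

```python
from collections import OrderedDict

# Constructed unidirectional flow records for this example (not QRadar's own format):
# (src_ip, dst_ip, src_port, dst_port, proto, bytes, packets, reporting_collector)
SAMPLE = [
    ("10.0.0.5", "203.0.113.10", 51000, 443, "tcp", 1200, 10, "qflow-A"),
    ("10.0.0.5", "203.0.113.10", 51000, 443, "tcp", 1200, 10, "qflow-B"),  # same flow seen by a second collector
    ("203.0.113.10", "10.0.0.5", 443, 51000, "tcp", 8800, 12, "qflow-A"),  # the return direction
    ("10.0.0.7", "10.0.0.9", 40000, 53, "udp", 80, 1, "netflow-rtr"),      # ingress only; reply never reported
]

def five_tuple(f):
    """The unidirectional key: source, destination, ports and protocol."""
    return f[:5]

def deduplicate(flows):
    """Drop a flow already reported by a *different* collector; repeats from the
    same collector are kept so that later accumulation still sees them."""
    first_reporter, unique = {}, []
    for f in flows:
        k = five_tuple(f)
        if k in first_reporter and first_reporter[k] != f[7]:
            continue
        first_reporter.setdefault(k, f[7])
        unique.append(f)
    return unique

def recombine(flows):
    """Merge each flow with its reverse-direction partner into one bidirectional
    record. A side that never arrives (NetFlow exporting one direction, a SPAN
    that sees only ingress) leaves the record one-sided and flagged asymmetric."""
    pending = OrderedDict()
    for f in flows:
        src, dst, sp, dp, proto, nbytes, pkts, _ = f
        reverse = (dst, src, dp, sp, proto)
        if reverse in pending:                 # partner already present: fold this side in
            rec = pending[reverse]
            rec["dst_bytes"] += nbytes
            rec["dst_packets"] += pkts
            rec["asymmetric"] = False
            continue
        k = five_tuple(f)
        if k in pending:                       # same direction again: accumulate counters
            pending[k]["src_bytes"] += nbytes
            pending[k]["src_packets"] += pkts
            continue
        pending[k] = {"src": src, "dst": dst, "src_port": sp, "dst_port": dp, "proto": proto,
                      "src_bytes": nbytes, "src_packets": pkts,
                      "dst_bytes": 0, "dst_packets": 0, "asymmetric": True}
    return list(pending.values())
```

Running `recombine(deduplicate(SAMPLE))` yields two records: the HTTPS session with both directions folded together, and the one-sided UDP flow still flagged asymmetric.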

What is an Event Processor component?

- Custom Rules Engine (CRE): responsible for processing events received by QRadar and comparing them against defined rules, keeping track of systems involved in incidents over time, generating notifications to users, and generating offenses.
- Host profiler: responsible for resolving asset information from passive flow data. Flows provide detailed information about network activity and allow QRadar to build a passive database of assets, ports, protocols, direction, applications, number of packets, bytes transferred, and even an index of the source and destination payload.
- Streaming: responsible for sending real-time event data to the Console when a user is viewing events from the Log Activity tab with Real time (streaming). Streamed events are not provided from the database.
- Event storage (Ariel): a time-series database for events and flows where data is stored on a minute-by-minute basis. Data is stored where the event is processed.

What is the Magistrate Processing Core (MPC) component?

The Magistrate Processing Core (MPC) is responsible for correlating offenses with event notifications from multiple Event Processor (EP) components. Only the Console will have a Magistrate component. Its layers:
- Offense rules: monitors and takes actions on offenses, such as generating email notifications.
- Offense management: updates active offenses, transitions inactive offenses to active, and provides access to offense information to the user through the Offenses tab.
- Offense storage: writes offense data to a Postgres database.

ECS, the big picture

[Diagram: Start -> Protocol parsing, traffic analysis, and auto detection -> Event Collector (flow deduplication, asymmetric recombination, throttle, coalescing, forwarding) -> Event Processor (Custom Rules Engine, host profiler, streaming, storage) -> Magistrate (offense rules, offense management, offense storage) -> End.]

Remember: ECS runs on any appliance that processes events, such as 16xx, 17xx, and 18xx appliances. This means that ECS is running simultaneously on a number of appliances in a multi-system deployment. Each ECS is taking in events, processing them, evaluating rules, etc.

Types of flow records

- Standard flow: a single standard flow record.
- Type A Superflow (network scans): one source to many destination IPs. This is a unidirectional flow which has the same source but multiple destinations.
- Type B Superflow (DDoS): multiple sources to a single destination IP. This is a unidirectional flow which has multiple sources but a single destination.
- Type C Superflow (port scans): one-to-one source and destination with many ports. This is a one-to-one flow with different source or destination ports.
- Over flow record: created when license limits are exceeded. When a QFlow Collector hits its flow license limit, it begins creating over flow records. Over flow records have a source IP of 127.0.0.4 and a destination IP of 127.0.0.5, with one flow created per protocol (ICMP, UDP, TCP, etc.). When the license limit is reached, QFlow rolls the rest of the traffic for the protocol within the interval into a single record. All byte and packet counts are totaled up and added to these over flow records.
- Flow bundle subflow record: legacy, no longer used.
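The following added Python example (not QRadar code; the records, the grouping threshold and the license limit are constructed assumptions) shows how a batch of unidirectional flows collapses into the three superflow types, and how flows past a license limit are rolled into one 127.0.0.4 -> 127.0.0.5 over flow record per protocol with byte and packet counts totaled:

```python
from collections import defaultdict

# Constructed unidirectional flow records for this example (not QRadar's own format):
# (src_ip, dst_ip, src_port, dst_port, proto, bytes, packets)
SAMPLE = [
    ("10.0.0.5", "10.0.1.1", 50000, 22, "tcp", 60, 1),
    ("10.0.0.5", "10.0.1.2", 50001, 22, "tcp", 60, 1),
    ("10.0.0.5", "10.0.1.3", 50002, 22, "tcp", 60, 1),      # one source, three destination IPs
    ("10.0.0.8", "10.0.2.9", 40000, 80, "tcp", 60, 1),
    ("10.0.0.8", "10.0.2.9", 40001, 443, "tcp", 60, 1),
    ("10.0.0.8", "10.0.2.9", 40002, 8080, "tcp", 60, 1),    # one pair, three destination ports
    ("198.51.100.1", "10.0.3.3", 1111, 53, "udp", 100, 1),
    ("198.51.100.2", "10.0.3.3", 1112, 53, "udp", 100, 1),
    ("198.51.100.3", "10.0.3.3", 1113, 53, "udp", 100, 1),  # three sources, one destination IP
    ("10.0.0.9", "10.0.4.4", 55555, 25, "tcp", 500, 4),     # ordinary standard flow
]

def _extract(flows, remaining, group_key, distinct_key, label, threshold, out):
    """Pull every group of `remaining` flows sharing group_key whose distinct_key
    values reach `threshold` into one superflow of type `label`."""
    groups = defaultdict(set)
    for i in remaining:
        groups[group_key(flows[i])].add(i)
    for key, idx in groups.items():
        if len({distinct_key(flows[i]) for i in idx}) >= threshold:
            out.append({"type": label, "key": key, "members": len(idx)})
            remaining -= idx          # in-place: the caller's set shrinks

def classify_superflows(flows, threshold=3):
    """Collapse flows into the three superflow types; `threshold` (an assumption
    of this example) is how many members it takes to form a superflow."""
    remaining, out = set(range(len(flows))), []
    # Type C (port scan): same source/destination pair, many distinct port combinations
    _extract(flows, remaining, lambda f: (f[0], f[1]), lambda f: (f[2], f[3]), "C", threshold, out)
    # Type A (network scan): one source, many destination IPs
    _extract(flows, remaining, lambda f: f[0], lambda f: f[1], "A", threshold, out)
    # Type B (DDoS): many sources, one destination IP
    _extract(flows, remaining, lambda f: f[1], lambda f: f[0], "B", threshold, out)
    out += [{"type": "standard", "key": (flows[i][0], flows[i][1]), "members": 1} for i in sorted(remaining)]
    return out

def apply_license_limit(flows, limit):
    """Keep the first `limit` flows of an interval; roll the rest into one over flow
    record per protocol (127.0.0.4 -> 127.0.0.5) with bytes and packets totaled."""
    overflow = {}
    for src, dst, sp, dp, proto, nbytes, pkts in flows[limit:]:
        rec = overflow.setdefault(proto, ["127.0.0.4", "127.0.0.5", 0, 0, proto, 0, 0])
        rec[5] += nbytes
        rec[6] += pkts
    return list(flows[:limit]) + [tuple(r) for r in overflow.values()]
```

`classify_superflows(SAMPLE)` returns one Type C, one Type A, one Type B and one standard record; `apply_license_limit(SAMPLE, 7)` keeps seven flows and replaces the remaining three with a UDP and a TCP over flow record.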

Advanced questions: part 1

The first questions addressed by the panelists will be those that were asked in advance in the QRadar Customer forum.

Q1: How can I achieve application-layer visibility using the QRadar All-in-one appliance? Do I need to connect a SPAN port to a NIC that is used by the QFlow Collector?

Q2: How will encryption be dealt with here (I mean, whether we need any SSL termination proxy or not)?

Q3: How can Layer 7 analysis be made possible in the case of VFlow Collectors, since we don't have any SSL termination mechanism in virtual environments?

Q4: After VFlow is configured, to which component will it be forwarded?

Q5: What is the packet structure of QFlow records?

Advanced questions: part 2

Q6: How does QFlow differentiate between applications that are using the same port? (For example, port 443 being used by Facebook and LinkedIn.) How is an IRC running on port 80 or 443 identified?

Q7: Feeding unencrypted data to QFlow puts limitations on me, as my QRadar administrators/analysts can have my company's e-mails retrievable in their consoles. Does QRadar have the capability to re-encrypt its input, just like an IPS or IDS or any application-layer filtering platform?

Questions for the panel?

Now is your opportunity to ask questions of our panelists. To ask a question now:
1. Type your question into the chat window.
2. When prompted by the operator, you can press *1 to ask a question over the phone.

To ask a question after this presentation: if you were unable to attend this webcast or have questions later, we have set aside a forum post specifically for this webcast. See the IBM Security Intelligence QRadar Forum.

Where do I get more information?

Questions on this or other topics can be directed to the QRadar forums: IBM Security Intelligence QRadar Forum.

More articles you can review:
- Article 1676986: QRadar Licenses and Flow Data
- Article 1622844: What are flows with the source and destinations of 127.0.0.4 and 127.0.0.5?
- Article 1622511: Common message and errors from the QRadar flow pipeline

Useful links:
- 1616144: Getting Support for IBM Security QRadar products
- Follow us: IBM Support Portal, Open a Service Request, Update your PMR, Escalate your PMR

ibm.com/security

Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.