
IBM QRadar Security Intelligence Platform QRSIP Security QRadar SIEM

Product
Developers: IBM
Last Release Date: 2021/03/09
Technology: Information Security - Fraud Detection System, Information Security - Security Information and Event Management (SIEM)


IBM QRadar Security Intelligence Platform is software for detecting and countering network threats. The IBM QRadar Security Intelligence Platform products provide a unified architecture that integrates security information and event management (SIEM), log management, anomaly detection, configuration management, and vulnerability management. These products offer advanced threat detection capabilities, ease of use, and a low cost of ownership.

Key capabilities planned for the IT security platform

  • A unified architecture for analyzing logs, flows, vulnerabilities, users, and assets.
  • Identification of correlations and anomalous events in near real time to single out the most dangerous security threats.
  • Prioritization of incidents based on the results of billions of analyzed data points.
  • Full visibility for analyzing network activity, application performance, and user activity.
  • Automated compliance with regulatory requirements through data collection, correlation, and reporting capabilities.

  • Access to shared threat information - IBM plans to provide access to information from one of the world's largest data warehouses of identified IT threats and vulnerabilities. This information is based on IBM X-Force Threat Intelligence Feed monitoring results, which track an average of 13 billion security events daily. Access to shared information about existing threats and vulnerabilities makes it possible to identify behavior (or some kind of activity or state) that can be associated with so-called "Advanced Persistent Threats" (APT). These particularly sophisticated threats can come from well-coordinated, targeted attack groups that use masking techniques to gain unauthorized access to networks.

  • Enterprise-wide activity control - The platform will accumulate information about security events related to IBM and third-party products, which covers four areas of organizational risk: infrastructure, people, applications, and data.

  • Detailed analysis in the era of Big Data - The analytical platform can operate at the level of basic data elements, which allows you to analyze a wide range of events, from information about access to the corporate network on the periphery of the organizational structure to indicators of the activity of database requests within the core activities of the enterprise.

Access to shared threat information

One of the most important integration initiatives for the QRadar platform is the IBM X-Force Threat Intelligence Feed, which is built on a global online monitoring system that records an average of 13 billion security events per day for almost 4,000 customers in more than 130 countries. The QRadar platform will have a complete picture of the latest global security trends, which will help protect enterprises from newly emerging risks. QRadar will display current IBM X-Force content feeds describing IT threats and vulnerabilities in a dashboard for users and map organization-wide security and network events to these threats and vulnerabilities in real time based on automated policies.

Platform components

IBM Security QRadar Log Manager: A high-performance system for collecting, analyzing, archiving, and storing large volumes of network and security event logs.

IBM Security QRadar Network Anomaly Detection: Improve IBM intrusion prevention systems (IPS) by obtaining more information about the network situation and abnormal actions to better identify security threats.

IBM Security QRadar QFlow Collector: Combined with IBM Security QRadar SIEM, the flow collectors provide application-level (Layer 7) mapping and flow analysis so you can understand what is happening on the network and respond to network activity.

IBM Security QRadar Risk Manager: Helps automate security risk management in critical areas, strengthen protection against attacks while improving compliance.

IBM Security QRadar SIEM: Event logging from thousands of target devices and applications distributed across the network. The system normalizes raw data on the fly and correlates the actions it records in order to distinguish real threats from false positives.

IBM Security QRadar VFlow Collector: Combined with IBM Security QRadar SIEM, it provides application-level (Layer 7) mapping of virtual network flows so you can understand what is happening on the network and respond to network activity.

Broad coverage

Other integration capabilities are also planned that will allow the QRadar Security Intelligence Platform to help customers identify IT threats more quickly by contextually linking events from the following categories:

  • People - Organizations must control access to key systems and information. Unauthorized access by employees to critical databases and customer information leaves the company exposed to system compromise, data theft and other security threats. With special analytical tools, IT security professionals can quickly determine whether the role-based access pattern exhibited by a particular user matches their position and privileges in the organization. The QRadar platform will be integrated with IBM Security Identity Manager and IBM Security Access Manager to complement existing QRadar support for enterprise directory services such as Microsoft Active Directory.

  • Data - Data is the main "protected object" in the security system; it is the main target for cybercriminals, so all security measures and tools are aimed at protecting it. Using IBM's Guardium Database Security software, integrated with the analytical security platform, organizations can better identify unauthorized or suspicious activity at the database level (for example, a database administrator accessing tables with credit card numbers during off-hours) and match it with abnormal activity detected at the network level (for example, credit card records being sent to unknown servers on the Internet).

  • Applications - Applications are required for daily operations, but they can also introduce major new vulnerabilities into enterprise networks. Because of their exposure to external input, applications should be updated regularly. Organizations, however, are often unable to install patches immediately because of corporate testing requirements and change management cycles. The analytics platform can automatically alert IT security personnel to Web applications that do not have the latest updates installed. Such applications are at constant risk of attacks using known "exploits" (malicious code that abuses a specific software vulnerability) previously identified by IBM Security AppScan. This planned integration complements existing QRadar platform support for enterprise-class application monitoring tools such as IBM WebSphere and SAP ERP.

  • Infrastructure - Today, organizations are making great efforts to secure thousands of physical devices, such as personal computers and mobile phones, especially amid the growing popularity of the Bring Your Own Device approach, which allows personal mobile devices to be used at work. For this reason, companies should take additional precautions to help their employees strictly comply with information security rules when using such devices. Through integration with IBM Endpoint Manager, the analytic security platform can provide enhanced protection for physical and virtual endpoint devices (servers, desktops, laptops, smartphones and tablets) as well as specialized equipment such as cash registers, ATMs and interactive kiosks.

Integration modules for the QRadar platform are also planned for Symantec DLP, Websense Triton, Stonesoft StoneGate and other third-party products. This integration strategy expands the QRadar ecosystem and continues the traditional Q1 Labs approach of supporting "multivendor" heterogeneous environments.

Big Data Analytics Solutions

The QRadar platform is also enhanced with Big Data capabilities, particularly for storing and querying large amounts of security-related information. In addition, security features for virtualized infrastructures have been added, and visibility has been expanded and improved. This helps customers reduce security risks and automate compliance processes.

Enhancing security in general, and protecting network data sources in particular, is complemented by enhanced functionality focused on exponential data growth. Among the new capabilities:

  • Instant Search to support quick free-form queries over both event logs and flow data. This feature is designed to bring the simplicity and speed of Internet search engines to an analytical security platform.

  • The XX24 series of appliances, designed to increase performance and scalability, the benefits for which QRadar solutions are widely known. With the release of the QRadar 3124 SIEM appliance, the QRadar 1624 Event Processor and the QRadar 1724 Flow Processor, all of which contain 16 TB of storage and 64 GB of RAM, organizations can support more users, achieve higher performance and retain data for longer.

  • Intelligent storage policy management that enables organizations to determine how much information they want to store and for how long. Less important data can be deleted earlier in order to be able to store more important data longer.

  • Virtual appliances that enable end customers and service providers to benefit from the virtual infrastructures they build while taking advantage of less expensive and more comprehensive security analytics solutions.

The planned integration modules (interface modules or device support modules) will be delivered with QRadar Security Information and Event Management (SIEM) and QRadar Log Manager at no additional cost and via automatic updates.

IBM Security QRadar SIEM

IBM Security QRadar SIEM is a system for recording events from endpoint devices and applications distributed across the network.

IBM Security QRadar SIEM records events from thousands of target devices and applications distributed across the network. The system normalizes raw data on the fly and correlates the actions it records in order to distinguish real threats from false positives. Optionally, the software includes IBM Security X-Force Threat Intelligence, which maintains a list of potentially malicious IP addresses, including malware-infected hosts, spam sources, and other threats. IBM Security QRadar SIEM can also map these threats to events and network data in order to prioritize security incidents.

Application Window Screenshot

Functionality

  • Display events in near real time to detect and prioritize threats, allowing you to monitor your entire IT infrastructure.
  • Reduce and prioritize alerts so analysts can focus on investigating suspicious events.
  • Better threat management and detailed reporting on data access and user actions.
  • Easy and fast installation, plus time-saving tools and features.
  • Reports on data access and user activity to manage compliance.
  • Detect misuse of applications, internal fraud, and subtle threats that can be overlooked among millions of events.
  • Collect logs and events from a variety of sources, including security devices, operating systems, applications, databases, and identity and access management systems.
  • Collect network flow data, including Layer 7 (application layer) data, from switches and routers.
  • Obtain information from identity and access management systems and infrastructure services such as Dynamic Host Configuration Protocol (DHCP), and receive information from network and application vulnerability scanners.
  • Normalize events on the fly and correlate them with other data for threat detection, compliance reporting, and auditing.
  • Reduce billions of events and flows to a small number of real violations and prioritize them according to the threat to the business.
  • Establish baselines and detect anomalies to identify behavioral changes associated with applications, hosts, users, and network segments.
  • Use optional IBM Security X-Force Threat Intelligence to identify suspicious IP activity, such as suspected malicious activity.
  • Track serious incidents and threats and provide links to all required data and related context for better analysis.
  • Search events and flows in near real-time streaming mode, or search stored data to improve analytics.
  • Add IBM Security QRadar QFlow and IBM Security QRadar VFlow Collector appliances to gain deeper insight into and better visibility of applications (e.g., enterprise resource management applications), databases, collaboration products, and social networks using Layer 7 network flow analysis.
  • Detect off-hours activity, unusual use of applications or cloud services, or network activity that does not match stored usage patterns.
  • Perform federated searches across large, distributed environments.
  • Automatically discover most log sources and monitor network flows to find and classify hosts and servers, and track the applications, protocols, services, and ports they use, saving significant time.
  • Use a centralized user interface with role-specific feature access and a single view for near-real-time analytics, incident management, and reporting.
  • Coalesce network flow records over short intervals into a single record to reduce disk space usage and meet licensing requirements.
  • Track all access to customer data by name and IP address to ensure privacy policies are followed.
  • Use an intuitive reporting module that does not require special databases or special reporting skills.
  • Ensure transparency, accountability, and measurability for compliance and regulatory reporting.

History

2021: Fix for a vulnerability that allows an attacker to send requests on behalf of the system

IBM eliminated a vulnerability in QRadar SIEM discovered by Positive Technologies, as the latter reported on March 9, 2021.

The vulnerability could be used to attack internal networks of companies.

The server-side request forgery (SSRF) vulnerability, identified in IBM QRadar SIEM by Positive Technologies expert Mikhail Klyuchnikov, has a medium severity rating (5.4 points on the CVSS scale).

The flaw was assigned the identifier CVE-2020-4786. By exploiting it, an attacker can send requests on behalf of the system and obtain information about the network infrastructure, which makes it easier to carry out further attacks.

"Using this vulnerability, an authorized attacker can send requests over some protocols on behalf of the server, both to the internal network and to the external one," explains Mikhail Klyuchnikov. "When sending requests to the internal network, he can obtain information about network nodes and their open ports, that is, learn more about this network. In addition, in some cases the attacker can exploit known vulnerabilities in software located in the internal network, which will allow him to develop his attack."

The issue affects IBM QRadar SIEM versions 7.4.2 GA to 7.4.2 Patch 1, 7.4.0 to 7.4.1 Patch 1, and 7.3.0 to 7.3.3 Patch 5. To fix the vulnerability, you must upgrade to the latest versions in accordance with the manufacturer's recommendations.

2018: Dangerous vulnerabilities found in IBM QRadar platform

Security researcher Pedro Ribeiro found[1] three dangerous vulnerabilities in the IBM QRadar platform which, when chained together, allow a remote, unauthenticated attacker to execute arbitrary commands with superuser privileges[2].

The vulnerabilities were assigned the common identifier CVE-2018-1418. According to the researchers, QRadar has a built-in application for file analysis. The application is disabled in Community Edition, but its code has not been completely removed and some of it is still running.

The application has two components: a Java servlet and the main PHP component. The first component contains a vulnerability that can be used to bypass authentication, and the second contains a flaw that allows arbitrary command execution. In addition, Ribeiro discovered a third vulnerability that can be exploited to escalate privileges.

According to IBM, the vulnerabilities affect QRadar SIEM versions 7.3.0 - 7.3.1 Patch 2 and QRadar SIEM 7.2.0 - 7.2.8 Patch 11. Fixes are included in versions 7.3.1 Patch 3 and 7.2.8 Patch 12.
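The two advisories above (CVE-2020-4786 and CVE-2018-1418) each give their affected range as "version to version Patch N". The following is an added example, not IBM's or Positive Technologies' code, that turns those published ranges into an inventory check a defender can run: it parses QRadar version strings in the form used on this page ("7.3.3 Patch 5", "7.4.2 GA", "7.4.0") and reports which listed CVE ranges each host falls into. The host names and inventory are constructed for illustration.

```python
import re

# Affected ranges exactly as stated in the advisories summarised on this page.
# Each entry is (first affected, last affected), inclusive.
AFFECTED_RANGES = {
    "CVE-2020-4786": [
        ("7.4.2 GA", "7.4.2 Patch 1"),
        ("7.4.0", "7.4.1 Patch 1"),
        ("7.3.0", "7.3.3 Patch 5"),
    ],
    "CVE-2018-1418": [
        ("7.3.0", "7.3.1 Patch 2"),
        ("7.2.0", "7.2.8 Patch 11"),
    ],
}

# major.minor.maintenance, optionally followed by "GA" or "Patch N" / "PN".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)\s*(?:GA|(?:Patch|P)\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text):
    """Turn '7.3.3 Patch 5', '7.4.2 GA' or '7.4.0' into a comparable tuple.

    'GA' and a bare x.y.z both mean patch level 0, so '7.4.2 GA' == '7.4.2'.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised QRadar version string: {text!r}")
    major, minor, maint, patch = m.groups()
    return (int(major), int(minor), int(maint), int(patch or 0))


def affected_cves(version_text):
    """Return the CVE ids whose published ranges contain this version."""
    version = parse_version(version_text)
    hits = []
    for cve, ranges in AFFECTED_RANGES.items():
        for low, high in ranges:
            if parse_version(low) <= version <= parse_version(high):
                hits.append(cve)
                break  # one matching range per CVE is enough
    return hits


def triage_inventory(inventory):
    """Map each host in a {host: version} dict to its affected CVE list.

    Hosts whose version string cannot be parsed are flagged as 'UNKNOWN'
    rather than silently reported as clean.
    """
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = affected_cves(version)
        except ValueError:
            report[host] = ["UNKNOWN"]
    return report


# Constructed sample inventory (hypothetical hosts, not a real deployment).
SAMPLE_INVENTORY = {
    "qradar-console-1": "7.3.1 Patch 2",   # inside both ranges
    "qradar-ep-1": "7.3.3 Patch 6",        # past the last affected 7.3.3 patch
    "qradar-lab": "7.2.8 Patch 11",        # last affected 7.2.8 build
    "qradar-new": "7.4.2 Patch 2",         # fixed 7.4.2 build
    "qradar-odd": "7.4-build-123",         # malformed, must not be reported clean
}

if __name__ == "__main__":
    for host, cves in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:18} {', '.join(cves) or 'not in any listed range'}")
```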

2017: Cisco and IBM join forces in the fight against cybercrime

Cisco and IBM Security have joined forces to counter the growing threat of global cybercrime. Under an agreement signed in June 2017, Cisco and IBM Security will work closely together on behalf of customers in product and service integration, as well as threat analysis.

To protect organizations at the network, endpoint, and cloud levels, Cisco information security solutions will be integrated with the IBM QRadar platform. Another important aspect of collaboration for customers is the extensive support by IBM Global Services for Cisco products as part of its Managed Security Service Provider (MSSP) offerings. The agreement also provides for new principles of interaction between IBM X-Force and Cisco Talos research units, which will begin to cooperate in the field of threat analysis and coordinate actions on major security incidents.

Cisco's information security offerings, built on an architectural approach and combined with IBM's Cognitive Security Operations platform, will improve customer protection across the network, endpoints, and cloud. As part of the collaboration, Cisco will develop a number of applications for the IBM QRadar analytical security platform. The first new applications include two that help security teams recognize and contain advanced threats. They will be available in IBM Security App Exchange. As a result, users of Cisco Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), Advanced Malware Protection (AMP) and Threat Grid solutions will be able to identify incidents faster and remediate them more effectively.

In addition, the IBM Resilient Incident Response Platform (IRP) and Cisco Threat Grid will be integrated to give security teams the intelligence they need to speed up incident response. IRP analysts will be able to look up indicators of compromise in Cisco Threat Grid and detonate suspicious software in a sandbox; as the sample runs, analysts receive key data on the threat.

Threat Analysis and Managed Services

The joint research, involving leading specialists from IBM X-Force and Cisco Talos, will focus on the most pressing cybersecurity problems facing the two companies' shared customers. For such customers, IBM will integrate X-Force Exchange and Cisco Threat Grid, which will significantly expand the historical and operational reach of threat analysis, while specialists will be able to compare data for in-depth analysis.

For example, Cisco and IBM exchanged analytical data during the recent response to the WannaCry ransomware attacks. The services of both companies coordinated their response and passed information about the spread of the malware to each other. Cooperation will continue to ensure that shared customers and the entire industry receive the latest data.

As the collaboration expands, IBM Managed Security Services, which manages security services for 3,700 customers worldwide, will work with Cisco to offer new services aimed at further simplifying security systems. One of the first solutions targets the growing hybrid cloud market. As enterprise customers move their information security infrastructure to public and private cloud providers, IBM Security will provide managed security services that support Cisco's leading public cloud services.

2015

Access to IBM Security QRadar

On December 11, 2015, IBM announced open access to the IBM Security QRadar security analytics platform. At the same time, the IBM Security App Exchange online platform was launched, aimed at the security community, where members can develop and share applications based on IBM technologies.

Providing access to the analytical security platform is IBM's second step in 2015 aimed at stimulating industry collaboration and promoting innovation to combat cybercrime. Earlier, the company published 700 TB of threat data on the IBM X-Force Exchange platform. Since its launch in April 2015, more than 2,000 organizations have joined the platform. With open access to an analytical security platform and an archive of threat data, companies can share information and experience with each other, allowing them to stay one step ahead of cybercriminals.

IBM and partners, including Bit9 + Carbon Black, BrightPoint Security, Exabeam and Resilient Systems, have already uploaded dozens of client-developed applications to IBM Security App Exchange. They supplement the analytic data contained in IBM Security QRadar with tools for evaluating user behavior, information from endpoint devices, and attack simulation. The new applications take advantage of the open programming interfaces (APIs) of IBM QRadar. Data analysis and platform-based threat information helps detect security breaches in thousands of security operations centers around the world, including at half of the Fortune 100 companies.

IBM Security QRadar Release

On December 11, 2015, IBM announced the release of IBM Security QRadar, which analyzes the company's IT infrastructure data and identifies potential security threats.

QRadar Information Panel (2013)

QRadar helps users create algorithms that automatically perform the necessary actions when specific threats are detected. For example, an algorithm created with QRadar can automatically start blocking IP addresses and control user access based on a risk profile. Applications developed with the QRadar framework can use customized algorithms to respond to threats automatically.

IBM continued to integrate QRadar with IBM BigFix to help users address threats by priority and fix vulnerabilities on their devices more effectively. QRadar can now identify unprotected endpoints that do not have BigFix installed, helping users find intruders or unmanaged assets faster.