
IBM QRadar Security Intelligence Platform QRSIP Security QRadar SIEM

Product
Developers: IBM
Last Release Date: 2021/03/09
Branches: Information security
Technology: Information Security - Fraud Detection System (Fraud), Security Information and Event Management (SIEM)

Content

IBM QRadar Security Intelligence Platform - Software for detecting network security threats and countering them. IBM QRadar Security Intelligence Platform products provide a single architecture for integrating security information and event management (SIEM), log management, anomalous situation detection, configuration management, and vulnerability resolution. These products offer advanced threat detection capabilities, ease of use, and low cost of ownership.

Key Capabilities Planned for IT Security Platform Implementation

  • A single architecture for analyzing logs, flows, vulnerabilities, user and asset data.
  • Correlation and anomaly detection in near real time to identify the most dangerous security risks.
  • High-priority identification of incidents based on the analysis of billions of data points.
  • Full visibility into network activity, application performance and user actions.
  • Automated compliance through data collection, correlation, and reporting capabilities.

  • Access to generalized threat information - It is planned to provide access to information from one of the world's largest repositories of identified IT threats and vulnerabilities. This information is based on monitoring results delivered over the IBM X-Force Threat Intelligence Feed, which observes an average of 13 billion security events daily. Access to generalized information about existing threats and vulnerabilities allows you to identify behavior (or a particular activity or state) that can be associated with so-called Advanced Persistent Threats (APT). These particularly sophisticated threats can come from well-coordinated and targeted teams of attackers who use masking techniques to gain unauthorized access to networks.

  • Enterprise-Wide Activity Control - The platform will accumulate information about security events related to IBM and third-party products that covers four areas of organizational risk: infrastructure, people, applications, and data.

  • Detailed analysis in the Big Data era - the analytical platform can operate at the level of basic data elements, which allows you to analyze a wide range of events, from information about access to the corporate network at the periphery of the organizational structure to indicators of database query activity within the core enterprise systems.

Access to generic threat information

One of the most important integration initiatives for the QRadar platform is the IBM X-Force Threat Intelligence Feed, which is built on a global operational monitoring system that records an average of 13 billion security events daily for almost 4,000 customers in more than 130 countries. The QRadar platform will have a complete picture of the latest global security trends, which will help protect enterprises from newly emerging risks. QRadar will display current IBM X-Force feeds describing IT threats and vulnerabilities in user dashboards and, based on automated policies, correlate security and network activity events across the organization with these threats and vulnerabilities in real time.

Platform components

IBM Security QRadar Log Manager: A high-performance system for collecting, analyzing, archiving, and storing large volumes of network and security event protocols.

IBM Security QRadar Network Anomaly Detection: Improve IBM intrusion prevention systems (IPS) by gaining more information about the network situation and abnormal actions to better identify security threats.

IBM Security QRadar QFlow Collector: Combined with IBM Security QRadar SIEM and flow processors, provides application-level (Layer 7) mapping and flow analysis so you can understand what is happening on the network and respond to network activity.

IBM Security QRadar Risk Manager: Helps automate security threat management in critical areas, strengthen protection against attacks, and improve compliance at the same time.

IBM Security QRadar SIEM: Logging events from thousands of end devices and applications distributed on the network. This system performs instant normalization and identifies a link between actions on raw data to distinguish real threats from false positives.

IBM Security QRadar VFlow Collector: Combined with IBM Security QRadar SIEM, provides application-level (Layer 7) mapping of virtual network flows so you can understand what is happening on the network and respond to network activity.

Broad coverage

Other integration capabilities are also planned that will allow the QRadar Security Intelligence Platform to help customers identify and counter IT threats more quickly by contextually linking events from the following categories:

  • People - Organizations should control access to key systems and information. Unauthorized employee access to critical databases and customer information makes the company vulnerable to system compromise, data theft, and other security threats. With the help of special analytical tools, IT security experts can quickly determine whether the access pattern shown by a particular user matches their position, authority and privileges in the organization. The QRadar platform will be integrated with IBM Security Identity Manager and IBM Security Access Manager software, complementing QRadar's existing support for enterprise directory services such as Microsoft Active Directory.

  • Data - Data is the main "protected object" in the security system; it is the primary target for cybercriminals, so all security measures are ultimately aimed at protecting it. Using IBM Guardium Database Security software integrated with the analytical security platform, organizations will be better able to identify and correlate unauthorized or suspicious activity at the database level (for example, a database administrator accessing tables of credit card numbers after hours) with abnormal activity discovered at the network level (for example, credit card records being sent to unknown servers on the Internet).

  • Applications - Applications are required for daily operations, but they can also introduce serious new vulnerabilities into enterprise networks. Because applications are exposed to external input, they should be updated regularly. Organizations, however, are often unable to install patches immediately because of corporate testing requirements and change management cycles. The analytics platform can automatically alert IT security personnel to Web applications that do not have the latest updates installed. Such applications are at constant risk of attacks using well-known "exploits" (malicious code that exploits a specific software vulnerability) previously identified by IBM Security AppScan. This planned integration complements the QRadar platform's existing support for enterprise-class application monitoring tools such as IBM WebSphere and SAP ERP.

  • Infrastructure - Today, organizations are making great efforts to secure thousands of physical devices, such as personal computers and mobile phones, especially amid the growing popularity of the Bring Your Own Device approach, which involves the possibility of using personal mobile devices at work. For this reason, companies should take additional precautions to help their employees strictly follow information security rules when using such devices. Through integration with IBM Endpoint Manager, the intelligence security platform can provide organizations with enhanced protection for physical and virtual end computing devices - servers, desktops, laptops, smartphones and tablets, as well as specialized equipment such as cash registers, ATMs and interactive kiosks.

Integration modules for the QRadar platform are also planned for Websense Triton, Symantec DLP, Stonesoft StoneGate and other third-party products. This integration strategy expands the QRadar ecosystem and continues Q1 Labs' traditional support for "multi-vendor" heterogeneous environments.

Big Data Analysis Solutions

The QRadar platform has also been expanded with Big Data capabilities, in particular for storing and querying large amounts of security-related information. In addition, security features for virtualized infrastructures have been added, and visual monitoring has been expanded and improved. All of this helps customers reduce security risks and automate compliance processes.

Strengthening security in general and protecting network data sources in particular is complemented by enhanced functionality focused on exponential data growth. Among the new opportunities:

  • Instant Search to support quick free-form queries for both event logs and data streams. This feature is designed to extend the simplicity and speed of Internet search engines to the analytical security platform.

  • XX24 series devices designed to increase performance and scalability - benefits for which QRadar solutions have become widely known. With the release of QRadar 3124 SIEM devices, a QRadar 1624 Event Processor, and a QRadar 1724 Flow Processor - all of which contain 16TB of storage memory and 64GB of RAM - organizations can support more users, achieve higher performance, and save data for longer.

  • An intelligent storage policy management system that allows organizations to determine how much information they want to store and for how long. Less important data can be deleted earlier to be able to store more important data longer.

  • Virtual appliances that enable end-user customers and service providers to benefit from the virtual infrastructures they build, while taking advantage of less expensive and fully functional security intelligence solutions.

Planned integration modules (pairing modules or device support modules) will be delivered in conjunction with QRadar Security Information Event Management (SIEM) and QRadar Log Manager at no additional cost and through automatic updates.

IBM Security QRadar SIEM

IBM Security QRadar SIEM is a system for registering events on endpoints and applications distributed on the network.

IBM Security QRadar SIEM logs events from thousands of endpoints and applications distributed on the network. This system performs instant normalization and identifies links between actions in raw data to distinguish real threats from false positives. In one edition, this software includes IBM Security X-Force Threat Intelligence, which provides a list of potentially malicious IP addresses, including addresses of malware-infected computers, spam sources and other threats. IBM Security QRadar SIEM can also map known threats to systems, events and network data in order to prioritize security incidents.


Functionality

  • Displays near-real-time events for threat detection and prioritization, giving you visibility across your entire IT infrastructure.
  • Reduces the number of alerts and prioritizes them so that investigation can focus on a list of suspicious events.
  • Improves threat management and generates detailed reports on data access and user actions.
  • Supports easy and fast installation and provides time-saving tools and features.
  • Generates data access and user activity reports to manage compliance.
  • Detects misuse of applications, internal fraud and subtle modern threats that can be overlooked among millions of events.
  • Collects logs and events from multiple sources, including security devices, operating systems, applications, databases, and identity and access management systems.
  • Collects network flow data, including Layer 7 (application layer) data from switches and routers.
  • Obtains information from identity and access management systems and infrastructure services such as Dynamic Host Configuration Protocol (DHCP), and from network and application vulnerability scanners.
  • Performs instant normalization of events and correlates them with other data for threat detection, compliance reporting, and auditing.
  • Reduces billions of events and flows to a small number of real violations and prioritizes them according to the threat to the business.
  • Defines baseline characteristics and detects anomalies to identify changes in the behavior of applications, computers, users, and network segments.
  • Uses the optional IBM Security X-Force Threat Intelligence software to identify activity involving suspicious IP addresses, such as suspected malicious activity.
  • Monitors serious incidents and threats and provides links to all required data and related situations for better analysis.
  • Searches events and data streams in near-real-time streaming mode, or searches stored data, to improve analytics.
  • Can be extended with IBM Security QRadar QFlow and IBM Security QRadar VFlow Collector appliances to gain deeper insight into and better mapping of applications (e.g., enterprise resource planning applications), databases, collaboration products, and social networks through Layer 7 network flow analysis.
  • Detects out-of-hours activity, unusual use of applications or cloud services, and network activity that does not match stored usage patterns.
  • Performs federated search across large distributed environments.
  • Automatically discovers most log sources and monitors network flows to find and classify computers and servers, and tracks the applications, protocols, services, and ports they use, saving significant time.
  • Uses a centralized user interface with role-based access to features and a single view for near-real-time analytics, incident management, and reporting.
  • Coalesces network flow records into a single record over a short interval to reduce disk space usage and meet license requirements.
  • Tracks all access to client data by name and IP address to ensure compliance with privacy policies.
  • Uses an intuitive reporting module that requires neither special databases nor special reporting skills.
  • Provides transparency, accountability, and measurability for compliance and its reporting.

History

2024: IBM QRadar can be used to penetrate the perimeter. FSTEC Warning

FSTEC issued a warning on August 19 about IBM fixing a critical vulnerability in the IBM QRadar Suite product, which is used to analyze messages from security systems (SIEM). The detected error received the identifier BDU:2024-06268[1] and the highest severity level of 10 out of 10 on the CVSS scale, since it allows malicious code to be executed remotely, without user interaction and with little effort. A public exploit already exists, and an update is available: the vulnerability is fixed in QRadar Suite version 1.10.24.0[2].

"The vulnerability CVE-2024-39008 can pose a real threat to companies using QRadar, because attackers do not need direct access via the Internet to exploit it," Boris Larin, a leading expert at Kaspersky GReAT, Kaspersky Lab, warned TAdviser readers. "Domestic companies should be extra vigilant and check that the vulnerable NPM library fast-loops is not used in any other software used within the company, especially software developed by the organization itself, including for internal use."

The fact is that an uncontrolled modification of prototype object attributes (prototype pollution) was discovered in one of the utilities of the IBM QRadar Suite called robinweser. It uses the fast-loops library, which allows the __proto__ attribute to be overwritten when processing JSON files. As a result, attackers can use a specially crafted JSON file either to disable the system or to execute code written into the corresponding attribute of the object. Moreover, it is not necessary to deliver the malicious file to the SIEM system directly: it will capture the file on the perimeter itself with the help of its sensors and process it internally. That is, this vulnerability can be used to run malicious code already inside the company, i.e., to penetrate the perimeter.
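The defect class described above, as an added example that is neither fast-loops' nor IBM's code: a recursive merge that copies every key from parsed JSON (the vulnerable pattern) beside a hardened version that refuses prototype-related keys, plus a small scanner a defender can run over ingested JSON to flag such keys before it is processed. The sample documents and the function names are constructed for this illustration.

```javascript
// Added illustration of JSON prototype pollution; not code from fast-loops or QRadar.
// Keys that must never be copied from untrusted input into a plain object graph.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Vulnerable pattern: copies every key recursively. JSON.parse creates an own
// property literally named "__proto__", and reading target["__proto__"] on a plain
// object yields Object.prototype, so the recursion writes into the shared prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: skip prototype-related keys and only descend into the
// target's own properties, never into inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (isPlainObject(source[key])) {
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Detection helper: walk a parsed document and return dotted paths of any
// prototype-related keys, so suspicious input can be logged or rejected before merging.
function findForbiddenKeys(value, path = "", found = []) {
  if (!isPlainObject(value)) return found;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) found.push(here);
    findForbiddenKeys(value[key], here, found);
  }
  return found;
}

// Constructed sample documents (not real captured artifacts).
const POLLUTING_JSON = '{"name":"event","__proto__":{"polluted":"yes"}}';
const NESTED_JSON = '{"a":{"constructor":{"prototype":{"x":1}}},"b":2}';

// Merge the polluting sample into an empty object with the given function and report
// whether an unrelated object afterwards inherits the injected attribute. Cleans up.
function pollutionLeaks(mergeFn) {
  mergeFn({}, JSON.parse(POLLUTING_JSON));
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return leaked;
}

console.log("unsafeMerge leaks:", pollutionLeaks(unsafeMerge)); // "yes"
console.log("safeMerge leaks:", pollutionLeaks(safeMerge));     // undefined
console.log("suspicious keys:", findForbiddenKeys(JSON.parse(NESTED_JSON)));
```

The scanner is the cheap control to put in front of any JSON ingestion path; the hardened merge is the fix to apply in the library itself.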

"On the other hand, if we recall the global failure caused by the release of faulty updates from CrowdStrike, the situation for our country in terms of risks is more favorable," says Boris Larin. "This is because in Russian companies the most common solutions are domestic SIEM and EDR products, which are in no way inferior to, and as a rule actually surpass, their foreign counterparts."

However, there are still clients in Russia who use Russian security tools on the perimeter and foreign ones inside, since they consider the latter more reliable and of higher quality. When a vulnerability is discovered, this can be dangerous: even with a Russian SIEM system alongside it, QRadar will execute malicious code as soon as it tries to process the corresponding file.

"The vulnerability was discovered in the library (5.2 million downloads every month), which is also used in IBM QRadar," Sergey Tarasov, head of the vulnerability analysis group at the Positive Technologies security expert center, explained to TAdviser. "Although, as a rule, there is no direct access to SIEM systems from the Internet, the product may be of interest to cybercriminals, as in fact are all information protection tools. SIEM is a valuable source of data, which means that after gaining access to the system a hacker can obtain this information or disrupt the SOC service, 'blinding' it."

The compensating measures offered by FSTEC for protecting against the vulnerability when updates cannot be installed are minimal this time:

  • Use firewall tools to limit the ability to send network packets to the vulnerable software product.
  • Use virtual private networks (VPN) for remote access.

"Like any key system in the company, SIEM should be protected from attackers by restricting network access to it to authorized groups of employees only," Sergey Tarasov adds to the FSTEC recommendations. "If you are using a vulnerable product, update it immediately. At the same time, do not forget about the risks of updating systems whose manufacturers have left the Russian market."

In addition, it is worth monitoring the Internet traffic of the server where QRadar is installed. In this traffic, attempts to communicate with command-and-control servers over various covert channels must be identified and blocked. If signs of such communications are found, a full incident investigation must be carried out.

2021: Fixing a vulnerability that allows an attacker to send requests on behalf of the system

IBM has fixed a vulnerability in QRadar SIEM discovered by Positive Technologies, as reported on March 9, 2021.

The vulnerability could be used to attack companies' internal networks.

The server-side request forgery (SSRF) vulnerability identified in IBM QRadar SIEM by Positive Technologies expert Mikhail Klyuchnikov has a medium severity level (5.4 on the CVSS scale).

The error received the identifier CVE-2020-4786. By exploiting it, an attacker can send requests on behalf of the system, obtain information about the network infrastructure, and thus simplify further attacks.

"Using this vulnerability, an authorized attacker can send requests over some protocols on behalf of the server, both to the internal network and to the external network," explains Mikhail Klyuchnikov. "When sending requests to the internal network, he can obtain information about network nodes and their open ports, that is, learn more about that network. In addition, in some cases an attacker can exploit known vulnerabilities in software located on the internal network, which will allow him to develop his attack."

The problem affects IBM QRadar SIEM versions 7.4.2 GA to 7.4.2 Patch 1, 7.4.0 to 7.4.1 Patch 1, and 7.3.0 to 7.3.3 Patch 5. To fix the vulnerability, update the product to the latest versions in accordance with the manufacturer's recommendations.

2018: Dangerous vulnerabilities discovered in IBM QRadar platform

Security researcher Pedro Ribeiro has discovered[3] three dangerous vulnerabilities in the IBM QRadar platform that, when chained together, allow a remote unauthenticated attacker to execute arbitrary commands with superuser privileges[4].

The vulnerabilities share the identifier CVE-2018-1418. According to the researcher, QRadar has a built-in application for analyzing files. The application is disabled in the Community Edition, but its code has not been completely removed and some of it is still running.

The application has two components: a Java servlet and the main PHP component. The first has a vulnerability that can be used to bypass authentication, and the second has a flaw that allows arbitrary commands to be executed. In addition, Ribeiro discovered a third vulnerability that could be exploited to elevate privileges.

According to IBM, the vulnerabilities affect QRadar SIEM 7.3.0 to 7.3.1 Patch 2 and QRadar SIEM 7.2.0 to 7.2.8 Patch 11. The corresponding fixes are included in versions 7.3.1 Patch 3 and 7.2.8 Patch 12.

2017: Cisco and IBM join forces on cybercrime

Cisco and IBM Security have joined forces to jointly confront the growing threat of global cybercrime. According to the agreement signed in June 2017, Cisco and IBM Security will work closely for customers in the field of product and service integration and threat analysis.

To protect organizations at the network, endpoint, and cloud levels, Cisco information security solutions will be integrated with the IBM QRadar platform. Another important aspect of cooperation for customers is the large-scale support of Cisco products by IBM Global Services as part of the Managed Security Service Provider (MSSP) offerings. The agreement also provides for new principles of interaction between the research units of IBM X-Force and Cisco Talos, which will begin to cooperate in the field of threat analysis and coordinate actions on major security incidents.

Cisco's architectural security offerings, combined with the IBM Cognitive Security Operations platform, will improve customer protection across all areas, from the network to endpoints to the cloud. As part of the cooperation, Cisco will develop a number of applications for the IBM QRadar security analytics platform. Among the first new applications are two that will help security teams recognize and repel advanced threats. They will be available through the IBM Security App Exchange. Thus, users of Cisco Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), Advanced Malware Protection (AMP) and Threat Grid solutions will be able to identify incidents more quickly and remediate their consequences more effectively.

In addition, the IBM Resilient Incident Response Platform (IRP) and Cisco Threat Grid will be integrated to provide security teams with the intelligence they need to accelerate incident response. IRP analysts will be able to search for indicators of compromise using Cisco Threat Grid and detonate suspicious software in a sandbox; during detonation, specialists will receive important data on the threat.

Threat Analysis and Managed Services

The goal of joint research, which will involve leading specialists from IBM X-Force and Cisco Talos, will be the most pressing cybersecurity problems facing the common customers of both companies. For such customers, IBM will integrate X-Force Exchange and Cisco Threat Grid, which will significantly expand the historical and operational horizons of threat analysis, while specialists can compare the received data for in-depth analysis.

For example, Cisco and IBM exchanged analytical data while repelling the recent WannaCry ransomware attacks. The teams of both companies coordinated their response and shared information about the spread of the malware. Cooperation will continue to ensure that common customers and the entire industry receive the latest data.

As part of the expansion, IBM Managed Security Services, which manages security services for 3,700 customers worldwide, will work with Cisco to offer new services to further simplify security. One of the first solutions is for the growing hybrid cloud market. With enterprise customers transferring information security infrastructure to public and private cloud providers, IBM Security will provide managed security services with support for Cisco security platforms to leading public cloud services.

2015

Access to IBM Security QRadar

On December 11, 2015, IBM announced open access to the IBM Security QRadar security analytics platform. At the same time, the IBM Security Exchange online platform was launched, aimed at the community of security specialists, where they can develop and share applications based on IBM technologies.

Providing access to an analytical security platform is IBM's second step in 2015, aimed at stimulating industry collaboration and promoting innovation to combat cybercrime. The company previously published 700 TB of threat data on the IBM X-Force Exchange platform. Since its launch in April 2015, more than 2,000 organizations have joined the platform. With open access to an analytical security platform and a threat data archive, companies will be able to share information and experience with each other, which will allow them to be one step ahead of cybercriminals.

IBM and partners, including Bit9 + Carbon Black, BrightPoint Security, Exabeam and Resilient Systems, have already downloaded dozens of client-developed applications into IBM Security App Exchange. They help complement the analytical data contained in IBM Security QRadar with tools for assessing user behavior, information from end devices, and attack modeling. New applications take advantage of open programming interfaces (APIs) for IBM QRadar. Data analytics and platform-based threat intelligence help detect security breaches in thousands of security centers around the world, including half of the Fortune 100 companies.

IBM Security QRadar release

On December 11, 2015, IBM announced the release of a new version of IBM Security QRadar, which analyzes a company's IT infrastructure data and identifies potential security threats.

QRadar Information Panel (2013)

QRadar will help users create rules that automatically perform the necessary actions when specific threats are detected. For example, a rule created in QRadar can automatically start blocking IP addresses and control user access based on a risk profile. Apps built on the QRadar framework can use custom rules to respond to threats automatically.

IBM continued to integrate QRadar with IBM BigFix to help users counter threats more effectively in order of priority and fix vulnerabilities on their devices. QRadar can now identify unprotected endpoints that do not have BigFix installed and help users find rogue or unmanaged assets faster.

Notes