Book Image

Building a Next-Gen SOC with IBM QRadar

By : Ashish M Kothekar
Book Image

Building a Next-Gen SOC with IBM QRadar

By: Ashish M Kothekar

Overview of this book

This comprehensive guide to QRadar will help you build an efficient security operations center (SOC) for threat hunting and need-to-know software updates, as well as understand compliance and reporting and how IBM QRadar stores network data in real time. The book begins with a quick introduction to QRadar components and architecture, teaching you the different ways of deploying QRadar. You’ll grasp the importance of being aware of the major and minor upgrades in software and learn how to scale, upgrade, and maintain QRadar. Once you gain a detailed understanding of QRadar and how its environment is built, the chapters will take you through the features and how they can be tailored to meet specifi c business requirements. You’ll also explore events, flows, and searches with the help of examples. As you advance, you’ll familiarize yourself with predefined QRadar applications and extensions that successfully mine data and find out how to integrate AI in threat management with confidence. Toward the end of this book, you’ll create different types of apps in QRadar, troubleshoot and maintain them, and recognize the current security challenges and address them through QRadar XDR. By the end of this book, you’ll be able to apply IBM QRadar SOC’s prescriptive practices and leverage its capabilities to build a very efficient SOC in your enterprise.
Table of Contents (18 chapters)
1
Part 1: Understanding Different QRadar Components and Architecture
5
Part 2: QRadar Features and Deployment
10
Part 3: Understanding QRadar Apps, Extensions, and Their Deployment

QRadar Components

We live in a digital age in which the paradigms of security have changed. In the past, wars were fought on battlefields. Now, digital space is where the security of a nation-state, an enterprise, or an individual is threatened. Gartner predicts that by 2025, cyber attackers will use weaponized technology to harm or kill humans. Earlier, cyberattacks were restricted to things such as denial of services, information theft, and ransomware.

These cyberattacks have a heavy financial toll (billions of dollars), cause disruption in production, cause intellectual property to be stolen, and eventually, the brand reputation is tarnished. This is a never-ending battle in this digital age. Security vendors have come up with hundreds of security products and solutions to counter these cyberattacks. IBM has been at the forefront and is leading the security space with top-of-the-line products and solutions.

To understand the impact of a cyberattack, we just have to look a few years back at what happened with Ashley Madison. Ashley Madison was a dating app for those who were married, and the slogan they used to advertise then was “Life is short. Have an affair.” Not surprisingly, the service had 37 million subscribers.

And then the unthinkable happened for the subscribers of the site. Ashley Madison used the weakest password encryption algorithm, and it was easily hacked. A hacker group called the Impact Group gave Ashley Madison 30 days to pay a ransom. As Ashley Madison did not pay, on the 30th day, they released about 60 GB of data with the names, email addresses, credit card numbers, and other details of the subscribers on the dark net. Soon, the media and the crooks started looking for famous personalities to hold them for ransom. The hack soon became public knowledge, leading to a large number of breakups, divorces, and even suicides. The financial implications of such breaches are unaccountable. The site and the brand of Ashley Madison were damaged permanently.

The point that needs to be understood from this scenario is that security breaches can cost lives, and hence any organization (whether it be a dating website, a bank, or a telecom company) needs to be on top of its game when it comes to security.

IBM QRadar is a solution suite that provides enhanced threat intelligence and insights into cyberattacks. These insights help organizations automate responses to threats and also help in devising new strategies to counter cyberattacks. An organization uses hundreds of enterprise solutions and security products from different vendors, such as firewalls, Endpoint Detection Response (EDR), Intrusion Prevention System (IPS), Data Loss Prevention (DLP), and so on. IBM QRadar seamlessly integrates with all these products, consumes all the security data from them, and provides security alerts or insights that are actionable.

In this book, we will learn more about how to build your next-generation Security Operations Center (SOC) using the IBM QRadar solution suite. To understand IBM QRadar and how it functions, it is important to understand the different components. We call all these different QRadar components managed hosts (apart from the Console).

In this chapter, we will discuss various QRadar services for each component, which should be a good starting point to design the architecture for your SOC. As per different requirements, different components can be used in the deployment. Various aspects such as deployment types, scaling, upgrades, and licensing are discussed in corresponding chapters. In this chapter, however, we’re going to cover the following main topics:

  • Understanding the QRadar Console
  • Exploring event data
  • Exploring flow data
  • Getting to know the Data Node
  • Investigating QRadar components