Book Image

Building a Next-Gen SOC with IBM QRadar

By : Ashish M Kothekar
Book Image

Building a Next-Gen SOC with IBM QRadar

By: Ashish M Kothekar

Overview of this book

This comprehensive guide to QRadar will help you build an efficient security operations center (SOC) for threat hunting and need-to-know software updates, as well as understand compliance and reporting and how IBM QRadar stores network data in real time. The book begins with a quick introduction to QRadar components and architecture, teaching you the different ways of deploying QRadar. You’ll grasp the importance of being aware of the major and minor upgrades in software and learn how to scale, upgrade, and maintain QRadar. Once you gain a detailed understanding of QRadar and how its environment is built, the chapters will take you through the features and how they can be tailored to meet specifi c business requirements. You’ll also explore events, flows, and searches with the help of examples. As you advance, you’ll familiarize yourself with predefined QRadar applications and extensions that successfully mine data and find out how to integrate AI in threat management with confidence. Toward the end of this book, you’ll create different types of apps in QRadar, troubleshoot and maintain them, and recognize the current security challenges and address them through QRadar XDR. By the end of this book, you’ll be able to apply IBM QRadar SOC’s prescriptive practices and leverage its capabilities to build a very efficient SOC in your enterprise.
Table of Contents (18 chapters)
Part 1: Understanding Different QRadar Components and Architecture
Part 2: QRadar Features and Deployment
Part 3: Understanding QRadar Apps, Extensions, and Their Deployment

Other QRadar components

Along with the collectors, processors, and Console, we have a few more feature-rich components that we will look at next. Some of the components that we will discuss are managed hosts, while the QRadar Packet Capture component is an unmanaged host.

Let’s get started and discuss each component in detail.

QRadar Network Insights

QRadar Network Insights (QNI) is another QRadar component that is used for capturing flow data. Now, it might be interesting to know why we have QNI when we already had a Flow Collector and Flow Processor, which were also meant to capture flow data.

The Flow Collector and Flow Processor have a service called qflow, which is responsible for collecting flow data. qflow captures the first 64 bytes of the packet and not the complete payload. This is done to extract important information from packet data. If complete packet data is saved on the Flow Processor, the amount of network packet data would be so huge that it would fill up the Flow Processor in days, if not hours. So, it is practical to capture the first 64 bytes of packet information and store it.

QNI as an appliance (we will learn what an appliance is and how it is different from software installs in Chapter 2,) has special hardware to capture huge chunks of data, process that data, extract metadata, and send it to the processor for storage. So, if the same packet capture is sent to QNI, it can capture more data than qflow will capture with the first 64 bytes of information. For example, if the payload contains information that a user tried to access Facebook or tried to upload a file on Dropbox, QNI be able to capture the hash of the file that is uploaded (if available in the payload). This hash value can then be used by QRadar to determine whether it is a known threat by comparing the hash value of the file to the threat intelligence feeds it has.

In short, QNI provides us with more detailed information about the same packet capture compared to the information if Flow Collector/Processor is used using qflow.

In a single deployment, there can be multiple QNIs installed. QNI captures the packets and sends the information/insights to the processor/Console in IPFIX format. As the insights from QNI are more detailed, granular rules can be created, providing better security coverage.

QRadar Incident Forensics

Till now, we have talked about managed hosts, which are deployed in the QRadar environment for collecting and processing data in terms of events and flows. When it comes to forensics and deep diving into a security incident, QRadar Incident Forensics (QRIF) comes into the picture.

A security incident, such as financial fraud, would require an in-depth investigation of all activities that took place over a period of time. QRIF helps in reconstructing network sessions from the packet capture available.

For example, last Friday night, someone in a bank environment downloaded a script on the server and ran it. After a while, some of the accounts were compromised and a transfer of funds took place. From events and flows, a preliminary analysis can be done. But if there was complete packet capture available from the span port on the switch where the server was connected, QRIF could recover and reconstruct the complete session based on the source and destination IP address (or any other query), and a web session showing the exact actions of the threat actor can be seen.

QRadar Packet Capture

If QRIF can reconstruct the complete sessions, it will require complete packet captures to be stored from the time of the incident. This is where QRadar Packet Capture (QPCAP) comes into the picture. QPCAP is not a managed host. This can be placed in the network where the capture port of QPCAP can collect the network packets and store them. Network packets can fill up QPCAP very quickly. So, it has large storage space and special hardware for direct I/O disk access.

Typically, QPCAP is configured to capture and store network packet data for 7 days. If needed, multiple packet captures can be used as per the requirement.

QRadar Vulnerability Manager

Along with event data and flow data, another important aspect of information from the point of view of security is the vulnerability data of the assets in the environment. Administrators should have information on the assets available and how vulnerable these assets are. QRadar Vulnerability Manager (QVM) performs active and passive scans on the assets in the network.

For example, a QVM scan can be run periodically to understand whether the patching of all Microsoft servers is completed. It helps in determining the security posture of an organization.

QVM is a complete asset management tool right from discovering assets to running remediation reports for those assets. For this, QVM seamlessly integrates with other products such as BigFix and IBM SiteProtector.

Figure 1.3 – Assets tab

Figure 1.3 – Assets tab

In the preceding figure, the assets database can be seen. Each asset will have a unique ID, domain information, and vulnerability information associated with it.

Figure 1.4 – Vulnerabilities tab

Figure 1.4 – Vulnerabilities tab

In the preceding figure, a scan is run twice over a period. There are eight assets that were scanned both times, but the number of vulnerabilities is different. This indicates that over a period of time, new vulnerabilities were found for the same assets.

QRadar Risk Manager

QRadar Risk Manager (QRM) is a managed host that collects configuration information from the network devices in the environment. This information is then pictorially depicted in the form of network topology.

For example, in a typical data center, there are multiple network devices such as routers, firewalls, intrusion prevention devices, and so on. QRM pulls the configuration details from all the network devices and creates network topology graphs. It can also simulate any changes in the policies by calculating the risk to the environment.

Figure 1.5 – Risks tab

Figure 1.5 – Risks tab

QRM can integrate with QVM. Risk policies can be defined on QRM. To give an example of a risk policy in QRM, a policy can be defined to find out whenever there is web traffic, but it is not HTTPS traffic. That means, whenever there is web traffic on HTTP, the policy triggers, and the information related is collected by QRM. This information is useful to change the vulnerability risk scores of the assets involved. Whenever risk scores are changed in QVM, alerts can be generated via email or dashboard alerts to get higher visibility on the high-risk assets.

The Risk Manager tab shows information about the network devices in the environment. In the upcoming versions of QRadar, QRM and QVM will be part of a single appliance and will be sold as a single solution. But the fundamentals of both QRM and QVM remain the same, as discussed in this chapter.

QRadar App Host

On QRadar, just like on our Android or Apple phones, there are applications, or apps, that can be installed. These applications enhance the usability of QRadar and also provide additional features. All the QRadar apps are publicly available on the QRadar App Exchange portal. Here is the link to the portal:

In the Understanding the Console section, we covered so many services and tasks that are running on the Console. Installing multiple apps on the Console will add computational overhead in terms of CPU cycles, memory utilization, and the disk space required by the apps. For this reason, we have a component called App Host, where the Console offloads all the apps.

In the following figure, we can see how different components fit together. The QRadar Console is the most important component to which other components are connected for command and control (except QPCAP).

Figure 1.6 – Sample QRadar deployment showing multiple components

Figure 1.6 – Sample QRadar deployment showing multiple components

From Chapter 8 onward, we will discuss at length all the important QRadar apps that can be installed on QRadar.