Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Building a Next-Gen SOC with IBM QRadar

You're reading from   Building a Next-Gen SOC with IBM QRadar Accelerate your security operations and detect cyber threats effectively

Arrow left icon
Product type Paperback
Published in Jun 2023
Publisher Packt
ISBN-13 9781801076029
Length 198 pages
Edition 1st Edition
Arrow right icon
Author (1):
Arrow left icon
Ashish Kothekar Ashish Kothekar
Author Profile Icon Ashish Kothekar
Ashish Kothekar
Arrow right icon
View More author details
Toc

Table of Contents (18) Chapters Close

Preface 1. Part 1: Understanding Different QRadar Components and Architecture
2. Chapter 1: QRadar Components FREE CHAPTER 3. Chapter 2: How QRadar Components Fit Together 4. Chapter 3: Managing QRadar Deployments 5. Part 2: QRadar Features and Deployment
6. Chapter 4: Integrating Logs and Flows in QRadar 7. Chapter 5: Leaving No Data Behind 8. Chapter 6: QRadar Searches 9. Chapter 7: QRadar Rules and Offenses 10. Part 3: Understanding QRadar Apps, Extensions, and Their Deployment
11. Chapter 8: The Insider Threat – Detection and Mitigation 12. Chapter 9: Integrating AI into Threat Management 13. Chapter 10: Re-Designing User Experience 14. Chapter 11: WinCollect – the Agent for Windows 15. Chapter 12: Troubleshooting QRadar 16. Index 17. Other Books You May Enjoy

Other QRadar components

Along with the collectors, processors, and Console, we have a few more feature-rich components that we will look at next. Some of the components that we will discuss are managed hosts, while the QRadar Packet Capture component is an unmanaged host.

Let’s get started and discuss each component in detail.

QRadar Network Insights

QRadar Network Insights (QNI) is another QRadar component that is used for capturing flow data. Now, it might be interesting to know why we have QNI when we already had a Flow Collector and Flow Processor, which were also meant to capture flow data.

The Flow Collector and Flow Processor have a service called qflow, which is responsible for collecting flow data. qflow captures the first 64 bytes of the packet and not the complete payload. This is done to extract important information from packet data. If complete packet data is saved on the Flow Processor, the amount of network packet data would be so huge that it would fill up the Flow Processor in days, if not hours. So, it is practical to capture the first 64 bytes of packet information and store it.

QNI as an appliance (we will learn what an appliance is and how it is different from software installs in Chapter 2,) has special hardware to capture huge chunks of data, process that data, extract metadata, and send it to the processor for storage. So, if the same packet capture is sent to QNI, it can capture more data than qflow will capture with the first 64 bytes of information. For example, if the payload contains information that a user tried to access Facebook or tried to upload a file on Dropbox, QNI be able to capture the hash of the file that is uploaded (if available in the payload). This hash value can then be used by QRadar to determine whether it is a known threat by comparing the hash value of the file to the threat intelligence feeds it has.

In short, QNI provides us with more detailed information about the same packet capture compared to the information if Flow Collector/Processor is used using qflow.

In a single deployment, there can be multiple QNIs installed. QNI captures the packets and sends the information/insights to the processor/Console in IPFIX format. As the insights from QNI are more detailed, granular rules can be created, providing better security coverage.

QRadar Incident Forensics

Till now, we have talked about managed hosts, which are deployed in the QRadar environment for collecting and processing data in terms of events and flows. When it comes to forensics and deep diving into a security incident, QRadar Incident Forensics (QRIF) comes into the picture.

A security incident, such as financial fraud, would require an in-depth investigation of all activities that took place over a period of time. QRIF helps in reconstructing network sessions from the packet capture available.

For example, last Friday night, someone in a bank environment downloaded a script on the server and ran it. After a while, some of the accounts were compromised and a transfer of funds took place. From events and flows, a preliminary analysis can be done. But if there was complete packet capture available from the span port on the switch where the server was connected, QRIF could recover and reconstruct the complete session based on the source and destination IP address (or any other query), and a web session showing the exact actions of the threat actor can be seen.

QRadar Packet Capture

If QRIF can reconstruct the complete sessions, it will require complete packet captures to be stored from the time of the incident. This is where QRadar Packet Capture (QPCAP) comes into the picture. QPCAP is not a managed host. This can be placed in the network where the capture port of QPCAP can collect the network packets and store them. Network packets can fill up QPCAP very quickly. So, it has large storage space and special hardware for direct I/O disk access.

Typically, QPCAP is configured to capture and store network packet data for 7 days. If needed, multiple packet captures can be used as per the requirement.

QRadar Vulnerability Manager

Along with event data and flow data, another important aspect of information from the point of view of security is the vulnerability data of the assets in the environment. Administrators should have information on the assets available and how vulnerable these assets are. QRadar Vulnerability Manager (QVM) performs active and passive scans on the assets in the network.

For example, a QVM scan can be run periodically to understand whether the patching of all Microsoft servers is completed. It helps in determining the security posture of an organization.

QVM is a complete asset management tool right from discovering assets to running remediation reports for those assets. For this, QVM seamlessly integrates with other products such as BigFix and IBM SiteProtector.

Figure 1.3 – Assets tab

Figure 1.3 – Assets tab

In the preceding figure, the assets database can be seen. Each asset will have a unique ID, domain information, and vulnerability information associated with it.

Figure 1.4 – Vulnerabilities tab

Figure 1.4 – Vulnerabilities tab

In the preceding figure, a scan is run twice over a period. There are eight assets that were scanned both times, but the number of vulnerabilities is different. This indicates that over a period of time, new vulnerabilities were found for the same assets.

QRadar Risk Manager

QRadar Risk Manager (QRM) is a managed host that collects configuration information from the network devices in the environment. This information is then pictorially depicted in the form of network topology.

For example, in a typical data center, there are multiple network devices such as routers, firewalls, intrusion prevention devices, and so on. QRM pulls the configuration details from all the network devices and creates network topology graphs. It can also simulate any changes in the policies by calculating the risk to the environment.

Figure 1.5 – Risks tab

Figure 1.5 – Risks tab

QRM can integrate with QVM. Risk policies can be defined on QRM. To give an example of a risk policy in QRM, a policy can be defined to find out whenever there is web traffic, but it is not HTTPS traffic. That means, whenever there is web traffic on HTTP, the policy triggers, and the information related is collected by QRM. This information is useful to change the vulnerability risk scores of the assets involved. Whenever risk scores are changed in QVM, alerts can be generated via email or dashboard alerts to get higher visibility on the high-risk assets.

The Risk Manager tab shows information about the network devices in the environment. In the upcoming versions of QRadar, QRM and QVM will be part of a single appliance and will be sold as a single solution. But the fundamentals of both QRM and QVM remain the same, as discussed in this chapter.

QRadar App Host

On QRadar, just like on our Android or Apple phones, there are applications, or apps, that can be installed. These applications enhance the usability of QRadar and also provide additional features. All the QRadar apps are publicly available on the QRadar App Exchange portal. Here is the link to the portal: https://exchange.xforce.ibmcloud.com/hub.

In the Understanding the Console section, we covered so many services and tasks that are running on the Console. Installing multiple apps on the Console will add computational overhead in terms of CPU cycles, memory utilization, and the disk space required by the apps. For this reason, we have a component called App Host, where the Console offloads all the apps.

In the following figure, we can see how different components fit together. The QRadar Console is the most important component to which other components are connected for command and control (except QPCAP).

Figure 1.6 – Sample QRadar deployment showing multiple components

Figure 1.6 – Sample QRadar deployment showing multiple components

From Chapter 8 onward, we will discuss at length all the important QRadar apps that can be installed on QRadar.

You have been reading a chapter from
Building a Next-Gen SOC with IBM QRadar
Published in: Jun 2023
Publisher: Packt
ISBN-13: 9781801076029
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image