In October 2011, IBM acquired the network security company Q1 Labs for a reported US$34.4 million. Q1 Labs' flagship SIEM product QRadar (in the Leaders quadrant of the Gartner SIEM Magic Quadrant from 2008 to 2012) naturally came along with the deal and was folded into IBM's security product line.
Many people still hold a misconception: unlike IBM Watson, which sounds impressive, QRadar is supposedly just a tool for log analysis and event management. In fact, that is not the case.
More than just a SIEM
When IBM Security reorganized its product line and put forward the "security immune system", QRadar was placed at the center, in the security intelligence position. It contains SIEM, log management, vulnerability management and risk management modules. Beyond that, taking the User Behavior Analytics (UBA) extension for QRadar as an example, partners and IBM have developed 61 extension packages for QRadar on the Security App Exchange, which extend the functionality of the product itself and provide linkage with other vendors' security devices.
The Security App Exchange platform
It can be seen, then, that what QRadar does today goes well beyond a plain SIEM. However, because QRadar grew out of a SIEM, its first job is still log management, then security incidents, and then control of the incident response process. On top of this it extends into vulnerability and risk management, and into user behavior analysis. All of these are important capabilities of QRadar, and they are also the basis on which linkage with security devices is realized.
Linkage with QRadar as the core
The biggest difference between QRadar and a traditional SIEM is that a traditional SIEM focuses on early warning of security incidents, whereas QRadar works mainly through linkage with security devices: the security devices respond to QRadar's instructions, so that the enterprise's whole security defense system can change its defense rules dynamically and in real time according to the different security events discovered or occurring, and respond to security events automatically.
The security immune system
Of course, the relationship between QRadar and the security devices deployed on the enterprise intranet is not a string of candied haws on a stick, with everything lined up in sequence. It is more like a headquarters behind the corporate security front line: collecting intelligence about the war, analyzing the battle situation, and even acting as a command center that deploys forces.
1. Fixing security vulnerabilities: linkage with BigFix
BigFix is endpoint security management software whose acquisition IBM completed in 2010. It is mainly about desktop and asset management, and the distribution of software and security patches. For vulnerability management, QRadar has its own module. The difference is that QRadar aggregates all vulnerabilities, whether on endpoints, network devices or applications, into its vulnerability management module, and can also ingest the results of some third-party vulnerability scanners. BigFix, besides discovering vulnerabilities, focuses more on the ability to remediate them.
BigFix's vulnerability information comes from two sources. BigFix has a vulnerability library of its own, in which all patches are official patches issued by the vendor. The other source is threat intelligence from IBM's X-Force platform, for example a vulnerability's CVE. However, since intelligence does not mean that a security patch exists, BigFix has researchers who, for vulnerabilities not yet patched, develop ways of interacting with other devices, or methods of checking for or blocking exploitation of the vulnerability in question.
In terms of linkage with QRadar: when the BigFix client finds a security vulnerability in an endpoint's system or software, QRadar informs the administrator of the vulnerability and its risk rating. The security administrator can then use QRadar to tell BigFix whether to fix it; if the decision is to fix, patch distribution can be executed with one click on the BigFix platform.
Linkage between BigFix and QRadar
By installing clients on the different endpoints, BigFix collects basic information about all installed software and feeds it back to QRadar. QRadar, from the perspective of the server (not the endpoint), summarizes and classifies the information BigFix provides. If a server is confirmed to be missing a patch, QRadar remediates the vulnerability through BigFix and its client. At the same time, administrators can monitor the progress of remediation in real time on the BigFix platform. After remediation, the result is fed back to QRadar's vulnerability management module, which updates the vulnerability's status in the system accordingly.
Whether or not a vulnerability is fixed remains a management decision, based on the risk level QRadar assigns to it and on whether the fix will affect the enterprise's business continuity.
2. X-Force: QRadar's main source of threat intelligence
Talking about security vulnerabilities means talking about threat intelligence. At present QRadar obtains its threat intelligence mainly through the X-Force platform, which provides malware samples, libraries of malicious IPs and malicious DNS names, CVE information and so on; all of these are important intelligence sources for QRadar.
IBM has 12 security operations centers (SOCs) worldwide. Many SOC customers have signed agreements with IBM that allow IBM to share security problems found during operations with the X-Force platform, so a great deal of X-Force's security data comes from IBM's own SOCs, and the analysis and use of this data has undoubtedly become an important supporting force for IBM Security.
Beyond that, some intelligence comes from the local network or from security devices. For example, MaaS360 (IBM's mobile device management software) can confirm whether an employee's device has been jailbroken or rooted. Such a device has a higher chance of carrying malicious apps and is defined as "in violation", so it is treated as a vulnerable asset; when this high-risk device accesses internal resources, QRadar raises an alert.
MaaS360 security support for BYOD
3. Dynamic blocking at the network layer: linkage with Network Protection XGS
Compared with BigFix, Network Protection XGS (hereafter XGS), a network-layer security device functionally similar to a traditional IPS, has a more complex linkage with QRadar because it involves the dynamic configuration of a large number of rules. Unlike a firewall, which essentially matches rules against blacklists and whitelists, an IPS uses DPI (deep packet inspection) to analyze network packets up to layer 7, discover security threats and block them. This is the IPS's own advantage.
Linkage between XGS and QRadar
Once XGS's analyzed data enters QRadar in the form of logs, QRadar compares the XGS logs with the logs of the devices that may be the attacker's targets. One can then see clearly which attack methods the hackers are using against which assets on the enterprise network. While informing the enterprise security administrator, QRadar orders XGS and the target device to take corresponding actions, blocking access at the network layer and on the target device at the same time. For example, if XGS determines from packet analysis that a database server is under attack, Guardium or another database security product dynamically changes the database access control policy, while XGS blocks the attacking IP at the network layer.
In the event of an attack, the network layer and the attacked device defend simultaneously; this is what IPS data in QRadar is for.
In addition, if a vulnerability scanner finds that some assets carry a security vulnerability, but the patch cannot be applied because of the particularities of the industry or because the vendor has not yet released one, QRadar can also, based on the way the vulnerability is exploited, generate specific rules on XGS to block the corresponding exploit requests.
Of course, IBM has its own vulnerability scanning product, AppScan. As a detection tool it only scans for an application's logic vulnerabilities through black-box and white-box testing and takes no action afterwards; remediation has to be completed through linkage with BigFix, or by having XGS block the corresponding behavior.
Unlike AppScan's focus on logic vulnerabilities, IBM's mobile anti-fraud product Trusteer Mobile is more concerned with whether vulnerabilities are being exploited maliciously, that is, with detecting malicious application behavior. This is especially relevant in finance: phishing mail, malicious URLs, malware and malicious websites. Trusteer's malicious sample library is also connected to the X-Force platform. Because the goal of many exploits is to steal privileged accounts, after discovering high-risk exploitation of an application vulnerability, Trusteer also links through QRadar with the privileged identity management module (PIM).
Besides BigFix for vulnerability remediation and XGS for dynamic blocking at the network layer, let us turn to the two-way integration of QRadar with IBM's database security product Guardium.
4. Database access control and account permission changes: linkage with Guardium and the identity and access management (IAM) platform
The earlier article "Guardium: database security technology explained" also mentioned the two-way integration of QRadar and Guardium. Guardium, as a database security product, frequently involves the management of privileged accounts. Many domestic customers choose a bastion host to control accounts and their permissions and to audit user behavior; IBM has a corresponding identity and access control product (PIM) for this function.
Two-way integration of QRadar and Guardium
The main purpose of the two-way integration of QRadar and Guardium is to avoid the security risks caused by misconfiguration and vulnerabilities of database assets. Guardium returns database activity logs in real time, and QRadar uses the database activity information for context analysis to identify and prevent attacks. At the same time, QRadar can also send a suspicious IP identified by XGS or other security devices to Guardium and order it to block that IP's access to the database. If the IP belongs to someone inside the enterprise, the corresponding account's permissions can also be adjusted through QRadar and PIM, with a stricter security policy applied.
For example, someone logs into the database with a privileged account (after login the desktop is automatically screen-recorded by PIM), runs a query, obtains the data, and then clears the database operation records. Guardium judges this as malicious or aggressive, and from then on all of that account's operations on the database are blocked by Guardium; at the same time QRadar requires PIM to add mandatory two-factor authentication to the account's logins, and orders XGS to block all the endpoints this account commonly uses to log into the intranet, while issuing the relevant warnings.
In the example above, QRadar's User Behavior Analytics (UBA) module is an important basis for Guardium's judgment. UBA needs a large number of rules to judge user behavior; after the judgment, QRadar issues orders to Guardium, XGS and PIM almost simultaneously, restricting and controlling the high-risk behavior from the dimensions of account, network access and database access rights, so as to protect enterprise data.
Beyond this, QRadar integrates not only with the privileged account management platform (PIM) but also with IBM's traditional identity and access management platform (IAM), to provide enterprises with deeper security risk analysis of accounts and permissions: for example, discovering access to backend systems that bypasses the unified authentication platform, changes to accounts and permissions, illegal sharing of core accounts, and access to the sensitive data of a former position after an employee leaves or changes roles.
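The two linkages described above, the XGS alert that is matched against the asset's known vulnerabilities (section 3) and the privileged database session that queries data and then clears its own audit trail (the Guardium example above), both reduce to the same pattern: normalize the device logs, correlate them against asset context or session state, and issue orders to several products at once. The block below is an added illustration of that pattern and is not IBM's or QRadar's code. It uses the LEEF 1.0 line framing that QRadar ingests (header fields separated by `|`, tab-separated `key=value` attributes), but the sample lines themselves, the attribute names, the asset table, the vulnerability identifiers and the order names are all constructed for the example.

```python
"""Toy correlation engine in the spirit of the QRadar linkage described in the
article. Added example code, not IBM code: the sample log lines, attribute
names, asset table, vulnerability IDs and order names are all constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed asset inventory, as a SIEM's vulnerability module would hold it.
# The vulnerability IDs are placeholders, not real CVEs.
ASSETS = {
    "10.0.5.20": {"name": "db-prod-01", "role": "database", "open_vulns": {"VULN-DB-0001"}},
    "10.0.5.21": {"name": "web-01", "role": "web", "open_vulns": set()},
}
# Hypothetical mapping from an IPS signature to the vulnerability it exploits.
SIGNATURE_TO_VULN = {"SQL_Overflow_Attempt": "VULN-DB-0001"}


@dataclass(frozen=True)
class Order:
    """An instruction the engine sends to one product (XGS, Guardium, PIM)."""
    device: str
    action: str
    target: str


def parse_leef(line):
    """Parse a LEEF 1.0 style line: 'LEEF:1.0|vendor|product|version|eventid|'
    followed by tab-separated key=value attributes. Returns a flat dict."""
    parts = line.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF line: %r" % line)
    event = {"vendor": parts[1], "product": parts[2], "event_id": parts[4]}
    for pair in parts[5].split("\t"):
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def rule_exploit_against_vulnerable_asset(event):
    """IPS alert whose signature exploits a vulnerability the target asset is
    known to carry: block the source at the network layer, and at the database
    as well when the target is a database server. An alert against an asset
    that does not carry the vulnerability produces no orders (alert only)."""
    asset = ASSETS.get(event.get("dst"))
    vuln = SIGNATURE_TO_VULN.get(event.get("signature"))
    if asset is None or vuln is None or vuln not in asset["open_vulns"]:
        return []
    orders = [Order("XGS", "block_ip", event["src"])]
    if asset["role"] == "database":
        orders.append(Order("Guardium", "block_ip", event["src"]))
    return orders


class PrivilegedSessionRule:
    """Stateful UBA-style rule: within one privileged database session, a data
    query followed by deletion of the audit log is treated as malicious and
    answered on the database, account and network dimensions at once."""

    def __init__(self):
        self.queried = defaultdict(bool)  # session id -> has already read data

    def feed(self, event):
        if event.get("privileged") != "true":
            return []
        sid = event["session"]
        if event["op"] == "select":
            self.queried[sid] = True
            return []
        if event["op"] == "delete" and event.get("object") == "audit_log" and self.queried[sid]:
            return [Order("Guardium", "block_session", sid),
                    Order("PIM", "require_2fa", event["user"]),
                    Order("XGS", "block_ip", event["src"])]
        return []


def correlate(lines):
    """Run every log line through the rule that applies to its source product
    and return all orders in the order they were issued."""
    db_rule = PrivilegedSessionRule()
    orders = []
    for line in lines:
        event = parse_leef(line)
        if event["product"] == "XGS":
            orders.extend(rule_exploit_against_vulnerable_asset(event))
        elif event["product"] == "Guardium":
            orders.extend(db_rule.feed(event))
    return orders


# Constructed sample log lines; attribute names are hypothetical.
SAMPLE_LOG = [
    "LEEF:1.0|IBM|XGS|5.3|attack|src=203.0.113.7\tdst=10.0.5.21\tsignature=SQL_Overflow_Attempt",
    "LEEF:1.0|IBM|XGS|5.3|attack|src=203.0.113.7\tdst=10.0.5.20\tsignature=SQL_Overflow_Attempt",
    "LEEF:1.0|IBM|Guardium|10|dbactivity|session=s42\tuser=dba_admin\tprivileged=true\tsrc=10.0.8.15\top=select\tobject=customers",
    "LEEF:1.0|IBM|Guardium|10|dbactivity|session=s42\tuser=dba_admin\tprivileged=true\tsrc=10.0.8.15\top=delete\tobject=audit_log",
    "LEEF:1.0|IBM|Guardium|10|dbactivity|session=s43\tuser=reporting\tprivileged=false\tsrc=10.0.8.16\top=delete\tobject=audit_log",
]

if __name__ == "__main__":
    for order in correlate(SAMPLE_LOG):
        print(order)
```

The first XGS line targets a host that does not carry the matching vulnerability and therefore only alerts, which is the point of enriching IPS alerts with the asset inventory: without that context every signature hit would trigger a block. The audit-log deletion in session s43 is ignored because the session is not privileged and never read data, so the rule fires only on the full sequence, not on any single event.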
In addition to the above, the linkage between QRadar and Resilient Systems, whose acquisition IBM completed in March of this year, is a good complement to the "incident response" link, so that the IBM security immune system with QRadar at its heart truly has the three capabilities a SOC tool needs: "defense + detection + response".
5. Automating the incident response ticket workflow: linkage with Resilient Systems
The incident response that Resilient addresses is more the overall workflow of a security operations center, that is, the automation of the ticket process; it is not a security product for a specific domain like XGS or Guardium.
Integrating Resilient Systems into QRadar
What does the ticket workflow for a security incident look like? Here is a simple example.
Through QRadar, the administrator sees an attack, including the attacker's public IP, the attacker's target and the security vulnerability exploited. After the incident, the responses required include blocking, vulnerability remediation and other operations, and all of these need a ticket workflow. At this point Resilient tells the security administrator that this is security incident number XXX, what the incident's risk level is, and that the person responsible (hypothetically) is Engineer Wang, who needs to analyze and handle it. If it is a website security problem, Wang informs the site administrator, Xiao Liu. Xiao Liu finds that it is a security vulnerability and informs the server operations engineer, Xiao Li, to patch the server. Xiao Li finally asks Xiao Zhang to invoke BigFix to fix the vulnerability.
This is a standard ticket workflow. It describes the handling of one security incident, which requires different people to get involved.
Of course, the security administrator also needs to determine the scope of the incident. If it affects the enterprise's customers, the relevant departments must be told to compensate and apologize; partners must be notified; regulators must receive a report. Although every country and industry has different standards for this process, Resilient can handle it too. The process may also involve suppliers outside the enterprise: whether the data made available to suppliers has compliance requirements, for instance business data that must be encrypted or desensitized, and the protection of users' privacy; all of these are questions Resilient deals with.
Security problems an enterprise security administrator finds through QRadar can be handed, through Resilient and in an almost automatic way, to the relevant security devices, and the progress of the whole ticket workflow can be monitored in real time through QRadar.
QRadar's position in the SOC
Does QRadar, together with its linkage with the IBM security product line and the resulting system of security defense, detection and response, constitute a complete security operations center? IBM does not think so. The reason is that QRadar has no "brain": it cannot yet automate everything, and the security system still needs security analysts to make decisions. In other words, after a security incident it is still up to a person to decide how to handle and respond, and QRadar can only be called one of the better tools to use in a SOC.
It is like a hospital: even with a complete blood count, an ultrasound and a brain CT, the reports only help the doctor judge the patient's condition more accurately, while the final diagnosis and prescription are still up to the doctor. The same is true of the "cognitive security" IBM has recently been advocating: although it is constantly learning how to read natural-language text from a security perspective, its goal at this stage is to make up for skill gaps among enterprise security analysts and greatly reduce the time cost of security analysis, and it is far from a substitute for security analysts' decisions.
IBM Watson assisting doctors with diagnosis
Nevertheless, it is clear that since QRadar joined IBM's security product line in 2012, it is no longer a traditional SIEM; it has become the real core of IBM's security immune system, "commanding" the entire IBM security product line.
Security Bull commentary
IBM's greatest strength lies in its accurate grasp and judgment of future trends, and in its strong ability to integrate the products of the leading companies it acquires in each security domain. Through acquisitions it has not only completed the IBM security product line in terms of product categories and functions, but also formed organic linkage among the security products. This has undoubtedly given the IBM security immune system its unique synergy.