Vulnerability Management and Asset Profiling in IBM QRadar SIEM

The document discusses vulnerability management and asset profiling in IBM QRadar SIEM. It covers topics like vulnerability scanning, asset profiles, scheduling scans, and viewing scan results. Different types of scanners that can be used are also mentioned.


IBM Security Systems

Vulnerability Management and Asset Profiling in


IBM QRadar SIEM

- Boudhayan Chakrabarty.
- Praphulla S. Mujumdar.

9/24/14

© 2014 IBM Corporation
IBM Security Systems

Agenda ::
1. Vulnerability Management
2. Vulnerability Management Challenges
3. Types of Vulnerability Scanning
4. Different types of scanners supported (Active Scanners)
5. Scheduling a Vulnerability Scan
6. Viewing the status of a Vulnerability Scan
7. Asset Profiles
8. Sources updating the Asset Database
9. Troubleshooting Asset Profiles
10. Demo
11. Question and Answer
12. Thanks !!


Vulnerability Management ::

Why is Vulnerability Management needed?

*** It is a MUST to scan network infrastructure, servers and endpoints for bad configurations,
weak settings, unpatched or out-of-date applications and other key security weaknesses.

*** Vulnerability compliance mandates should ALWAYS be met.

“Vulnerability scanning is a critical part of a vulnerability management process,
but vulnerability assessment (VA) scanning must be augmented with other
technologies and analytics for enterprises to realize effective protection from
advanced targeted threats.”

- Gartner Vulnerability Management MarketScope 2012


Vulnerability Management Challenges ::

 Many vulnerabilities are already mitigated against serious threat sources by firewall and IPS devices
 Endpoint management solutions automatically patch and remediate vulnerabilities
 Endpoint firewalls prevent external access to many vulnerable applications
 Vulnerable applications may not be in use or even active
 No view of which vulnerabilities are potentially being exploited
 Additional screens and reports that take time to analyze
 Additional security infrastructure to deploy and manage
 Multiple scanning points are often required
 Multiple vulnerability management technologies are required, with no single console
 Additional integration effort


Types of Vulnerability Scanning in IBM QRadar SIEM ::

- Active scans help with vulnerability management.
- Passive scans create assets from valid traffic observed on the network and also help with
vulnerability management.

Active Scanner :
For Vulnerability Assessment (VA) and for maintaining asset profiles, QRadar SIEM integrates
with many active scanners. You can schedule Nessus, Nmap and the IBM Security QRadar
Vulnerability Manager scanner directly in QRadar SIEM. For other scanners, you can schedule
the collection of scan results in QRadar SIEM.
Active scanners send transmissions to the network's nodes. Depending on the responses
received, the scanner evaluates whether a specific node represents a weak point within the
network.
A network administrator can also use an active scanner to simulate an attack on the network,
uncovering weaknesses a potential attacker would spot, or to examine a node following an attack to
determine how the attacker breached security.
Active scanners can take action to autonomously resolve security issues, such as blocking a
potentially dangerous IP address.

Active scanners provide :
 List of hosts with risks and potential vulnerabilities.
 IP and MAC address.
 Open ports in use.
 Services and versions.
 Operating system.

Pros:
 Detailed host information.
 Policy and compliance information.

** We need both active and passive scanners, as they complement each other.


Passive Scanner :
Passive scanners identify the active operating systems, applications and ports throughout a
network, monitoring activity to determine the network's vulnerabilities. However, while passive
scanners can provide information about weaknesses, they cannot take action to resolve security
problems.

Passive scanning in QRadar can check the current software and patch versions on
networked devices, indicating which devices are running software that presents a potential gateway
for attackers or trojan infections. It references this information against public databases containing lists
of current patches.

QRadar SIEM uses external references from the Open Source Vulnerability Database (OSVDB)
and the National Vulnerability Database (NVD) to identify discovered vulnerabilities. Each vulnerability
is assigned a unique reference identifier, the OSVDB ID. In addition, each vulnerability can be
identified by external data references, such as a Common Vulnerabilities and Exposures (CVE) ID.


Passive scanners provide :
 IP addresses in use.
 Open ports in use.

Pros :
 Real-time asset profile updates.
 Firewalls have no impact.
 End systems cannot hide.
 Policy and compliance information.

** We need both active and passive scanners, as they complement each other.


Different types of Scanners Supported (Active Scanners) ::

Axis Scanner
Beyond Security AVDS Scanner
Digital Defense Inc AVS
eEye REM Scanner
FoundScan Scanner
IBM AppScan Scanner
IBM Guardium SCAP Scanner
IBM Tivoli Endpoint Manager
Juniper NSM Profiler Scanner
McAfee Vulnerability Scanner
nCircle IP360 Scanner
Nessus Scanner
Nmap Scanner
Positive Technologies MaxPatrol
Qualys Detection Scanner
Qualys Scanner
Rapid7 Nexpose Scanner
SAINT Scanner
SecureScout Scanner
Tenable SecurityCenter Scanner


Scheduling a vulnerability scan ::

Scan schedules are intervals assigned to scanners that determine when vulnerability
assessment data is imported from external scanning appliances in your network.

Scan schedules can also define the CIDR ranges or subnets that are included in the data import
when the vulnerability data import occurs.

Scan schedules are created for each scanner product in your network and are used to retrieve
vulnerability data. There is no limit to the number of scan schedules you can create.
It is often helpful to split scanning of your network into several smaller scan schedules rather
than one large import: large vulnerability imports can take a long time to complete and are often
very system resource intensive.

A scan cannot be scheduled until after the scanner has been added.


QRadar UI >> Admin >> Vulnerability >> VA Scanners >> Add


Viewing the status of a vulnerability scan ::

The Scan Schedule window gives administrators a status view of when each scanner is
scheduled to collect vulnerability assessment data for assets in the network.

The name of each scan is displayed, along with the CIDR range, port or port range, priority,
status, and next run time.

1. Click the Admin tab.
2. Click the Schedule VA Scanners icon.
3. Review the Status column to determine the status of your log sources.

The Status column for each scanner provides a status message about each successful
vulnerability import or failure.


Asset Profiles ::
QRadar SIEM maintains asset profiles for systems in the network. The profiles track host details, such as:
1) IP address
2) Services listening on open ports
3) Vulnerabilities

In addition to technical asset information, asset profiles track user logins to the assets if this information is provided to
QRadar SIEM. QRadar SIEM automatically creates and updates asset profiles for systems found in:

- DHCP, DNS, VPN, proxy, firewall NAT and wireless AP logs
- Passively gathered bidirectional flows
- Vulnerability data provided by active scanners

You can also create asset profiles manually in the user interface or by import.
QRadar UI >> Assets >> Add Asset Profile

Asset profile information is used for correlation purposes. For example, if an attacker attempts to compromise a certain
service running on a specific asset, QRadar SIEM can determine whether the asset is vulnerable to this attack by
correlating the attack to the asset profile.


Sources updating the Asset DB ::

1. Active Scans : QRadar Vulnerability Manager scanner, Nessus, Nmap, Qualys and others.

2. Passive Scans : Flows from QFlow, or from other flow sources using accounting technologies such as
IPFIX/NetFlow and sFlow.

3. Asset identity information from events.

a. MAC Address : When an asset profile update contains a MAC address, QRadar uses the
MAC (and the MAC alone) to anchor the contents of the profile update to an existing entry in
the database, or to a new entry where no match currently exists in the database. Its authority
is rooted in the assumption that only a single physical asset will ever appear on a customer
network with any given MAC address.
b. Username :


Troubleshooting Asset Profiles ::

An asset is an entity with attributes assigned to it. For instance, an asset can have MAC addresses, hostnames, NetBIOS
names, IP addresses, etc. Typically an asset has only one MAC address, but it could have two or more (think of a
laptop with a wired and a wireless card), and the majority of the time an asset has only one hostname and one NetBIOS
name. Assets can also have multiple IP addresses over time.

Whenever QRadar receives any identity information for any host, irrespective of whether the host is important to you or
not, it generates an asset entry. We have seen cases where assets that are not important to you nevertheless got asset
entries, simply because QRadar had received identity information about those hosts.

If you do not want QRadar to create entries for such assets (which are not important to you), you can use an Identity
Exclude Parameter so that, in future, QRadar excludes these assets from the Asset Profile.

For example, let's say the assets that are important to you have .in.ibm.com in their name. However, you
are also seeing a few assets with names like .xyz.com being created in the Asset Table. They were
created because QRadar received identity information for those assets. To exclude them, first you need to create
a search as shown on the next slide.


The search that we are creating contains two criteria:

1. Has Identity is True
2. Hostname contains .xyz.com

You can select any time frame you want while creating the search.

Once the search is as you need it, save it for future use by using the Save Criteria
button on the Log Activity page.

Ensure that you specify 'Real-time (streaming)' as the search time frame while saving the search;
otherwise, whatever time frame you include in your search will directly affect your identity exclusion
matching.


After the search has been saved, run the script that excludes the matching identities from being added to the
asset profiler:

# /opt/qradar/bin/applyIdentityExcludeParams.sh "Unwanted Hostnames"

Search 'Unwanted Hostnames' was successfully inserted as identity exclusion.

Finally, you need to clean out the old assets so that QRadar can rebuild the Asset DB without the assets
whose hostname contains .xyz.com. You can either delete the assets individually or use the following script to clear out
the complete Asset Table:

# /opt/qradar/support/cleanAssetModel.sh
This script will remove all assets in your database, along
with all of their ports, vulnerabilities and attributes.
Do you wish to proceed?
1) Yes, remove all assets and restart the asset profiler
2) No, I want to abort NOW
#?
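To make the MAC-anchoring rule from the "Sources updating the Asset DB" slide and the identity-exclusion procedure above concrete, here is a small added model (example code written for this page, not QRadar's own implementation). It treats the saved search "Has Identity is True AND Hostname contains .xyz.com" as a hostname-substring filter applied before an update reaches the asset database; the identity updates are constructed, not real log data.

```python
"""Toy model of asset profiling: identity updates are anchored to an existing
asset by MAC address (the MAC alone), and an identity-exclusion rule drops
updates whose hostname matches an unwanted pattern before they reach the DB.
Example code for this page, not QRadar's implementation; data is constructed."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    mac: str
    hostnames: set = field(default_factory=set)
    ips: set = field(default_factory=set)


class AssetDB:
    def __init__(self, exclude_hostname_substrings=()):
        # Stand-in for the saved search handed to applyIdentityExcludeParams.sh:
        # "Has Identity is True" and "Hostname contains <pattern>".
        self.excludes = tuple(s.lower() for s in exclude_hostname_substrings)
        self.assets = {}       # keyed by normalised MAC, the anchoring attribute
        self.excluded = 0      # number of identity updates dropped by the rule

    def is_excluded(self, update):
        # An update with no hostname carries no matching identity, so it passes.
        host = (update.get("hostname") or "").lower()
        return any(pat in host for pat in self.excludes)

    def apply(self, update):
        """Apply one identity update (dict with 'mac', optional 'ip'/'hostname')."""
        if self.is_excluded(update):
            self.excluded += 1
            return None
        mac = update["mac"].lower()
        asset = self.assets.setdefault(mac, Asset(mac))   # anchor on MAC alone
        if update.get("ip"):
            asset.ips.add(update["ip"])
        if update.get("hostname"):
            asset.hostnames.add(update["hostname"].lower())
        return asset


# Constructed identity updates, as they might be parsed from DHCP/DNS/VPN logs.
UPDATES = [
    {"mac": "00:11:22:33:44:55", "ip": "10.0.0.5", "hostname": "ws01.in.ibm.com"},
    {"mac": "00:11:22:33:44:55", "ip": "10.0.0.9"},        # same laptop, new lease
    {"mac": "AA:BB:CC:DD:EE:FF", "ip": "10.0.1.7", "hostname": "guest7.xyz.com"},
    {"mac": "aa:bb:cc:dd:ee:ff", "ip": "10.0.1.8", "hostname": "guest8.xyz.com"},
]


def build_db(updates=UPDATES, excludes=(".xyz.com",)):
    db = AssetDB(excludes)
    for u in updates:
        db.apply(u)
    return db


if __name__ == "__main__":
    db = build_db()
    for a in db.assets.values():
        print(a)
    print("excluded updates:", db.excluded)
```

Building the database without the exclusion (`build_db(excludes=())`) shows the other half of the rule: the two differently-cased MACs collapse into one asset carrying both .xyz.com hostnames, which is exactly the entry the clean-and-rebuild step above is meant to remove.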


Error Message:
Asset Persistence Queue Disk Full.

Explanation:
The Asset Profile Manager includes a process called asset persistence that allows QRadar to update the profile
information for assets, such as IP addresses, MAC addresses, or DNS names. As new asset data becomes available, asset
persistence collects the asset data in data sets and queues the information to be processed to update the asset model. When
the persistence queue and the disk queue fill with pending asset changes, this notification is generated. Asset
persistence updates are blocked until disk space is available.

The notification is generated and new asset changes are blocked from updating, but the information is not dropped.
The system otherwise behaves as normal.

Resolution:
To resolve this issue, review the following option:
• If a disk full notification is triggered by each scan, alerting you that the spillover disk space assigned to the asset
persistence queue is full, then you should consider reducing the size of your scan. A reduction in the size of your
scan can prevent the asset persistence queues from overflowing.


Error Message:
Asset Update Resolver Queue Disk Full.

Explanation:
The Asset Profile Manager includes a process called the asset resolver that allows QRadar to understand incoming
raw scan data and normalize the scan information for QRadar. As new asset data becomes available, the asset resolver
processes the raw asset data in data sets and queues the information for the asset persistence process to update the
asset model. When the resolver queue and the disk queue fill with pending asset changes, this notification is
generated. The system continually writes the data to disk to prevent any data loss. However, if the system has
exhausted disk space, then the notification indicates that the system has dropped scan data.

The notification is generated and new asset data is written to disk until all disk space is consumed. If disk space is
unavailable, then the scan information is dropped. The system cannot handle incoming asset scan data until disk space
is available.

Resolution:
Ensure that your QRadar system has free disk space.
If a disk full notification is triggered by each scan, alerting you that the spillover disk space assigned to the asset
resolver queue is full, then you should consider reducing the size of your scan or decreasing the scan frequency.
A reduction in the scope or frequency of your scan can prevent the asset resolver queues from overflowing.

Error Message :
Asset Changes Aborted.

Explanation:
The Asset Profile Manager includes a process called asset persistence that allows QRadar to update the profile
information for assets, such as IP addresses, MAC addresses, or DNS names. As new asset data becomes available, asset
persistence collects the asset data in data sets and queues the information to be processed to update the asset model. When
a user attempts to add a new asset or edit an asset, the data is placed in temporary storage and added to the end of the
change queue. If a large amount of data is in front of the user change, then the asset change can time out and the
temporary storage holding the change is deleted. This notification indicates that the system has discarded an asset change
because of the volume of pending asset updates present in the system. The notification detail outlines the asset and the
information that was discarded.

The notification is generated and a change made to an asset by a user is discarded because of the timeout threshold. The
system should otherwise behave normally; however, it is attempting to process a large number of asset changes.

Resolution:
• Wait and attempt to add or edit the asset a second time.
• Stagger the start times of your vulnerability scans or reduce the size of your scans.
If this notification recurs, then you should consider reducing the scan size or changing the start times to
prevent a user change from timing out in the asset queue.

Demo ! !


Question and Answer ! !
