Vulnerability Management and Asset Profiling in IBM QRadar SIEM
- Boudhayan Chakrabarty.
- Praphulla S. Mujumdar.
9/24/14
©
1 2014 IBM Corporation © 2012 IBM Corporation
IBM Security Systems
Agenda ::
1. Vulnerability Management
2. Vulnerability Management Challenges
3. Types of Vulnerability Scanning
4. Different types of scanners supported (Active Scanner)
5. Scheduling a Vulnerability Scan
6. Viewing the status of a Vulnerability Scan
7. Asset Profiles
8. Sources updating Asset Database
9. Troubleshooting Asset Profiles
10. Demo
11. Question and Answer
12. Thanks !!
Vulnerability Management ::
***It is a MUST to scan network infrastructure, servers and endpoints for bad configurations, weak settings, unpatched or out-of-date applications and other key security weaknesses.
Vulnerability Management Challenges ::
• Many vulnerabilities are mitigated from serious threat sources by firewall and IPS devices.
• Endpoint management solutions automatically patch and remediate vulnerabilities.
• Endpoint firewalls prevent external access to many vulnerable applications.
• Vulnerable applications are often not in use, or not even active.
• No view of which vulnerabilities are potentially being exploited.
• Additional screens and reports to spend time analyzing.
• Additional security infrastructure to deploy and manage.
• Multiple scanning points are often required.
• Multiple vulnerability management technologies are required, with no single console.
• Additional integration effort.
Active Scanner :
For Vulnerability Assessment (VA) and maintaining asset profiles, QRadar SIEM integrates with many active scanners. You can schedule Nessus, Nmap and the IBM Security QRadar Vulnerability Manager scanner directly in QRadar SIEM. For other scanners, you can schedule the collection of scan results in QRadar SIEM.
Active scanners send transmissions to the network's nodes. Depending on the responses received, we need to evaluate whether a specific node represents a weak point within the network.
A network administrator can also use an active scanner to simulate an attack on the network, uncovering weaknesses a potential hacker would spot, or to examine a node following an attack to determine how a hacker breached security.
Active scanners can take action to autonomously resolve security issues, such as blocking a potentially dangerous IP address.
Active scanners provide :
• List of hosts with risks and potential vulnerabilities.
• IP and MAC address.
• Open ports in use.
• Services and version.
• Operating system.
Pros :
• Detailed host information.
• Policy and compliance information.
**We need both active and passive scanners, as they complement each other.
Passive Scanner :
Passive scanners identify the active operating systems, applications and ports throughout a network, monitoring activity to determine the network's vulnerabilities. However, while passive scanners can provide information about weaknesses, they cannot take action to resolve security problems.
The passive scanning present in QRadar can check the current software and patch versions on networked devices, indicating which devices are using software that presents a potential gateway for hackers or trojan attacks. It references this information against public databases containing lists of current patches.
QRadar SIEM uses external references from the Open Source Vulnerability Database (OSVDB) and the National Vulnerability Database (NVDB) to identify found vulnerabilities. Each vulnerability is assigned a unique reference identifier, the OSVDB ID. In addition, each vulnerability can be identified by external data references, such as a Common Vulnerabilities and Exposures (CVE) ID.
Passive scanners provide :
• IP addresses in use.
• Open ports in use.
Pros :
• Real-time asset profile updates.
• Firewalls have no impact.
• End systems cannot hide.
• Policy and compliance information.
**We need both active and passive scanners, as they complement each other.
Scheduling a Vulnerability Scan ::
Scan schedules can also define the CIDR ranges or subnets that are included in the data import when the vulnerability data import occurs.
Scan schedules are created for each scanner product in your network and are used to retrieve vulnerability data. There is no limit to the number of scan schedules you can create.
It is often helpful to create multiple scan schedules for your network rather than a single large one, because large vulnerability imports can take a long time to complete and are often very system-resource intensive.
A scan cannot be scheduled until after the scanner has been added.
Viewing the status of a Vulnerability Scan ::
The Scan Schedule window provides administrators with a status view of when each scanner is scheduled to collect vulnerability assessment data for assets in the network.
The name of each scan is displayed, along with the CIDR range, port or port range, priority, status, and next run time.
The status column for each scanner provides a status message about each successful vulnerability import or failure.
Asset Profiles ::
QRadar SIEM maintains asset profiles for systems in the network. The profiles track host details, such as these examples :
1) IP address
2) Services listening on open ports
3) Vulnerabilities
In addition to technical asset information, asset profiles track user logins to the assets if this information is provided to QRadar SIEM. QRadar SIEM automatically creates and updates asset profiles for systems found in :
• DHCP, DNS, VPN, proxy, firewall NAT and wireless AP logs
• Passively gathered bidirectional flows
• Vulnerability data provided by active scanners
You can create asset profiles manually in the user interface or by import.
QRadar UI >> Assets >> Add Asset Profile
Asset profile information is used for correlation purposes. For example, if an attacker attempts to compromise a certain service running on a specific asset, QRadar SIEM can determine whether the asset is vulnerable to this attack by correlating the attack to the asset profile.
Sources updating the Asset Database ::
1. Active scans : QRadar Vulnerability Manager scanner, Nessus, Nmap, Qualys and others.
2. Passive scans : Flows from QFlow, or from other flow sources in accounting technologies such as IPFIX/NetFlow and sFlow.
Troubleshooting Asset Profiles ::
Whenever QRadar receives identity information for any host, irrespective of whether the host is important to you or not, it generates an asset entry. We have seen cases wherein asset entries have been created for hosts that are not important to you, because QRadar had received identity information about those assets.
If you do not want QRadar to create entries for such assets (which are not important to you), you can use an Exclude Identity parameter so that in future QRadar excludes these assets from the Asset Profile.
For example, say the assets that are important to you have entries with .in.ibm.com in their name. However, you also see a few assets with names similar to .xyz.com being created in the Asset Table. QRadar created them because it had received identity information for those assets. To exclude them, first create a search as shown on the next slide.
You can select any time frame that you want while creating the search.
Once you have the search as you need it, save it for future use by using the Save Criteria button on the Log Activity page.
Ensure that you specify 'Real-time (streaming)' as the search time frame while saving the search; otherwise, any time frame you include in your search will directly impact your identity exclusion matching.
After the search has been saved, you can then run the script which excludes the identity from being added to the asset profiler.
Finally, you need to clean out the old assets so that QRadar can rebuild the Asset DB without including the assets with the hostname .xyz.com. You can either delete all the assets individually or use the following script to clear out the complete Asset Table:
# /opt/qradar/support/cleanAssetModel.sh
This script will remove all assets in your database, along
with all of their ports, vulnerabilities and attributes.
Do you wish to proceed?
1) Yes, remove all assets and restart the asset profiler
2) No, I want to abort NOW
#?
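As an added illustration (not QRadar code) of two points on these slides, the correlation of an attack against an asset profile described under Asset Profiles and the identity exclusion just walked through, the following Python sketch builds a toy asset model from identity and scan data, skips identity records whose hostname ends with an excluded suffix, and classifies attack events against the resulting profiles. The function names, data layout and all sample values (hosts, ports, vulnerability IDs) are constructed for the example.

```python
# Added example, not QRadar code: a toy asset model mirroring the slides. Identity
# data creates asset entries unless the host name is excluded; scan data adds
# services and vulnerabilities; an attack event is correlated against the profile.
from dataclasses import dataclass, field

@dataclass
class AssetProfile:
    ip: str
    hostname: str = ""
    services: dict = field(default_factory=dict)  # port -> service name
    vulns: set = field(default_factory=set)       # vulnerability IDs such as CVEs

def build_asset_model(identity_events, scan_results, exclude_suffixes=()):
    """identity_events: (ip, hostname) from DHCP/DNS/VPN logs; scan_results:
    (ip, port, service, vuln_ids) from an active scanner. Identity records whose
    name ends with an excluded suffix never create an asset (identity exclusion)."""
    assets = {}
    for ip, hostname in identity_events:
        if any(hostname.endswith(s) for s in exclude_suffixes):
            continue  # host is not important to you: no asset entry
        assets.setdefault(ip, AssetProfile(ip)).hostname = hostname
    for ip, port, service, vuln_ids in scan_results:
        asset = assets.setdefault(ip, AssetProfile(ip))
        asset.services[port] = service
        asset.vulns.update(vuln_ids)
    return assets

def correlate(event, assets):
    """Decide whether an attack on (dst_ip, dst_port) using vuln_id can succeed."""
    asset = assets.get(event["dst_ip"])
    if asset is None:
        return "unknown-asset"          # nothing profiled for this target
    if event["dst_port"] not in asset.services:
        return "service-not-listening"  # targeted port is not open on the asset
    if event["vuln_id"] in asset.vulns:
        return "vulnerable"             # scanner reported this weakness here
    return "not-vulnerable"

# Constructed sample data; the vulnerability IDs are placeholders, not real CVEs.
IDENTITY_EVENTS = [("10.0.0.5", "web01.in.ibm.com"), ("10.0.0.9", "printer.xyz.com")]
SCAN_RESULTS = [("10.0.0.5", 443, "https", {"CVE-0000-0001"}), ("10.0.0.5", 22, "ssh", set())]
EVENTS = [{"dst_ip": "10.0.0.5", "dst_port": 443, "vuln_id": "CVE-0000-0001"},
          {"dst_ip": "10.0.0.5", "dst_port": 22, "vuln_id": "CVE-0000-0002"},
          {"dst_ip": "10.0.0.5", "dst_port": 8080, "vuln_id": "CVE-0000-0003"},
          {"dst_ip": "10.0.0.9", "dst_port": 80, "vuln_id": "CVE-0000-0004"}]

def run_demo(exclude_suffixes=(".xyz.com",)):
    assets = build_asset_model(IDENTITY_EVENTS, SCAN_RESULTS, exclude_suffixes)
    return [correlate(e, assets) for e in EVENTS]
```

Calling run_demo() with the default exclusion returns one verdict per event; passing an empty exclusion tuple shows the .xyz.com host appearing in the model, with no services, exactly as the slides describe for unwanted identity data.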
Error Message:
Asset Persistence Queue Disk Full.
Explanation:
The Asset Profile Manager includes a process called asset persistence that allows QRadar to update the profile information for assets, such as IP addresses, MAC addresses, or DNS names. As new asset data becomes available, asset persistence collects it in data sets and queues the information to be processed to update the asset model. When the persistence queue and the disk queue fill with pending asset changes, this notification is generated. Asset persistence updates are blocked until disk space is available.
The notification is generated and new asset changes are blocked from updating, but the information is not dropped. The system otherwise behaves as normal.
Resolution:
To resolve this issue, you can review the following option:
• If a disk full notification is triggered by each scan to alert you that the spillover disk space assigned to the asset persistence queue is full, then you should consider reducing the size of your scan. A reduction in the size of your scan can prevent the asset persistence queues from overflowing.
Error Message:
Asset Update Resolver Queue Disk Full.
Explanation:
The Asset Profile Manager includes a process called the asset resolver that allows QRadar to understand incoming raw scan data and normalize the scan information for QRadar. As new asset data becomes available, the asset resolver processes the raw asset data in data sets and queues the information for the asset persistence process to update the asset model. When the resolver queue and the disk queue fill with pending asset changes, this notification is generated. The system continually writes the data to disk to prevent any data loss. However, if the system has exhausted its disk space, then the notification indicates that the system has dropped scan data.
The notification is generated and new asset data is written to disk until all disk space is consumed. If disk space is unavailable, then the scan information is dropped. The system cannot handle incoming asset scan data until disk space is available.
Resolution:
• Ensure that your QRadar system has free disk space.
• If a disk full notification is triggered by each scan to alert you that the spillover disk space assigned to the asset resolver queue is full, then you should consider reducing the size of your scan or decreasing the scan frequency. A reduction in the scope or frequency of your scan can prevent the asset resolver queues from overflowing.
Error Message :
Asset Changes Aborted.
Explanation:
The Asset Profile Manager includes a process called asset persistence that allows QRadar to update the profile information for assets, such as IP addresses, MAC addresses, or DNS names. As new asset data becomes available, asset persistence collects it in data sets and queues the information to be processed to update the asset model. When a user attempts to add a new asset or edit an asset, the data is placed in temporary storage and added to the end of the change queue. If a large amount of data is in front of the user change, then the asset change can time out and the temporary storage holding the change is deleted. This notification indicates that the system has discarded an asset change due to the volume of pending asset updates present in the system. The notification detail outlines the asset and the information that was discarded.
The notification is generated and a change made to an asset by a user is discarded due to the timeout threshold. The system should behave normally; however, the system is attempting to process a large number of asset changes.
Resolution:
• Wait and attempt to add or edit the asset a second time.
• Stagger the start times of your vulnerability scans or reduce the size of your scans.
If this notification recurs, then you should consider reducing the scan size or changing the start time to prevent a user change from timing out in the asset queue.
Demo ! !