
IBM QRadar 2) Main Features


After the Introduction, this post looks at QRadar's main features and general information.

This post is meant to give you the concept of each feature; the detailed functions will be explained next time.

You can think of QRadar as software installed on RHEL 6.

To be exact, QRadar comes in two types, the 'Appliance type' and the 'Software type', but I will describe QRadar as software for ease of understanding.

Currently the latest version is 7.2, build number 636622.

QRadar 7.2 was released recently.

There are many new features, but they will be posted next time because it would be too long.

Okay.

Let's look at QRadar's architecture before the main features.


It is based on RHEL 6; most raw data is stored in the Ariel database.

Processed data and configuration are stored in PostgreSQL.

The green boxes can be called the core of QRadar: they collect, process and store logs.

All tasks run from the terminal; we can also view them through the SSL web console GUI and work in the graphical interface.

Please ask me if you want to know more about this diagram.

I will post more about it later.

Now let's see the QRadar web console.


As the screenshot shows, a lot of information appears as soon as you connect.

It might look overwhelming, so I will explain each tab.

First, the feature at the top is the 'Dashboard'.

Based on the collected logs, we can confirm which logs were collected most, which actions were detected and what kinds of threats exist in our infrastructure.

There are 5 dashboards supplied by IBM, and we can create a new dashboard using only the widgets we want.



The next tab is 'Offenses', which is the whole purpose of using QRadar.

It shows us threats after analyzing event and flow logs.

It reduces wasted manpower because it shows us only the core information out of a large amount of log data.

The IBM X-Force research institute updates rules that can analyze new threats, and users can also make their own rules; the rules feature is widely used.

But every company's infrastructure is different, so a rule can produce incorrect information.

So we have to customize them.

The Offense feature is very important.

QRadar sits on the top layer of the security diagram, as I told you in the previous post.

In QRadar the Offense feature is the key point; it is what makes QRadar important.

If it is configured correctly, we can confirm and analyze threats without monitoring the UTM / IPS / Viruswall / etc. individually.

So we can think of the Offense feature as the first monitoring screen for viewing threats: it tells users about threats, and users then have to analyze them in the related solution.

We need materials to make something.

To build an integrated threat monitoring system, log and flow data are the materials for making offenses.

● Log Activity - Event Log Data Viewer

● Network Activity - Flow Data Viewer
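To make the idea of "rules turn raw events into offenses, and the rules must be tuned per infrastructure" concrete, here is an added example written for this post. It is not QRadar's rule engine and does not use QRadar's rule syntax; it is a small stand-alone correlation rule of the same kind (repeated authentication failures from one source within a time window), run over constructed sample events. The event format, the IP addresses and the threshold, window and exclusion list are all assumptions made up for the example.

```python
# Added example (not QRadar code): a minimal correlation rule of the kind that
# produces an "offense" from raw event logs.
# Rule: the same source fails authentication `threshold` times within
# `window_minutes` -> raise one offense for that source.
# The threshold, window and exclusion list are the knobs that have to be tuned
# for each infrastructure; with the defaults, a legitimate internal scanner
# below triggers a false offense.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (hypothetical hosts, not from any real system).
SAMPLE_EVENTS = [
    "2014-03-01T09:00:01 sshd auth_failure src=10.0.0.5 dst=10.0.1.10 user=root",
    "2014-03-01T09:00:12 sshd auth_failure src=10.0.0.5 dst=10.0.1.10 user=admin",
    "2014-03-01T09:00:40 sshd auth_failure src=10.0.0.5 dst=10.0.1.11 user=root",
    "2014-03-01T09:01:05 sshd auth_failure src=10.0.0.5 dst=10.0.1.11 user=oracle",
    "2014-03-01T09:01:30 sshd auth_failure src=10.0.0.5 dst=10.0.1.12 user=root",
    "2014-03-01T09:02:00 sshd auth_success src=10.0.0.5 dst=10.0.1.12 user=root",
    # A user who mistypes a password twice, far apart: should not be an offense.
    "2014-03-01T09:10:00 sshd auth_failure src=10.0.0.7 dst=10.0.1.10 user=bob",
    "2014-03-01T09:45:00 sshd auth_failure src=10.0.0.7 dst=10.0.1.10 user=bob",
    # An authorised internal vulnerability scanner (assumed): noisy but benign.
    "2014-03-01T09:00:02 sshd auth_failure src=10.0.0.9 dst=10.0.1.10 user=scanner",
    "2014-03-01T09:00:30 sshd auth_failure src=10.0.0.9 dst=10.0.1.11 user=scanner",
    "2014-03-01T09:01:00 sshd auth_failure src=10.0.0.9 dst=10.0.1.12 user=scanner",
    "2014-03-01T09:01:20 sshd auth_failure src=10.0.0.9 dst=10.0.1.13 user=scanner",
    "2014-03-01T09:01:50 sshd auth_failure src=10.0.0.9 dst=10.0.1.14 user=scanner",
]


def parse_event(line):
    """Split one constructed log line into a dict of fields."""
    ts, service, name, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "service": service, "name": name, **fields}


def correlate(lines, threshold=5, window_minutes=5, excluded_sources=()):
    """Return one offense per source that reaches `threshold` failures
    within a sliding window of `window_minutes`; sources in
    `excluded_sources` are ignored (the per-site tuning)."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # source -> failures still inside the window
    raised = set()
    offenses = []
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        if ev["name"] != "auth_failure" or ev["src"] in excluded_sources:
            continue
        q = recent[ev["src"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in raised:
            raised.add(ev["src"])
            offenses.append({
                "src": ev["src"],
                "count": len(q),
                "targets": sorted({e["dst"] for e in q}),
                "first": q[0]["ts"],
                "last": ev["ts"],
            })
    return offenses


if __name__ == "__main__":
    print("default rule:", [o["src"] for o in correlate(SAMPLE_EVENTS)])
    print("tuned rule:  ", [o["src"] for o in
                             correlate(SAMPLE_EVENTS, excluded_sources=("10.0.0.9",))])
```

With the default rule both 10.0.0.5 and the scanner 10.0.0.9 become offenses; after adding the scanner to the exclusion list only 10.0.0.5 remains, which is the kind of customization the post says every site has to do. Loosening the rule to two failures within an hour would also flag 10.0.0.7, showing how the wrong window turns ordinary typos into offenses.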


So, are log and flow data used only for offenses?

You can think so, but that would be wrong.

They can be used for other functions too.

The original purpose of collecting logs is to make offenses, but once collected, the logs can be used in other ways.

We can extract meaningful data from them.

For example, we can make the charts below.

● Most used Network Application
● Time series Chart for viewing traffic usage


You can read these very easily; using this feature can show us unauthorized web sites or the traffic volume outside working hours.

I gave you a simple example, but we can use this feature to get more meaningful data.

And there is the 'Assets' tab.




As the name says, this feature is for managing the assets in our infrastructure.

But this feature is not good; please don't expect much, I guess it can't have much effect.

It finds the IP list in the infrastructure, but it cannot know details such as the OS, MAC address or owner name, so you have to fill in the asset form by typing manually, which is never useful.

Most companies have far too many servers, networks and solutions for that.

Manual registration in Assets is not useful; there are many better solutions.

There is also a 'Server Discovery' feature in Assets.

It works by finding frequently accessed ports, from which QRadar guesses what kind of server a host is.

So you have to enable the flow feature, and if a server doesn't use a standard port you have to customize the port numbers.

Finally, we can use VA (vulnerability assessment).

It scans how many vulnerabilities exist in the infrastructure.

Before the 7.2 release, QRadar required a third-party scanner program.

When the third-party scanner found a vulnerability, QRadar used its result.

  Open source third-party scanners: NMap, Nessus

Nowadays IBM has released its own scanner for use with QRadar.

But I can't be sure whether it works better than the existing scanners.

If the scanner finds a vulnerability, QRadar manages its resolution through a life-cycle.
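The two flow-based features above, the traffic charts (most used application, traffic outside working hours) and Server Discovery (guessing a host's role from the ports that many clients connect to), are both simple aggregations over flow records. The following added example, written for this post and not taken from QRadar, runs those aggregations over constructed flow records; the record layout, the port-to-application table and the "at least three distinct clients" rule are assumptions chosen for the illustration. It also shows why a server on a non-standard port needs the port table customized, as the post says.

```python
# Added example (not QRadar code): the aggregations behind the "most used
# application" chart, the off-hours traffic view and Server Discovery,
# run over constructed flow records.
from collections import Counter, defaultdict
from datetime import datetime

# Assumed port -> application table (standard ports only).
STANDARD_PORTS = {22: "ssh", 53: "dns", 80: "http", 443: "https", 3306: "mysql"}

# Constructed flow records: (start time, src, dst, dst port, bytes).
# 10.0.1.10 is a web server, 10.0.1.20 a web server on a non-standard port,
# 10.0.1.30 a host one admin reaches over ssh, 203.0.113.5 an external host
# that receives large transfers at night.
SAMPLE_FLOWS = [
    ("2014-03-01T10:05:00", "10.0.0.5", "10.0.1.10", 443, 20000),
    ("2014-03-01T10:07:00", "10.0.0.6", "10.0.1.10", 443, 15000),
    ("2014-03-01T10:09:00", "10.0.0.7", "10.0.1.10", 443, 12000),
    ("2014-03-01T11:00:00", "10.0.0.5", "10.0.1.20", 8443, 5000),
    ("2014-03-01T11:02:00", "10.0.0.6", "10.0.1.20", 8443, 4000),
    ("2014-03-01T11:04:00", "10.0.0.8", "10.0.1.20", 8443, 6000),
    ("2014-03-01T12:00:00", "10.0.0.5", "10.0.1.30", 22, 3000),
    ("2014-03-01T02:30:00", "10.0.0.9", "203.0.113.5", 443, 900000),
    ("2014-03-01T03:10:00", "10.0.0.9", "203.0.113.5", 443, 800000),
]


def app_name(port, port_map):
    """Map a destination port to an application name, or tcp/<port> if unknown."""
    return port_map.get(port, f"tcp/{port}")


def top_applications(flows, port_map=STANDARD_PORTS, n=3):
    """Bytes per application, most used first (the 'most used application' chart)."""
    usage = Counter()
    for _, _, _, port, nbytes in flows:
        usage[app_name(port, port_map)] += nbytes
    return usage.most_common(n)


def off_hours_traffic(flows, work_start=9, work_end=18):
    """Bytes per (src, dst) pair transferred outside working hours,
    the part of the time-series chart worth looking at."""
    out = Counter()
    for ts, src, dst, _, nbytes in flows:
        hour = datetime.fromisoformat(ts).hour
        if not work_start <= hour < work_end:
            out[(src, dst)] += nbytes
    return dict(out)


def discover_servers(flows, port_map=STANDARD_PORTS, min_clients=3):
    """Guess server roles: a host that accepts one port from at least
    `min_clients` distinct sources is reported as a server for that port's
    application. Returns {host: application}."""
    clients = defaultdict(set)
    for _, src, dst, port, _ in flows:
        clients[(dst, port)].add(src)
    return {dst: app_name(port, port_map)
            for (dst, port), srcs in clients.items() if len(srcs) >= min_clients}


if __name__ == "__main__":
    print("top applications:", top_applications(SAMPLE_FLOWS))
    print("off-hours traffic:", off_hours_traffic(SAMPLE_FLOWS))
    print("discovered (standard ports):", discover_servers(SAMPLE_FLOWS))
    # Customizing the port table, as the post says you must for non-standard ports.
    custom = {**STANDARD_PORTS, 8443: "https-alt"}
    print("discovered (custom ports):", discover_servers(SAMPLE_FLOWS, port_map=custom))
```

With the standard table the host on port 8443 is discovered as a server but only labelled `tcp/8443`; after the port table is customized it is reported as `https-alt`. The off-hours view isolates the 1.7 MB sent to 203.0.113.5 at night, which is exactly the kind of thing the post says the time-series chart is for.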

Next is 'Reports'.


I told you that log and flow data can be used for your own purposes.

QRadar collects logs and flows, processes the data and gives us useful information.

Reports are one of the useful outputs of QRadar.

Reports can be generated on a schedule, and we can use the result for regular reporting.

Finally, we will look at the 'Admin' tab.


Here there are many buttons to configure settings related to users, logs and the system.

Finding vulnerabilities, defining dangerous web sites, configuring the data life-cycle: all of these are here.

We have looked at the main features of QRadar.

I will post about QRadar's detailed capabilities later.

See you.


Related Links

IBM QRadar 1) Introduction
