As organizations open up their networks to devices and increased social media access, traditional security defenses such as firewalls and antivirus software can't adequately protect an organization. According to a recent IBM X-Force Trend and Risk Report, social engineering attacks and mobile exploits have increased each year since 2011. Firewalls and traditional security products do little against advanced threats that use unreported techniques, or that have already invaded an organization.
In this video, I demonstrate how to make the QRadar SIEM tool provide tighter, more intelligent DNS and IP access security by combining three components:
- The QRadar big data extension (an InfoSphere® BigInsights™ engine)
- The IBM Security X-Force IP Reputation Intelligence Feed
- A whois parsing service
How X-Force and QRadar work together
The IBM Security X-Force IP Reputation Intelligence Feed delivers insight into suspect entities on the Internet, based on knowledge of more than 15 billion web pages and images. The X-Force IP Reputation Feed provides QRadar with a real-time list of potentially malicious IP addresses, including malware hosts, spam sources, and other threats.
The feed adds dynamic Internet threat data to the analytical capabilities of the QRadar Security Intelligence Platform, enriching QRadar's threat analysis capabilities with up-to-the-minute data. It:
- Automatically feeds X-Force data into QRadar.
- Provides vulnerability coverage across a wide range of use cases.
- Uses IBM X-Force's proven data collection efforts and extensive knowledge base.
Using QRadar's big data extension
In the video demo, I illustrate QRadar's big data extension by doing a little DNS forensics and show you how to get more information out of DNS BIND. (BIND is one of the most widely used pieces of DNS software on the Internet. Also known as named, the name daemon, it is considered the de facto standard DNS server.)
My goal is to take a list of all the domains visited by all employees and correlate it with the IBM Security X-Force IP Reputation Intelligence Feed and registrar information for each of those domains from whoisxmlapi.com. From this analysis, I show you how to produce three reference sets that you can feed into QRadar to create or modify existing rules.
Normal DNS BIND logging gathers about the same limited information as ping. But if you do a whois lookup, you get a wealth of information:
- When registered and registration expiration
- Registrant name and address
- Admin name, admin address, and phone
This information can add to your security layer: attackers often register a domain shortly before starting an attack. If your security system can add the registration date to its assessment, it can flag recently registered domains as suspicious.
Other checks on the registration data can also enhance your security efforts, such as whether the record has:
- Valid registrant and admin names
- Valid registrant and admin addresses
- Valid postal code that is correct for the city/state
- Valid phone number and the area code for the calling area
And, probably most importantly, whether this pattern of names, addresses, and phone numbers correlates with previously known risky domains.
In the demo, I show you how to take all the raw logs that my users generate when they go on the Internet and have QRadar process them. With the QRadar custom properties standard procedure, I extract the massive list of all the domains that were accessed.
The Whois API Hosted Webservice returns well-parsed whois fields to your application, in formats such as XML and JSON, per HTTP request and without query limits. The service can:
- Automatically follow the whois registry referral chains until it finds the correct registrars for the most complete data.
- Parse a variety of free-form whois data into well-structured fields (in XML and JSON) that your application can read.
- Parse out the name, organization, street, city, state/province, postal code, phone number, and fax from a free-form human-written contact address.
- Work over basic HTTP so you don't run into problems that are related to firewalls or accessing Whois servers on port 43.
- Return an indication of whether a domain is available.
- Return registry dates in their original format and in a normalized format.
Next, I take the resulting data and combine it with the IBM Security X-Force IP Reputation Intelligence Feed. Every eight hours, I process this data into three different reference sets:
- Risky users
- Risky domains
- Risky IPs
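The pipeline described above, from BIND query log to the three reference sets, as an added Python example that is not part of the original article or the demo: the log lines, whois records, resolver answers and reputation entries are all constructed, the whois field names are an assumption rather than the whoisxmlapi.com schema, and the registered-domain reduction is deliberately naive.

```python
import re
from datetime import datetime

# Constructed sample lines in the older BIND 9 query-log format (not real traffic).
BIND_LOG = """\
10-Mar-2014 09:12:01.123 client 10.1.2.10#51234: query: www.example.com IN A + (10.1.2.1)
10-Mar-2014 09:12:05.456 client 10.1.2.11#40012: query: newly-made.test IN A + (10.1.2.1)
10-Mar-2014 09:12:07.789 client 10.1.2.12#40013: query: badhost.test IN A + (10.1.2.1)
"""
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")

# Constructed whois records (field names are an assumption, not the whoisxmlapi.com
# schema), constructed resolver answers, and a constructed X-Force-style reputation list.
WHOIS = {
    "example.com": {"createdDate": "1995-08-14", "registrant": "Example Org"},
    "newly-made.test": {"createdDate": "2014-03-08", "registrant": "anon"},
    "badhost.test": {"createdDate": "2012-01-01", "registrant": "anon"},
}
RESOLVED = {"example.com": "203.0.113.10", "newly-made.test": "198.51.100.7",
            "badhost.test": "198.51.100.9"}
XFORCE_BAD_IPS = {"198.51.100.9": "malware host"}
NEW_DOMAIN_DAYS = 30  # registrations younger than this are treated as suspicious

def registered_domain(qname):
    """Reduce a query name to its last two labels (naive; ignores public-suffix lists)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse_bind_log(text):
    """Return (client_ip, registered_domain) pairs, like the QRadar custom-property extraction."""
    return [(m.group("client"), registered_domain(m.group("qname")))
            for m in QUERY_RE.finditer(text)]

def build_reference_sets(pairs, whois, resolved, bad_ips, today):
    """Correlate each lookup with whois age and IP reputation; return the three reference sets."""
    now = datetime.strptime(today, "%Y-%m-%d")
    risky_users, risky_domains, risky_ips = set(), set(), set()
    for client, domain in pairs:
        rec = whois.get(domain)
        ip = resolved.get(domain)
        too_new = rec is not None and \
            (now - datetime.strptime(rec["createdDate"], "%Y-%m-%d")).days < NEW_DOMAIN_DAYS
        listed = ip in bad_ips  # X-Force flags the address the domain resolves to
        if too_new or listed:  # either signal puts user, domain and IP in the sets
            risky_users.add(client)
            risky_domains.add(domain)
            if ip:
                risky_ips.add(ip)
    return risky_users, risky_domains, risky_ips
```

The three returned sets map directly onto the Risky users, Risky domains and Risky IPs reference sets that QRadar rules can test against.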
Watch the video to see the process in action and the results.
- See these resources for the topics in this article:
- Visit this site for more on IBM X-Force solutions.
- Learn how to use dynamic X-Force intelligence with QRadar to detect Internet threats.
- This data sheet explains how to use the IBM Security X-Force Threat Intelligence feed.
- Join the author to explore the combination of QRadar and big data more deeply in this video (18:23).
- Discover the many ways that the IBM QRadar Security Intelligence Platform can help you detect and defend against network security threats.
- Learn how InfoSphere BigInsights makes managing large sets of disparate data more automated.
- Read this IBM white paper, which provides an overview of how to extend security intelligence with big data solutions.
- To dig deeper into using big data to enhance security intelligence, you might also be interested in these resources:
- IBM's strategy on using big data to enhance security intelligence.
- Tools that apply advanced analytics and automation to massive amounts of data, events, and network flows enhance security intelligence.
- White paper on how to extend your QRadar SIEM/big data/security intelligence solution to incorporate InfoSphere BigInsights.