Sirius enhances IBM QRadar with Custom Scripting for Backup and Disaster Recovery

By | 5 minute read | September 22, 2020

Disaster recovery is a complex task that many companies still fail to focus on. It’s only when an emergency strikes that they realize the shortcomings of their existing backup, restoration and failover solutions. By that time, it’s too late and the results can be catastrophic. What could have been a fast and simple recovery process can expand to days or weeks, costing millions of dollars in downtime.

One of the biggest problems in creating an effective disaster recovery solution is backing up data from specific products. Each application has its own unique requirements and idiosyncrasies; unless administrators pay attention, it’s easy for that application’s data to fall through the cracks.

Sirius Computer Solutions, Inc. won the 2020 IBM Beacon Award for Outstanding Security Solution by applying its security and disaster recovery expertise to a crucial security tool: IBM QRadar. Its Custom Scripting for QRadar Backup and Disaster Recovery solution has helped several companies protect their critical cybersecurity data, saving them valuable backup and restoration time and protecting them from regulatory costs.

Enhancing QRadar
IBM QRadar is a venerable security incident and event management (SIEM) tool. It helps thousands of companies around the world log incidents affecting their infrastructure so they can gain new insights into emerging security threats. As with all best-in-class tools, though, it occasionally omits some functionality that specific clients require.

One such feature involves remote backup. QRadar offers excellent backup facilities for its logs and configuration files, but only to a local file system. Each backup file contains 24 hours of data, and it backs up seven days of files by default.

Those backup features don’t meet all clients’ needs, especially when it comes to remote backups. Sirius worked with two companies, one in the energy sector and another in finance, to enhance QRadar’s backup capabilities using its own custom scripting capabilities.

“Those are very regulated industries with strict requirements that they have to meet,” explains Mike Jiencke, senior solutions architect for Security at Sirius. “They must have the ability to provide archival information.”

The energy provider managed two data centers in different cities. It had been using a one-line script that would copy the local backup files from one data center to the other.

Because the client wanted one data center to serve as a backup site for the other while also functioning as a “hot” site, they couldn’t simply back up one site’s QRadar files to the other because that would overwrite the second site’s QRadar configuration files, which are unique to its network. That would create technical and compliance problems.

Scripts to the rescue
The energy provider needed a custom solution, so it called in Sirius for help. Sirius consultants created two classes of script. The first used QRadar’s Content Manager to copy the necessary files into a staging directory and then to the disaster recovery site. The other, a custom Python script, filled in a crucial missing part of the puzzle that the Content Manager didn’t cover: migrating the separate QRadar network hierarchy at the disaster recovery site.

While creating that solution, Sirius also engineered a solution to ensure that required log and flow data are available at both locations via forwarding and aggregation methods.

The overall solution cut the company’s SIEM management time in half while keeping a full record of its rules, reports and custom properties. It provided total control and monitoring capability for its SIEM implementation across both sites.

Creating a reliable data backup solution
The financial client had a problem similar to the energy company’s in that it needed to maintain copies of operational data including QRadar files between different backup sites. However, with terabytes of data spread around those sites, it needed a solution that would allow it to back up data from a specific point in time to remote storage.

The client had worked with Sirius for over a decade, so it felt confident calling upon Sirius’ consultants to audit its six-year-old QRadar implementation. The audit found that the client didn’t have those backup capabilities in place. Instead, an array of QRadar appliances scattered across its various data centers were backing up data locally. If the company ever needed to recover its data, it would need to work around the clock for at least a week to restore all of the data necessary for it to resume operations.

Sirius worked quickly to rectify the situation. It implemented remote backup scripts on each of the company’s QRadar appliances, configuring them so they would back up data to a central offsite location.

Jiencke also made the scripts easy to administer, programming them to inspect their local appliance’s file system and to see what data requires backup each time they are restarted. The scripts then automatically back up any outstanding data to bring the remote copy back into sync. This lets the financial company’s IT team take a hands-off approach to remote backups on its QRadar appliances, monitoring only the system’s success and failure notifications, which minimizes backup errors while freeing administrators to work on other projects.

Sirius also wrote the scripts to be modular and simple to implement. This allows the client to apply the scripts to new QRadar appliances in the future, keeping it protected as its infrastructure grows.
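The catch-up behaviour described above (inspect the local backup directory on each run, ship only what has not been shipped yet, and keep site-specific configuration archives out of the copy so they cannot overwrite the other site’s configuration) can be sketched as follows. This is an added illustration, not Sirius’ or IBM’s code; the file-name convention `backup.<config|data>.<YYYYMMDD>.tgz`, the JSON state file and the staging directory are assumptions made for the example.

```python
"""Idempotent catch-up copy of backup archives into a staging area (illustrative)."""
import hashlib
import json
import shutil
from pathlib import Path

# Assumed naming convention for the example: backup.<kind>.<YYYYMMDD>.tgz,
# where kind is "config" or "data". Real QRadar file names differ.
def classify(name: str):
    parts = name.split(".")
    if (len(parts) == 4 and parts[0] == "backup" and parts[3] == "tgz"
            and parts[1] in ("config", "data")):
        return parts[1], parts[2]          # (kind, date)
    return None

def sha256_of(path: Path) -> str:
    """Digest used to detect an archive that was rewritten after it was shipped."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def ship_outstanding(backup_dir: Path, staging_dir: Path, state_file: Path,
                     include_config: bool = False):
    """Copy every archive not yet recorded in state_file into staging_dir.

    Safe to re-run after a restart: archives already shipped with an unchanged
    digest are skipped. Config archives are excluded by default because restoring
    them at the DR site would overwrite that site's own configuration.
    Returns the names shipped on this run, in sorted order.
    """
    state = json.loads(state_file.read_text()) if state_file.exists() else {}
    staging_dir.mkdir(parents=True, exist_ok=True)
    shipped = []
    for path in sorted(backup_dir.glob("backup.*.tgz")):
        info = classify(path.name)
        if info is None:
            continue                        # not an archive we manage
        kind, _date = info
        if kind == "config" and not include_config:
            continue                        # site-specific; never overwrite DR site
        digest = sha256_of(path)
        if state.get(path.name) == digest:
            continue                        # already shipped and unchanged
        shutil.copy2(path, staging_dir / path.name)
        state[path.name] = digest
        shipped.append(path.name)
    state_file.write_text(json.dumps(state, indent=1))
    return shipped
```

The staging directory is what a separate transfer step (or the Content Manager workflow the article mentions) would push to the remote site; the state file is what makes the script restart-safe.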

Thanks to the new scripting solution, the financial company can now restore its QRadar data en masse, helping accelerate recovery times. It only retains the data necessary to meet recovery point objectives, saving storage space and complexity.

Sirius’ long relationship with IBM has been instrumental in helping the solutions integrator enhance IBM products with advanced custom services and solutions, explains Jiencke. “We’ve been active on IBM councils and have been deeply involved from a channel perspective, providing feedback to IBM on an ongoing basis for decades now,” he says.

Sirius’ Beacon Award illustrates perfectly the value of human capital. Jiencke is responsible for writing scripts like these, which will differ between clients to meet a range of unique needs. Along with the ease of management and custom functionality that clients need, it also offers IT administrators and compliance managers alike a powerful benefit: peace of mind.
