Run DNS forensics with QRadar's big data security extension
Combine QRadar, the X-Force IP Reputation Feed, and InfoSphere BigInsights to deliver a DNS-based forensics system
As organizations open up their networks to devices and increased social media access, traditional security defenses such as firewalls and antivirus software can't adequately protect an organization. According to a recent IBM X-Force Trend and Risk Report, social engineering attacks and mobile exploits have increased each year since 2011. Firewalls and traditional security products do little against advanced threats that use unreported techniques, or that have already invaded an organization.
In this video, I demonstrate how to make the QRadar SIEM tool deliver tighter, more intelligent DNS and IP access security by combining three components:
- The QRadar big data extension (an InfoSphere® BigInsights™ engine)
- The IBM Security X-Force IP Reputation Intelligence Feed
- A whois parsing service
How X-Force and QRadar work together
The IBM Security X-Force IP Reputation Intelligence Feed delivers insight into suspect entities on the Internet, based on knowledge of more than 15 billion web pages and images. The X-Force IP Reputation Feed provides QRadar with a real-time list of potentially malicious IP addresses, including malware hosts and spam sources, among other threats.
The feed adds dynamic Internet threat data to the analytical capabilities of the QRadar Security Intelligence Platform, enriching QRadar's threat analysis capabilities with up-to-the-minute data. It:
- Automatically feeds X-Force data into QRadar.
- Provides vulnerability coverage across a wide range of use cases.
- Uses IBM X-Force's proven data collection efforts and extensive knowledge base.
Using QRadar's big data extension
In the video demo, I illustrate QRadar's big data extension by doing some DNS forensics and showing you how to get more information out of DNS BIND. (BIND is one of the most widely used pieces of DNS software on the Internet. Also known as named (name daemon), it is considered the de facto standard DNS server.)
My goal is to take a list of all the domains visited by all employees and correlate it with the IBM Security X-Force IP Reputation Intelligence Feed and registrar information for each of those domains from whoisxmlapi.com. From this analysis, I show you how to produce three reference sets that you can feed into QRadar to create or modify existing rules.
Normal DNS BIND gathers about the same limited information as ping. But if you do a whois, you get a wealth of information:
- When registered and registration expiration
- Registrant name and address
- Admin name, admin address, and phone
This information can add to your security layer: attackers often register a domain specifically to start an attack. If your security system can add the registration date to its assessment, it can flag recently registered domains as suspicious.
Other pieces of information can also enhance your security efforts, such as:
- Valid registrant and admin names
- Valid registrant and admin addresses
- Valid postal code that is correct for the city/state
- Valid phone number and the area code for the calling area
And probably most importantly: does this pattern of names, addresses, and phone numbers correlate with previously known risky domains?
In the demo, I show you how to take all the raw logs that my users generate when they go on the Internet and have QRadar process them. Using QRadar's standard custom-properties procedure, I extract the massive list of all the domains that were accessed.
The Whois API Hosted Webservice returns well-parsed whois fields to your application in formats like XML and JSON per HTTP request, without query limits. The service can:
- Automatically follow the whois registry referral chains until it finds the correct registrars for the most complete data.
- Parse a variety of free-form whois data into well-structured fields (in XML and JSON) that your application can read.
- Parse out the name, organization, street, city, state/province, postal code, phone number, and fax from a free-form human-written contact address.
- Work over basic HTTP, so you don't run into problems related to firewalls or to reaching whois servers on port 43.
- Return an indication of whether a domain is available.
- Return registry dates in their original format and in a normalized format.
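If you run your own whois parsing service instead of the hosted one, the core of it is turning free-form `key: value` whois text into the structured fields listed above. The following parser is an added example written for this article; it is not the article's code or whoisxmlapi's. The whois record is constructed sample data, and the label table and the list of date layouts are assumptions that you would extend for the registries you actually query.

```python
"""Added example (not the article's or whoisxmlapi's code): a small parser that
turns a free-form, key: value whois text record into the structured fields the
article lists, with registry dates kept in their original form and normalized.
The record below is constructed sample data; real registries vary their
labels and date formats, so the label and format tables are assumptions."""
from datetime import datetime
import re

# Constructed whois text in the key: value layout many registries use.
SAMPLE_WHOIS = """\
Domain Name: PROMO-LOGIN-VERIFY.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 08-mar-2014
Registry Expiry Date: 2015-03-08T00:00:00Z
Registrant Name: J. Doe
Registrant Organization: Doe Promotions
Registrant Street: 123 Main St
Registrant City: New York
Registrant State/Province: NY
Registrant Postal Code: 10001
Registrant Phone: +1.2125550199
Registrant Email: jdoe@promo-login-verify.example
Admin Name: J. Doe
Admin Phone: +1.2125550199
Admin Fax: +1.2125550198
"""

# Date layouts seen in whois output (assumed list; extend for other registries).
DATE_FORMATS = ("%d-%b-%Y", "%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%Y-%m-%d %H:%M:%S")
# Top-level labels -> field names, and contact labels -> field names (assumed).
RECORD_FIELDS = {"domain name": "domainName", "registrar": "registrar",
                 "creation date": "createdDate", "created": "createdDate",
                 "registry expiry date": "expiresDate", "expiration date": "expiresDate",
                 "updated date": "updatedDate"}
CONTACT_FIELDS = {"name": "name", "organization": "organization", "street": "street",
                  "city": "city", "state/province": "state", "postal code": "postalCode",
                  "phone": "telephone", "fax": "fax", "email": "email"}


def normalize_date(raw):
    """Return the date as YYYY-MM-DD, or None if no known layout matches."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(raw.strip(), fmt).strftime("%Y-%m-%d")
        except ValueError:
            continue
    return None


def parse_whois(text):
    """Split a whois record into top-level fields and per-role contact fields."""
    record = {"available": bool(re.match(r"\s*no match", text, re.I)),
              "registrant": {}, "admin": {}}
    for line in text.splitlines():
        key, sep, value = line.partition(":")      # first colon only: values may hold colons
        key, value = key.strip().lower(), value.strip()
        if not sep or not value:
            continue                                # blank, comment or continuation line
        role = next((r for r in ("registrant", "admin") if key.startswith(r + " ")), None)
        if role:
            label = key[len(role) + 1:]             # e.g. "postal code"
            record[role][CONTACT_FIELDS.get(label, label)] = value
        elif key in RECORD_FIELDS:
            record[RECORD_FIELDS[key]] = value
    for name in ("createdDate", "expiresDate", "updatedDate"):
        if name in record:                          # keep the original, add a normalized copy
            record[name + "Normalized"] = normalize_date(record[name])
    return record


if __name__ == "__main__":
    import json
    print(json.dumps(parse_whois(SAMPLE_WHOIS), indent=2))
```

The parser keeps the registry's original date string next to the normalized one, which is what you want when a registration date later has to be defended in an investigation: the normalized value feeds the age check, the original shows what the registry actually said. A record that begins with a "No match" line is reported as available rather than parsed.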
Next, I take the resulting data and combine it with the IBM Security X-Force IP Reputation Intelligence Feed. Every eight hours, I process this data into three different reference sets:
- Risky users
- Risky domains
- Risky IPs
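The following script is an added example, written for this article and not taken from the video or from IBM, of what that eight-hour job does end to end: it applies the whois signals discussed earlier (a recent registration date, a registrant name and phone pattern shared with a previously known risky domain, a postal code inconsistent with the state) together with a reputation hit on the resolved IP, and produces the three reference sets. Every input is constructed sample data: the BIND query-log lines, the resolved addresses (RFC 5737 documentation ranges), the whois records, the reputation list, and the partial ZIP-prefix table. The whois field names (`createdDate`, `registrant`, `postalCode`, `telephone`) are assumptions for this example, not the hosted API's schema, and the client IP stands in for the user identity that QRadar would normally supply.

```python
"""Added example (not code from the article or from IBM): build the three
reference sets the article describes (risky users, risky domains, risky IPs)
from constructed BIND query-log lines, constructed whois records and a
constructed stand-in for the X-Force IP reputation feed. The whois field
names (createdDate, registrant, ...) are assumptions for this example."""
from datetime import date
import json
import re

AS_OF = date(2014, 3, 10)   # "today" for the constructed data
MAX_AGE_DAYS = 30           # registrations newer than this count as suspicious

# Constructed BIND "queries" channel lines (client address, queried name).
DNS_LOG = """\
10-Mar-2014 09:12:01.113 client 10.1.2.34#52311: query: www.example.com IN A + (10.0.0.5)
10-Mar-2014 09:12:07.442 client 10.1.2.57#40122: query: promo-login-verify.example IN A + (10.0.0.5)
10-Mar-2014 09:12:09.007 client 10.1.2.57#40123: query: cdn.example.net IN A + (10.0.0.5)
10-Mar-2014 09:13:44.218 client 10.1.2.88#33001: query: update-check.example IN A + (10.0.0.5)
10-Mar-2014 09:14:02.590 client 10.1.2.57#40130: query: secure-docs.example IN A + (10.0.0.5)
"""
# Constructed answers for those names (RFC 5737 documentation ranges).
RESOLVED = {"www.example.com": "192.0.2.10", "promo-login-verify.example": "203.0.113.9",
            "cdn.example.net": "198.51.100.20", "update-check.example": "203.0.113.44",
            "secure-docs.example": "203.0.113.45"}
# Constructed whois answers in the shape a JSON whois service might return (assumed keys).
WHOIS_JSON = json.dumps({
    "www.example.com": {"createdDate": "2001-05-10", "registrant": {"name": "Example Corp",
        "state": "CA", "postalCode": "90001", "telephone": "+1.2135550100"}},
    "promo-login-verify.example": {"createdDate": "2014-03-08", "registrant": {"name": "J. Doe",
        "state": "NY", "postalCode": "10001", "telephone": "+1.2125550199"}},
    "cdn.example.net": {"createdDate": "2010-01-20", "registrant": {"name": "CDN Holdings",
        "state": "CA", "postalCode": "94105", "telephone": "+1.4155550123"}},
    "update-check.example": {"createdDate": "2012-06-01", "registrant": {"name": "Update Services",
        "state": "CA", "postalCode": "10001", "telephone": "+1.3105550177"}},
    "secure-docs.example": {"createdDate": "2011-09-15", "registrant": {"name": "J. Doe",
        "state": "NY", "postalCode": "10001", "telephone": "+1.2125550199"}},
})
# Constructed stand-in for the X-Force feed: listed IP -> category.
REPUTATION_FEED = {"203.0.113.44": "malware host"}
# Constructed: domains confirmed risky in an earlier eight-hour run.
KNOWN_RISKY_DOMAINS = {"promo-login-verify.example"}
# Constructed and partial: first two ZIP digits that belong to each US state.
ZIP_PREFIX_BY_STATE = {"CA": ("90", "96"), "NY": ("10", "14")}

QUERY_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(\d+\.\d+\.\d+\.\d+)#\d+"
                      r"(?: \([^)]*\))?: query: (\S+) IN")


def parse_queries(log_text):
    """Yield (client_ip, domain) from BIND query-log lines; skip non-matching lines."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def contact_fingerprint(rec):
    """Registrant name plus phone: the pattern that repeats across an attacker's domains."""
    r = rec["registrant"]
    return r["name"].strip().lower(), r["telephone"]


def address_consistent(rec):
    """Check that the postal code falls in the registrant state's ZIP prefix range."""
    r = rec["registrant"]
    lo, hi = ZIP_PREFIX_BY_STATE.get(r["state"], ("00", "99"))
    return lo <= r["postalCode"][:2] <= hi


def domain_age_days(rec, today):
    y, m, d = (int(x) for x in rec["createdDate"].split("-"))
    return (today - date(y, m, d)).days


def build_reference_sets(log_text, whois_json, resolved, feed, known_risky, today):
    """Return the three reference sets plus the reason each domain was flagged."""
    whois = json.loads(whois_json)
    bad_prints = {contact_fingerprint(whois[d]) for d in known_risky if d in whois}
    risky_domains, reasons = set(known_risky), {}
    for domain, rec in whois.items():
        why = []
        age = domain_age_days(rec, today)
        if age < MAX_AGE_DAYS:
            why.append("registered %d days ago" % age)
        if domain not in known_risky and contact_fingerprint(rec) in bad_prints:
            why.append("registrant matches a known risky domain")
        if not address_consistent(rec):
            why.append("postal code does not match state")
        if resolved.get(domain) in feed:
            why.append("resolves to listed IP (%s)" % feed[resolved[domain]])
        if why:
            risky_domains.add(domain)
            reasons[domain] = why
    risky_ips = {resolved[d] for d in risky_domains if d in resolved}
    risky_users = {c for c, d in parse_queries(log_text) if d in risky_domains}
    return {"risky_domains": risky_domains, "risky_ips": risky_ips,
            "risky_users": risky_users, "reasons": reasons}


def run_demo():
    """Run the constructed data through the pipeline, as the eight-hour job would."""
    return build_reference_sets(DNS_LOG, WHOIS_JSON, RESOLVED, REPUTATION_FEED,
                                KNOWN_RISKY_DOMAINS, AS_OF)


if __name__ == "__main__":
    sets = run_demo()
    for name in ("risky_users", "risky_domains", "risky_ips"):
        print(name + ":", ", ".join(sorted(sets[name])))
    for domain, why in sets["reasons"].items():
        print("  %s: %s" % (domain, "; ".join(why)))
```

Two design points matter when you turn this into a real job. First, keep the `reasons` alongside the sets: a reference set in QRadar is just a list of values, and an analyst triaging the rule that fires on it needs to know whether a domain landed there because it was two days old or because it shares a registrant phone number with a confirmed bad domain. Second, the contact-pattern check only finds reuse of names and numbers you have already seen; it is a way of growing the risky-domain set from one confirmed case to its siblings, not a substitute for the reputation feed.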
Watch the video to see the process in action and the results.
- See these resources for the topics in
- Visit this site for more on IBM X-Force solutions.
- Learn how to use dynamic X-Force intelligence with QRadar to detect Internet threats.
- This data sheet explains how to use the IBM Security X-Force Threat Intelligence feed.
- Join the author to explore the combination of QRadar and big data more deeply in this video (18:23).
- Discover the many ways that the IBM QRadar Security Intelligence Platform can help you detect and defend against network security threats.
- Learn how InfoSphere BigInsights makes managing large sets of disparate data more automated.
- To dig deeper into using big data to enhance security intelligence, you might also be interested in these
- IBM's strategy on using big data to enhance security intelligence.
- Tools that apply advanced analytics and automation to massive amounts of data, events, and network flows enhance security intelligence.
- White paper on how to extend your QRadar SIEM/big data/security intelligence solution to incorporate InfoSphere BigInsights.
- Explore developerWorks IT security from a different perspective: Look at the monthly Security on developerWorks newsletter.