An architectural view of QRadar Vulnerability Manager
Adding enhanced scanning and analysis capabilities to QRadar SIEM
Three current trends can seriously compromise an IT system's ability to continuously monitor security:
- The nature of the advanced persistent threat: Vulnerabilities are increasing in both volume and severity, and attackers are also learning how to attack faster.
- Rapid evolution of IT infrastructures: The increasing speed and complexity of IT systems, plus the adoption of new technologies such as cloud, mobile, and social, are making risk discovery a tougher job.
- The realization that requirements compliance does not provide enough information to make a coherent decision on the risks your IT environment may be facing.
Figure 1 demonstrates the increasing threat to IT systems—in 2012 alone.
Figure 1. 2012 sampling of security incidents by attack type, time, and relative impact
For organizations seeking to optimize vulnerability assessment, better protect sensitive information assets, and to overcome the limitations to comprehensive security caused by these trends, IBM Security QRadar Vulnerability Manager uses security intelligence to deliver actionable and timely insight into system and network vulnerabilities. QRadar Vulnerability Manager does this by adding the two following capabilities to IBM Security QRadar SIEM:
- Scan management, which includes configuring and scheduling system scans and then arranging the results
- Vulnerabilities management, which includes arranging how vulnerabilities are presented (by network, asset, vulnerability type, severity, status) for remediation and categorization processes
QRadar Vulnerability Manager correlates vulnerability scan data with network flow and log events from other IBM Security QRadar offerings. This, in turn, helps identify and prioritize security exposures for remediation. The main goal is to reduce overwhelming lists of issues to be addressed by security teams; advanced filtering and quick search capabilities help to exclude vulnerabilities:
- Hidden behind firewalls
- Blocked by IPS systems
- Already scheduled for software patching
- Associated with applications that are present but inactive
Although QRadar Vulnerability Manager is an optimal solution for the same industries as the QRadar SIEM technologies (financial services, government, energy and utilities, and healthcare), most enterprise IT systems with external exposure would benefit from its capabilities.
Before looking deeper into QRadar Vulnerability Manager, let's examine some common enterprise vulnerability management requirements.
Vulnerability management requirements
To create an effective enterprise vulnerability management solution, make sure to look for these capabilities and features:
- It should integrate seamlessly with your existing security intelligence.
- It should be able to import vulnerability assessment and scan results sources for centralized reporting, dash boarding, and analysis.
- It should be able to transparently use all existing points of presence for scanning purposes.
- It should maintain a single, current, unified asset database that provides a complete view of an asset based on data collected from logs, passive scanning, active scanning, and integrations with third-party inventory and governance, risk management, and compliance systems.
- It should integrate with existing security processes such as asset owners, network hierarchy definitions, users, and roles.
- It can trigger asset scans as new assets are detected on the network or in response to suspicious behavior (this keeps profile information as current as possible).
- It should accurately identify and profile such assets as device type, install OS, patch levels, services that are running, installed applications, application activity (including downloads), Internet usage and network behavior, and users that have logged on to the asset.
- It should be updated daily with new vulnerability information.
- It should be CVE compliant (Common Vulnerabilities and Exposures) and provide vulnerability risk scoring based on accepted industry standards (CVE and CVSS, Common Vulnerability Scoring System).
- It can orchestrate a high volume of concurrent assessments without disturbing normal network operations.
- It should be able to scan both external facing and internal IP ranges (in zero privileged or credentialed mode), perform privileged scanning of network devices, and scan virtual hosts.
- It should provide a flexible and automated remediation assignment capability.
- It should provide easy access through a web-based interface.
- It uses a cascade permissions structure (each user has personalized information based on their role and the assets they are responsible for managing) to deliver role-based reporting and operational functionality.
- It makes it easy for multiple users to scan and rescan for more effective remediation.
- It makes it easy to remove acceptable risks and false positives from reporting and workflow based on customer defined business rules.
- It can capture an audit trail associated with any activity (discovery, assignments, notes, exceptions, remediation, and so on).
- It can use passive correlation to generate alerts and reports on newly emerging vulnerabilities between scans.
QRadar Vulnerability Manager architecture
QRadar Vulnerability Manager is a fully integrated member of the IBM QRadar Security Intelligence Platform (Figure 2). It leverages existing QRadar appliances to conduct dynamic, event-driven asset searches as well as regularly scheduled scans, enabling a real-time and constantly updated view of your organization's security posture. QRadar Vulnerability Manager derives a rich security context from such information as network flow data, asset configurations, and threat intelligence sources.
Figure 2. Where QVM fits into the QRadar lineup
Adding QRadar Vulnerability Manager to the QRadar lineup provides these additional features:
- Two new deployable components:
- QVM Console, which delivers scan definitions, a scan scheduling engine, and organizes scan results
- QVM Scanner, which performs scan tasks as part of an overall scan
- Hosted Scanner, a component hosted by IBM that lets you scan a customer's DMZ from the Internet
QVM already exists within most QRadar SIEM environments as standard code that can be quickly activated using a licensing key. And once installed, it just shows up as a new tab on your IBM Security QRadar SIEM console window.
The capabilities QRadar Vulnerability Manager adds are:
- An embedded, well-proven, scalable PCI-certified scanner
- The ability to detect 70,000+ vulnerabilities
- Tracking through the National Vulnerability Database (CVE)
- An integrated external scanner
- A complete vulnerability view supporting third-party vulnerability system data feeds
- Support for the exception and remediation processes of virtual machines with seamlessly integrated reporting and dash boarding
These features and capabilities add the following attributes to your security system:
- Proactivity: Helps prevent damaging attacks by discovering and highlighting high-risk vulnerabilities
- Actionability: Helps prioritize remediation and mitigation activities by providing advanced filtering and quick search capabilities leveraging network context
- Awareness: Quickly conducts network scans either periodically or dynamically whenever new devices appear or in response to suspicious behaviors, helping maintain an accurate and updated view of all network assets
The major attribute of QRadar Vulnerability Manager is that it allows you to combine automated vulnerability scanning with a superior understanding of device configurations, network topology, and traffic patterns. This makes it much easier to enable proactive protective measures. It also means that QVM's real value isn't in the fact that it performs network scans, but that it helps you intelligently interpret the results.
QRadar Vulnerability Manager works by categorizing your vulnerabilities into workable groups and functions:
- Not Active: By leveraging QFlow Collector, QVM can tell if the vulnerable application is active. QFlow Collector provides Layer 7 application visibility and flow analysis to help you understand and respond to activities throughout your network.
- Patched: By leveraging Endpoint Manager, QVM understands what vulnerabilities will be patched. IBM Endpoint Manager manages and secures mobile devices, laptops, desktops, and servers.
- Blocked: By leveraging QRadar Risk Manager, QVM can understand what vulnerabilities are blocked by firewalls and IPSs. QRadar Risk Manager monitors network topology, switch, router, firewall, and Intrusion Prevention System (IPS) configurations to reduce risk and increase compliance.
- Critical: By leveraging its vulnerability knowledge base, remediation flow, and QRM policies, QVM can identify business critical vulnerabilities.
- At Risk: By utilizing X-Force threat and SIEM security incident data, coupled with QFlow network traffic visibility, QVM can tell if vulnerable assets are communicating with potential threats.
- Exploited: By leveraging SIEM correlation and IPS data, QVM can reveal what vulnerabilities have been exploited.
QRadar Vulnerability Manager meets the challenges of the three security areas that are currently trending—advanced persistent threats, increasing IT security monitoring complexity, and the limits of compliance as a security tool.
Defense for advanced persistent threats
These stealthy attacks continue until the perpetrators succeed by exploiting all available opportunities. Organizations can improve defenses by patching, blocking, or monitoring as many high-impact vulnerabilities as they can. QRadar Vulnerability Manager meets this challenge by:
- Leveraging the existing appliance infrastructure and security intelligence data to seamlessly conduct automated scans for network vulnerabilities.
- Sensing when new assets are added to the network and perform immediate scans to keep the asset database and network topology current.
- Preserving security team bandwidth by eliminating false positives and reducing unnecessary activities by correlating results with IPS/IPD blocking capabilities.
Fight complexity with a single point of view
Most IT security systems have multiple sources of vulnerability assessment data coming from different scanning solutions, but not a coherent method to view the total network security picture. QVM helps organizations reduce this complex dance of data and makes faster and better decisions by:
- Using a familiar interface to review log events, network flows, offenses, risks, and vulnerabilities
- Collecting all available scan data within a dedicated and customizable dashboard view
- Making it easier to coordinate patching, virtual patching, and blocking activities
Going beyond compliance mandates
Industry data and system compliance mandates prod organizations to meet the security requirements of sensitive IT assets in those industries by instituting policies and programs. That is a good thing. QVM helps organizations meet their compliance mandates by:
- Conducting regular network scans, maintaining a full history and audit trail of completed scans
- Categorizing each discovered vulnerability with an appropriate severity rating and vulnerability score
- Maintaining a history of vulnerability posture on a daily, weekly, and monthly basis
- Enabling scanning of assets, both internally and externally
- Creating tickets (set severity, due dates, comments) to manage remediation activities
- Supporting an exception process with a full audit trail
But it can also make a security officer become complacent. QVM adds a significant amount of automation to the scanning and scanning-analysis to make it easier and cost-effective for the security professional to explore even larger datasets than compliance requires—and, consequently, use that analysis to make better decisions. QVM lets clients:
- Orchestrate a high volume of concurrent assessments without disturbing normal network operations while allowing multiple stakeholders to scan and rescan as needed for remediation verification
- Summarize vulnerability status by day, week, and month, enabling organizations to effectively provide long-term reports and trend graphs while providing efficient day-to-day operational views
- Capture an audit trail associated with all activities (discovery, assignments, notes, exceptions, and remediation) represented by disparate data types
A key security component for organizations is the ability to optimize vulnerability assessment, better protect sensitive information assets, and to overcome the limitations to comprehensive security caused by the trends of advanced persistent threats, the evolution of IT infrastructures, and compliance complacency. IBM Security QRadar Vulnerability Manager uses security intelligence to deliver actionable and timely insight into system and network vulnerabilities by adding scan management and scan analysis enhancements to IBM Security QRadar SIEM systems. We hope this introductory look at the QVM and QRadar SIEM's functional architecture will prompt further exploration into the topic of security vulnerability scanning and the technologies involved.
- Explore the topics and technologies in this article:
- Explore the IBM Security Framework for cutting-edge knowledge on IT security issues.