Detecting security risks with IBM Security QRadar Vulnerability Manager
Real-time InfoSec monitoring and intervention
IBM® Security QRadar® Vulnerability Manager delivers on its promise to detect real-time security risks in high-tech environments. From cybersecurity to data protection, Security QRadar Vulnerability Manager surpasses expectations, with enterprise security solutions that provide unified logging, risk management, vulnerability management, and network activity monitoring in an all-in-one solution. This article examines the use of those security risk solutions in a real-world example and highlights the meticulous features that provide the product's robustness in high-volume, big data environments.
Information security (InfoSec) is a prominent market in IT, helping to prevent unauthorized use and access to proprietary or classified information. The risks of data loss, revealing personally identifiable information, compromising trade secrets, or even destroying software programs threaten the stability of business infrastructures and profits.
The IBM QRadar Security Intelligence Platform (see Figure 1) is a solution for detecting the risks that hinder business operations daily. The products provide InfoSec intelligence by continually searching for and discovering known vulnerabilities that threaten data and information safety. Various technologies use the precept of continual search and discovery, although many of the products available don't offer vulnerability management in real time. QRadar Security Vulnerability Manager, however, does just that. Moreover, the QRadar Security framework of Security Information and Event Management (SIEM) allows QRadar Security Vulnerability Manager to scan, log, track, and detect network behavioral anomalies with finesse, using a packet-capturing and incident forensics approach. This functionality is underscored by the platform's comprehensive products:
- IBM Security QRadar Log Manager
- IBM Security QRadar Risk Manager
- Security QRadar Vulnerability Manager
- IBM Security QRadar Network Anomaly Detection
Figure 1. The IBM QRadar Security Intelligence Platform
In my real-world example, the Corrington Research Company (Corrington) produces and sells documented research findings and provides a searchable library of its products to subscribers. Because of the exponential growth of its data, the impact of regulatory changes on its products and operations, and the advancement of cybersecurity threats, finding a highly effective and efficient security intelligence solution became Corrington's number one priority. To meet its needs, the solution would have to provide visibility into the possible internal and external risks as well as a means of mitigating those risks without interrupting operations.
So, when you think about detecting security risks, you think about being privy to a bevy of dynamic security information, including situations that serve as easy targets for malicious hackers. For example, botnets are a fast-growing threat to cybersecurity. The term botnet refers to robotic takeovers of computers and networks using unauthorized access. When a malicious hacker has decrypted a login ID and password, the hacking scripts (botnets) can control a business's computer system and launch destructive programs, code, and scripts to eventually bring system operations to a halt. Therefore, Corrington's best defense against InfoSec risks is to implement a vulnerability management software solution. This solution must provide a self-defense mechanism to the entire network for the ultimate in security intelligence, the benefits of which include the ability to:
- Continually scan and detect every network device (computers, printers, routers, and so on) for every known security risk
- Auto-correct or isolate identified security risks wherever possible
- Use real-time diagnostics to track network changes
Corrington agreed to discontinue using a stand-alone server as its central point of security monitoring and implement a vulnerability management software solution. To begin the migration to such a platform, Corrington first moved to a cloud computing environment. In terms of cloud computing, risk detection is accentuated by high-performance vulnerability management in the form of the Security as a Service (SECaaS) model, which removes the common bottlenecks typically associated with continual scanning and logging across large networks. Instead of using a stand-alone computer to scan and monitor network devices in various departments, offices, and campuses, the SECaaS model performs multinetwork vulnerability scanning and risk detection from a central, cloud-based location. This means that cloud-based SECaaS can efficiently capture packets and perform thousands of packet analyses per second, capture tens of thousands of packets per second, and draw from an InfoSec platform simultaneously to accomplish comprehensive cybersecurity operations.
In selecting the vulnerability management software solution, Corrington produced an exhaustive list of must-haves that the software solution should provide. But Corrington's primary concern was scalability. Would the vulnerability management software solution be able to scale in line with the cloud-based computing capabilities?
Selecting from various vulnerability management solutions, Corrington sought out scalability, a robustness for detecting security weaknesses, and a breadth of knowledge of known security risks to arrive at Security QRadar Vulnerability Manager as its vulnerability management software solution of choice.
How does Security QRadar Vulnerability Manager do it?
First, Security QRadar Vulnerability Manager goes to the heart of risk management in an effort to adhere to quality standards. The most surprising function of vulnerability management is its scalable support for thousands of events per second. Scalability is a Security QRadar Vulnerability Manager detection and protection feature: It scans each network and software asset for each of its 70,000 cryptographs (security event definitions), which results in an enormous amount of log data results. Therefore, scalability is mission-critical. In answer to this need, the scalability of the product is twofold: scalable protection of big data using event and log sources and scalable performance of real-time forensic detection.
But when working with large amounts of data, you must also ensure near-real-time performance at a minimum. Security QRadar Vulnerability Manager provided Corrington with the assurance of near-real-time and real-time performance for accessibility to essential logged information using a single, unified database. This feature is important because using a single, unified database supports system availability and disaster recovery options. For example, one disaster recovery option that Security QRadar Vulnerability Manager offers is uninterrupted log source data collection and storage, which aids in system restoration in the event of a disaster. Security QRadar Vulnerability Manager supplies its perpetual, automated logging processes to network infrastructures as an internal security service using the SIEM framework.
By default, this framework of rules for managing sequences of security events enables the Vulnerabilities tab in support of Security QRadar Vulnerability Manager. Just as Corrington's decision makers make better decisions when they are well informed, SIEM rules work best with a series of security events. Single events can trigger false-positive indicators, but a series of events better confirms a need to increase the priority risk level. Well-informed decision makers can also prioritize positive indicators by using high, medium, low, and warning security risk levels to facilitate timely, actionable responses to vulnerabilities and risks. Security QRadar Vulnerability Manager captures security events in a summary report that collects and associates security vulnerability information with network devices and software applications.
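The idea that a series of related events carries more weight than a single one is the core of the SIEM rule approach described above. The following Python is an added example, not QRadar's rule engine and not code from the article: it counts related events from one source inside a sliding time window and escalates the priority through the warning, low, medium and high levels named in the text, so a lone failed login stays a warning while a burst of failures becomes a medium-priority offense. The rule names, thresholds, windows and log lines are all constructed for the illustration.

```python
"""Sequence-based event correlation in the spirit of SIEM rules: a single
event only earns a warning, and the priority is escalated as a series of
related events from the same source accumulates inside a time window.
Added illustration; it is not QRadar's rule engine."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

SEVERITY_ORDER = ["warning", "low", "medium", "high"]


@dataclass
class Rule:
    name: str
    event_type: str        # value of the event= field this rule watches
    window: timedelta      # sliding window in which events are counted
    tiers: list            # (minimum events in window, severity), ascending


@dataclass
class Offense:
    rule: str
    source: str
    severity: str
    count: int
    last_seen: datetime


# Hypothetical rules; the thresholds are assumptions made for the example
RULES = [
    Rule("repeated-auth-failure", "auth_failure", timedelta(seconds=60),
         [(1, "warning"), (3, "low"), (5, "medium"), (8, "high")]),
    Rule("port-scan", "port_scan", timedelta(minutes=5),
         [(1, "low"), (3, "high")]),
]

# Constructed log lines in a simple "timestamp key=value ..." form
SAMPLE_LOG = """\
2014-06-01T10:00:00 src=10.0.0.5 event=auth_failure user=alice
2014-06-01T10:00:05 src=10.0.0.7 event=auth_failure user=admin
2014-06-01T10:00:09 src=10.0.0.7 event=auth_failure user=admin
2014-06-01T10:00:12 src=10.0.0.7 event=auth_failure user=root
2014-06-01T10:00:15 src=10.0.0.7 event=auth_failure user=root
2014-06-01T10:00:20 src=10.0.0.7 event=auth_failure user=admin
2014-06-01T10:00:30 src=10.0.0.7 event=port_scan dst=10.0.0.20
2014-06-01T10:05:00 src=10.0.0.5 event=auth_failure user=alice
"""


def parse_event(line):
    """Turn one constructed log line into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


class Correlator:
    def __init__(self, rules):
        self.rules = rules
        self.windows = defaultdict(deque)   # (rule, source) -> timestamps
        self.offenses = {}                  # (rule, source) -> Offense

    def ingest(self, event):
        """Feed one event; return the offenses whose severity was escalated."""
        escalated = []
        source = event.get("src", "unknown")
        for rule in self.rules:
            if event.get("event") != rule.event_type:
                continue
            key = (rule.name, source)
            window = self.windows[key]
            window.append(event["ts"])
            # Drop events that have aged out of the rule's window
            while event["ts"] - window[0] > rule.window:
                window.popleft()
            severity = None
            for min_count, tier in rule.tiers:
                if len(window) >= min_count:
                    severity = tier
            if severity is None:
                continue
            current = self.offenses.get(key)
            if current is None or SEVERITY_ORDER.index(severity) > SEVERITY_ORDER.index(current.severity):
                current = Offense(rule.name, source, severity, len(window), event["ts"])
                self.offenses[key] = current
                escalated.append(current)
            else:
                current.count = len(window)
                current.last_seen = event["ts"]
        return escalated


def correlate(log_text, rules=RULES):
    """Run all lines through a fresh correlator; return its offense table."""
    correlator = Correlator(rules)
    for line in log_text.splitlines():
        if line.strip():
            correlator.ingest(parse_event(line))
    return correlator.offenses


def summarize(offenses):
    """Sort offenses highest severity first, as an analyst's work queue."""
    return sorted(offenses.values(),
                  key=lambda o: (-SEVERITY_ORDER.index(o.severity), o.source, o.rule))


if __name__ == "__main__":
    for o in summarize(correlate(SAMPLE_LOG)):
        print(f"{o.severity:8} {o.rule:22} {o.source:10} x{o.count} last={o.last_seen}")
```

Note how the second failure from 10.0.0.5 arrives five minutes after the first: it falls outside the 60-second window, so the count resets to one and the offense stays at warning rather than climbing, which is exactly the false-positive damping the passage describes.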
Moreover, SIEM integration facilitates faster installations of Security QRadar Vulnerability Manager. For example, the SIEM's structured approach and related QRadar Security Intelligence Platform products facilitate post-installation configuration.
Next, the captured report on security events is filtered to produce an actionable list of suspected incidents. This shared list of actionable, suspected incidents means that automations and human interactions can occur simultaneously to defend and protect the infrastructure using near-real-time visibility. Of note, Security QRadar Vulnerability Manager can fix most security events it encounters; other security events will require human interaction. This strong, technical support functionality benefits the Corrington human interaction staff as well as the organization's network infrastructure. In addition, Security QRadar Vulnerability Manager reports on its tasks of fixing known security events, adding business value because it produces a compound benefit of generating detailed reports for managing compliance as well as self-diagnostic repairs.
A vulnerability management solution that also generates highly informative compliance reports is worth its weight in gold to companies that have stringent IT auditing mandates. Moreover, the product's detailed reporting features can address an expansive list of regulations by assessing the effective and efficient use of a business's IT governance processes for managing compliance. Enforcing the necessary levels of compliance relies on accurate data access reports. Security QRadar Vulnerability Manager satisfies regulatory audit reporting requirements and allows businesses to customize their data-collection settings to capture and publish network connectivity data. Data access report formatting is a breeze with Security QRadar Vulnerability Manager, with capabilities for normalizing data as well as applying rules for report formats and output locations.
What Corrington gains from Security QRadar Vulnerability Manager is the capability to detect, identify, fix, and report security vulnerabilities, lifting the InfoSec issue to a new, comfortable level of operations. The success of Security QRadar Vulnerability Manager in managing vulnerabilities can be reflected in its deliverables to security teams, from finite reports to features and functionalities. The seven key Security QRadar Vulnerability Manager deliverables used often are:
- User Activity Report (UAR). UARs support effective threat management. What makes Security QRadar Vulnerability Manager effective at managing security threats is its use of vulnerability scanners to examine and scrutinize security breaches. For unknown vulnerabilities, automated fuzzy logic assays bridge the gap to find potential and hidden vulnerabilities. Cryptographic libraries cover known vulnerabilities. Examples include the anomalies of exploiting buffer overruns and zero-day Internet browser flaws such as the OpenSSL Heartbleed attack.
- Network anomaly detection. Network anomaly detection refers to the identification of nonconforming security events based on known sequences and patterns of secure computer system operations. In other words, Security QRadar Vulnerability Manager maintains a keen focus on expected security events while monitoring the network for any deviations from those expectations.
- Automated dashboards and reports. The means by which Security QRadar Vulnerability Manager is able to accomplish its keen detection of security risks in real time are rooted in its dynamic automation reporting and informative displays. Security QRadar Vulnerability Manager offers an extensive dashboard and reporting utility, with comprehensive compliance management; data-to-source traceability; and the filtering, configuring, and aggregating of SIEM reporting rules.
- Automated asset profiling. An Information Asset Profile (IAP) assists Security QRadar Vulnerability Manager in distinguishing among assets. Consequently, individual security levels can be applied to different asset types to better ensure cybersecurity. IAPs drive threat and risk assessments (TRAs), offering a level of detail that includes metadata and applicable policies. IAPs also allow data and information owners to classify their intellectual assets.
- Workflow management. Security QRadar Vulnerability Manager includes its own workflow management utility that delegates tasks to designated security team members. Using resource-allocation techniques, detected security risks become work assignments. Workflow management then tracks the work assignments and generates compliance reports based on parameters the security team sets.
- Tracking threats. The challenges are many when ensuring multiplatform network security. New technologies appear in commercial markets every day, posing new vulnerability management challenges. In fact, recognizing security threats is only half the battle. Finding and prescribing solutions to security threats is the other half.
- Supporting resolution. The ability to pinpoint the origin of likely and possible security vulnerabilities goes to the heart of Security QRadar Vulnerability Manager functionality. The product can detect and resolve risks in both virtual and physical environments.
How do Security QRadar products support Security QRadar Vulnerability Manager?
In support of Corrington's InfoSec capabilities for tracking and monitoring security events, the Security QRadar products use the Security QRadar Vulnerability Manager life cycle. With this life cycle, shown in Figure 2, real-time vulnerability scanning becomes accurate and easy to use, producing predictable outcomes.
Three Security QRadar core products drive the bulk of the platform's functionality: Security QRadar Log Manager, Risk Manager, and Vulnerability Manager. Security QRadar Log Manager is a powerhouse component that collects, analyzes, and archives large volumes of security-related event log data to create a searchable data source. The Security QRadar Vulnerability Manager life cycle uses this log data for reporting, auditing, and analysis. By capturing and processing large volumes of event data, Security QRadar Log Manager supports Security QRadar Vulnerability Manager with an easy-to-deploy template that scales with the use of Security QRadar processor appliances.
Security QRadar Log Manager also provides near-real-time visibility to reveal potential threats. Security teams require a comprehensive view of the devices, networks, and applications they monitor and protect. Moreover, Security QRadar Log Manager can easily be configured to support regulatory compliance by identifying what are referred to as noncompliant regulator events. Security QRadar Log Manager can scan for any event that qualifies as noncompliant to such regulations as:
- Federal Information Security Management Act
- Health Insurance Portability and Accountability Act
- Sarbanes-Oxley Act
- Payment Card Industry Data Security Standard
Figure 2. The Security QRadar Vulnerability Manager life cycle
Because organizations can update the Security QRadar Vulnerability Manager library of known vulnerabilities to include custom policies, Corrington will be able to extend the list of regulations far beyond the above-listed laws and standards. In fact, Security QRadar Vulnerability Manager gets its strength from the continuous compliance monitoring that the Security QRadar Log Manager performs, including capabilities for monitoring, scanning, and detecting InfoSec vulnerabilities based on a dynamic list of known risks.
Automated or manual updates of the Security QRadar Vulnerability Manager Library are easily absorbed into the Security QRadar Log Manager continual monitoring routine. Security QRadar Vulnerability Manager reports automatically reflect any changes made to the library. Because every event that occurs on the computer or network device is recorded to a log, multifaceted compliance-reporting capabilities capture essentially every Security QRadar Log Manager action. A valuable use for this logged information is automated security TRAs. The TRA is the first step in any risk-management methodology, used to determine the extent of the potential threat and the risk associated with a company's information assets. Security TRAs drive the dynamic alerts and notifications that enable security teams to preempt security attacks, data breaches, and other unauthorized system access.
The Security QRadar Vulnerability Manager Correlation Engine performs this logging. The Correlation Engine works in real time and can log up to 20,000 alerts and notifications per second. Logged information is examined for risks, regulatory compliance, and any instance of unknown security events. I like its machine learning aspect of real-time security risk detection: After an unknown event has been identified, Security QRadar Vulnerability Manager can capture the situation for inclusion in its library of known risks, initializing the continual scanning of the event from that point forward.
Yes, Security QRadar Log Manager does work, but only when you use it. Business-critical networks require constant monitoring. To support auditing, policy, and regulatory requirements, Corrington will require that InfoSec defense automations are present to ensure the implementation of auditing, policy, and regulatory industry best practices.
Next, SIEM-integrated Security QRadar Risk Manager monitors, discovers, and prioritizes client-server security vulnerabilities prior to sending alerts and notifications to the security team. Corrington's security team can mitigate, avoid, avert, or accept InfoSec risks by using a six-ply risk management approach. Security QRadar Risk Manager divides risk management into six areas: (1) firewall configuration analyses, (2) connectivity visualization, (3) policy compliance monitoring, (4) network traffic monitoring, (5) network topology monitoring, and (6) malware risk monitoring.
In contrast, Security QRadar Vulnerability Manager epitomizes the idiom, "an ounce of prevention is worth a pound of cure," by proving that even a minimal amount of precaution can avert a crisis and reduce costs. Security QRadar Vulnerability Manager cuts to the chase by determining the potential severity level of a vulnerability. The severity or threat level of a vulnerability then triggers an automated investigation into the security event to thwart would-be security attacks.
Security QRadar Vulnerability Manager uses a five-ply approach to display the severity or threat level of a vulnerability: (1) a consolidated vulnerability view, (2) a custom context to identify key vulnerabilities, (3) discovery and highlighting of more than 70,000 known dangerous vulnerabilities, (4) custom scheduling and event-driven scanning, and (5) asset discovery and profiling for 360-degree network visibility. A quick look at each of these approaches provides insight into the tool's inner workings (Table 1).
| Corrington's must-have | Corresponding Security QRadar Vulnerability Manager feature |
|---|---|
| Dashboard-style visibility into network events, vulnerabilities found, and scanning data | The consolidated vulnerability view assembles results from multiple vulnerability scans into a single view for tracking purposes and to better manage the vulnerabilities found. |
| A vulnerability analysis feature | The custom context to identify key vulnerabilities enables the analysis of vulnerabilities. This approach strongly supports the categories, normalization, categorization, and aggregation that Security QRadar Vulnerability Manager uses for vulnerability identification. |
| Significant knowledge of known vulnerabilities | Discovery and highlighting of more than 70,000 known dangerous vulnerabilities takes logical, abstract thoughts and forms patterns of recognition to identify known security attack scenarios and "learn" the unknown security attack scenarios. |
| Automated scheduling with event-driven events | Custom scheduling and event-driven scanning finds high-risk vulnerabilities and follows a high-priority procedure when higher severity or threat levels are reached. |
| Network discovery, with a system for indicating severities of security threats | Asset discovery and profiling for 360-degree network visibility scans the system for high-risk vulnerabilities and follows a high-priority procedure when higher severity or threat levels are reached. |
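The first and last rows of the table (a consolidated view built from several scans, and asset profiling that feeds the severity ranking) can be made concrete with a small merge-and-rank step. The following Python is an added example, not QRadar's implementation and not code from the article: findings from an embedded and an external scanner are merged into one record per (asset, vulnerability), the highest reported severity wins, every scanner that saw the finding is kept for traceability, and the merged entries are ranked by severity weighted with a criticality value taken from a stand-in asset profile. The IP addresses, vulnerability identifiers, owner names, criticality values and the severity-times-criticality formula are all constructed assumptions for the illustration.

```python
"""Consolidated vulnerability view with asset-profile-driven ranking.
Added illustration, not QRadar's implementation: findings from several
scans are merged into one record per (asset, vulnerability) and ranked by
severity weighted with the criticality from a small asset profile."""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed stand-in for Information Asset Profile metadata
ASSET_PROFILE = {
    "10.0.0.20": {"owner": "research-library-db", "criticality": 5},
    "10.0.0.31": {"owner": "print-server", "criticality": 1},
    "10.0.0.45": {"owner": "subscriber-web-portal", "criticality": 4},
}
DEFAULT_CRITICALITY = 3   # assumption for assets that have no profile yet

# Constructed results from two scanners; the vulnerability ids are placeholders
SCAN_RESULTS = [
    {"scanner": "embedded", "asset": "10.0.0.20", "vuln": "VULN-EXAMPLE-001", "severity": "high", "port": 3306},
    {"scanner": "external", "asset": "10.0.0.20", "vuln": "VULN-EXAMPLE-001", "severity": "critical", "port": 3306},
    {"scanner": "embedded", "asset": "10.0.0.31", "vuln": "VULN-EXAMPLE-002", "severity": "high", "port": 9100},
    {"scanner": "external", "asset": "10.0.0.45", "vuln": "VULN-EXAMPLE-003", "severity": "medium", "port": 443},
    {"scanner": "embedded", "asset": "10.0.0.45", "vuln": "VULN-EXAMPLE-003", "severity": "medium", "port": 443},
    {"scanner": "embedded", "asset": "10.0.0.45", "vuln": "VULN-EXAMPLE-004", "severity": "low", "port": 22},
    {"scanner": "external", "asset": "10.0.0.60", "vuln": "VULN-EXAMPLE-005", "severity": "medium", "port": 8080},
]


def consolidate(results):
    """Merge raw findings into one entry per (asset, vulnerability).
    The highest severity any scanner reported wins, and every scanner
    and port that saw the finding is kept for data-to-source traceability."""
    view = {}
    for finding in results:
        key = (finding["asset"], finding["vuln"])
        entry = view.setdefault(key, {
            "asset": finding["asset"], "vuln": finding["vuln"],
            "severity": finding["severity"], "seen_by": set(), "ports": set()})
        if SEVERITY_RANK[finding["severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = finding["severity"]
        entry["seen_by"].add(finding["scanner"])
        entry["ports"].add(finding["port"])
    return view


def risk_score(entry, profiles):
    """Severity rank times asset criticality (an assumed, deliberately simple formula)."""
    criticality = profiles.get(entry["asset"], {}).get("criticality", DEFAULT_CRITICALITY)
    return SEVERITY_RANK[entry["severity"]] * criticality


def prioritize(view, profiles):
    """Return entries highest risk first; ties are broken by asset, then vulnerability."""
    return sorted(view.values(),
                  key=lambda e: (-risk_score(e, profiles), e["asset"], e["vuln"]))


def unprofiled_assets(view, profiles):
    """Assets seen by a scan but missing from the profile: a gap the asset
    discovery step should close before the ranking is trusted."""
    return sorted({e["asset"] for e in view.values()} - set(profiles))


if __name__ == "__main__":
    view = consolidate(SCAN_RESULTS)
    for e in prioritize(view, ASSET_PROFILE):
        print(f"{risk_score(e, ASSET_PROFILE):3} {e['severity']:8} {e['asset']:10} {e['vuln']} "
              f"seen_by={sorted(e['seen_by'])} ports={sorted(e['ports'])}")
    print("unprofiled:", unprofiled_assets(view, ASSET_PROFILE))
```

The ordering shows why the profile matters: the high-severity finding on the low-criticality print server lands at the bottom of the queue, below a medium finding on the subscriber portal, and the unprofiled asset is surfaced separately so its assumed criticality is not mistaken for an assessed one.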
The various QRadar Security components work together to provide real-time security risk detection. Vulnerability management is a system-wide effort requiring the participation of the entire network. Although the core software components work together under one SIEM framework, other components, such as the QRadar Security appliances, console, and scanner, also serve important roles in detecting real-time security risks.
Most vulnerability management software solutions use a log correlation device. For QRadar Security, that device is referred to as an appliance—a single, all-in-one hardware device that provides 2 or 6 terabytes of dedicated log storage. This explains how the solution accommodates the needs of Corrington's accumulated log data resulting from continual vulnerability scans. In fact, host processor appliances support upwards of 750 event sources, and they can process 25,000 to 50,000 flows of packets per minute and a thousand events per second. The appliance is specifically used to perform real-time log correlation at a speed of up to 20,000 messages per second. Now, that's high performance. Interestingly, when deploying QRadar Security appliances, the vulnerability implementation can have only one processor appliance, and it can only be deployed to a QRadar Security console or managed host processor appliance. A QFlow is a QRadar Security-proprietary mechanism for controlling packet flows. QFlows perform deep network traffic packet inspections to analyze and identify associated standard and nonstandard vulnerabilities.
The QRadar Security console is a simple and easy-to-install Web-based portal for accessing and viewing SIEM-integrated activity events. The console provides real-time views of network activities and can be configured to scan external assets and even use various types of network scanners.
Conventional scanners were hardware based and portable for use in diagnosing instances of network traffic congestion. Eventually, a software version of the network scanner was developed. Vulnerability management software solutions have benefited from this innovation, offering a standard, built-in scanner. The scanner embedded in Security QRadar Vulnerability Manager serves as a primary source of data collection; organizations can add external scanners to Security QRadar Vulnerability Manager to produce additional data sources. Because the data that scanners generate can be searched, the business gains value. Security teams can search and find inventory, assets, devices, components, and root causes of security fault events for continuous business process improvement. Security QRadar Vulnerability Manager takes the various data sources into account to make the vulnerability management process even more meaningful.
A stimulating new approach to security, the QRadar Security framework rises to the occasion to provide the expertise, intelligence, and integration Corrington required to detect, set priorities for, and mitigate security breaches. A risk-based approach is required to prioritize assets and mitigate areas of highest risks, and the company needed consolidated view reporting to comprehensively manage the wide-ranging security aspects of enterprise infrastructures. Security QRadar Vulnerability Manager takes the lead, ensuring enterprise network security by using thousands of cryptographic vulnerability events and corrective security measures.
- Looking to break into the InfoSec world? Then check out the INFOSEC Institute's The Ramp with 5 Levels: Top 50 Information Security Interview Questions.
- Before embarking on an InfoSec project for your organization, be sure to read Key Elements of an Information Security Policy.
- Learn about the potential security problems surrounding cloud-based file-sharing websites.
- Thinking about incorporating QRadar Security into your security infrastructure? Read Horizontal solution or point solution for IT vulnerability management?
- Check out the family of QRadar Security Intelligence Platform products.
- Visit the Security on developerWorks community to find more how-to guides, articles, videos, and demos in our community resource library.
- Visit the Security on developerWorks blog to learn about new security-related how-to guides, articles, and demo videos.
- Sign up for the weekly Security on developerWorks newsletter for the latest security headlines.
- Follow @dwsecurity to get updates from the developerWorks security zone in real time.