Build security intelligence for cloud and virtualized environments with QRadar
Create proactive threat protection and detection of anomalies by using the IBM Security QRadar Intelligence Platform
Gaining better visibility into clouds with security intelligence
Organizations today are exposed to a greater volume and wider variety of attacks than in the past. These attacks are becoming increasingly more coordinated and targeted at critical organizational assets, including customer databases, intellectual property, and even physical assets that are driven by information systems. As organizations move their workloads to platforms such as cloud and virtual data centers, their need to track activities increases, for audit purposes and to effectively counter threats to the organizations’ virtualized infrastructure.
Security administrators typically worry about all the “W’s” of audit and compliance inside their cloud and virtual environments, such as, what event happened, when did it happen, where did it happen. For example, a security administrator might be interested in checking all failed and successful authentications across the environment, or he might want to know if there is a rapid rate of a specific event (such as the creation or deletion of virtual machines).
More specifically, in cloud, organizations are looking for better means to:
- Protect and track user activities on the virtual infrastructure
- Meet audit and compliance needs for virtual infrastructure
- Provide better visibility into what’s happening in the virtual infrastructure
- Obtain operational intelligence for the virtual infrastructure
Providing this kind of intelligence requires pulling together and analyzing data from various sources across the cloud.
Figure 1. Security intelligence involves collecting and analyzing events across various sources.
Security intelligence is the comprehensive, automated, and proactive way to identify, track, and address persistent threats by collecting, normalizing, and analyzing logs across this variety of sources in real time. For monitoring the cloud activities, the platform also needs to collect events from the hypervisors and cloud management platforms apart from the traditional data center infrastructure, databases, applications, and devices.
The IBM Security QRadar Security Intelligence Platform is an integrated family of products that collects and analyzes data from these various sources. IBM Security QRadar, with the newly available Device Specific Modules (DSMs), can also collect logs and events from the virtual infrastructure such as the VMware components. This article reviews these new capabilities in detail and demonstrates how you can track user activities, detect offenses, and stay ahead of the threats through real-time notifications on the dashboard. You can easily manage the security risks for your cloud with the ready-to-use audit and compliance reporting for all layers — including the virtual machines, hypervisors, and cloud management systems.
The following section highlights the IBM Security QRadar features and capabilities that provide security intelligence for a VMware-based virtualized environment.
Security Intelligence for VMware cloud and virtualized environments
A VMware vCloud environment consists of multiple components. The following table describes some of the critical components that you need to monitor to gain visibility into the cloud environment. For a comprehensive list of components and detailed vCloud architecture, see the VMware vCloud Architecture Toolkit. (See Related topics.)
Table 1. VMware vCloud components
|VMware vCloud Director||Layer of software
that abstracts virtual resources and shows vCloud components
to consumers. It includes: |
|VMware vSphere||Virtualization platform
that provides abstraction of physical infrastructure layer for
vCloud. It includes:|
As depicted in Figure 2, IBM Security QRadar collects task and event logs from the above-mentioned VMware components (primarily ESX/ESXi, vCenter, and vCloud) and classifies them under several categories. For example, the default event categories for vCloud Director include:
- User events
- Group events
- User role events
- Session events
- Organization events
- Network events
- Catalog events
- Virtual data center (VDC) events
QRadar performs intelligent correlation on the collected logs to detect any anomalies or incidents and alerts the security manager, enabling him to take appropriate action. The security manager might also use several customizable GUI features (such as dashboard, reports, and offense rules) to visually analyze logs that are collected over a period of days (for example, the past seven days) and prioritize his actions according to the severity of the offenses. All of the logs are presented from a centralized QRadar console, which makes managing and monitoring the cloud environment easier.
Figure 2. IBM Security Intelligence solutions for VMware vCloud
The following section highlights the IBM Security QRadar features and capabilities that provide security intelligence for a VMware-based virtualized environment.
Installing Device Support Modules (DSMs)
DSMs parse event information for QRadar to log and correlate events that are received from external sources such as security equipment (for example, firewalls) and network equipment (for example, switches and routers). You can download and install the VMware DSMs from IBM Support: Fix Central. See Related topics.
On the IBM Support: Fix Central page, select the product group Security Systems, and select Security QRadar SIEM for your installed version. All available DSMs and fixes for your installed version are displayed. You also need to download and install the respective protocol configurations for the DSMs, which are also available at IBM Support: Fix Central.
For example, the vCloud DSM for QRadar 7.2 would be 7.2.0-QRADAR-DSM-VMwarevCloud-7.2-606240.noarch.rpm, and the protocol configuration for the DSM would be 7.2.0-QRADAR-PROTOCOL-VMwarevCloud-7.2-606255.noarch.rpm.
Configuring the DSMs
You need to configure the DSMs for the following components:
- ESX / ESXi servers
- VMware vCenter
- VMware vCloud
The EMC VMware DSM for IBM Security QRadar can collect events by using the VMware or the syslog protocol. The VMware vCenter DSM for IBM Security QRadar collects vCenter server events by using the VMware protocol. The VMware protocol uses HTTPS to poll vCenter appliances for events. You need to configure a log source in QRadar to collect VMware vCenter events. Before you configure the log source, first create a unique user to poll for events. This user can be a member of the root or administrative group, but you must provide the user with an assigned role of read-only permission. The read-only permission ensures that QRadar can collect the maximum number of events and retain a level of security for your virtual servers. More information on user roles can be found in the VMware documentation. (See Related topics.)
QRadar supports polling for VMware vCloud Director events from vCloud Director 5.1 appliances, again by using the VMware protocol. QRadar collects security data from the vCloud API by polling the REST API of the vCloud appliance for events. Events that are collected by using the vCloud REST API are assembled as Log Extended Event Format (LEEF) events. Retrieving the VMware vCloud Director events and converting them to LEEF format is done by the QRadar DSM.
To integrate vCloud events with QRadar, you must complete the following tasks:
- On your vCloud appliance, configure a public address for the vCloud REST API.
- On your QRadar appliance, configure a log source to poll for vCloud events.
- Ensure that no firewall rules block communication between your vCloud appliance and the QRadar Console
Refer to the IBM Security QRadar DSM Configuration Guide for more details. See Related topics.
Adding the log sources
After the required DSMs and respective protocols are installed, configure the associated log sources.
Figure 3. Adding the log source
To add a log source:
- Click log sources in the IBM Security QRadar Admin tab to open a pop-up window.
- In the pop-up window, click Add.
- Select the log source type: EMC VMware for vCenter or VMware vCloud for vCloud.
- Select the appropriate protocol configuration.
The result of these steps resemble the screen capture that is displayed in Figure 3. You can use the EMC VMware log source type to connect with ESX Server or vCenter after you specify the respective IP address, user name, and password. Similarly, specify the IP address, user name, and password for vCloud Director to configure a vCloud log source.
Content package for VMware vCloud monitoring
The content package provides default content that comprises the Virtual Cloud Infrastructure dashboard, rules for notification and offense generation, and reports specific to VMware Virtual Cloud Infrastructure. The content can be customized to suit specific requirements of the user's virtual environment. The following sections give a walkthrough of sample content that you might develop on top of available default content. (Some of this content is part of the default content available through the package.) The content package is available as a patch with MR1 (Maintenance Release 1) for QRadar version 7.2. Existing QRadar customers at version 7.2 or below need to upgrade to 7.2 MR1 to get the content package updates.
Custom dashboard (Virtual Infrastructure Dashboard)
IBM Security QRadar provides a summary view to the security and compliance officer through a dashboard. The dashboard provides information on application overview, compliance overview, and system monitoring, plus threat and security monitoring. IBM Security QRadar also allows users to create custom dashboards. For ease of use, the cloud security administrator can create a custom dashboard for virtual infrastructure to monitor and track network and log activity that is related to his cloud infrastructure.
A sample dashboard
Figure 4 depicts the sample Virtual Cloud Infrastructure dashboard. The content and items in the dashboard can be defined based on requirements and can include many items that are of interest to the cloud security administrator. For example, this custom dashboard includes:
- Top VMware Virtual Infrastructure Authentication Events by Event Name. This item lists all authentication events from vCenter and vCloud environments, which are categorized by Number of Events in Y-axis versus List of Events in X-axis.
- Top VMware Virtual Infrastructure Authentication Failures by User Name. This item lists all authentication failures from vCenter and vCloud environments, which are categorized by Number of Events in Y-axis versus List of User Name in X-axis.
- System Notifications. This item reports on generic
system events and events specific to VMware vCloud and vCenter
environments. The VMware-specific notifications might include:
- vApp activities (such as create, delete, deploy, modify)
- vCenter destroy activities (such as datastore create, destroy)
- VM activities (create, delete, snapshot, failure messages, migrations)
- vCloud activities (such as Virtual DataCenter create or delete)
- vCenter Activities categorized by Event Name. This item lists events and task activities from VMware vCenter.
- vCloud Activities categorized by Event Name. This item lists events and task activities from VMware vCloud.
- Most Severe Offenses. This item lists high-magnitude
offenses that are detected by the QRadar system. This list also
includes offenses specific to VMware Virtual environments, such as:
- Violation of snapshot limit
- Detecting at least five destroy events within a half hour
- Detecting at least five VM create events within a half hour
- Detecting at least five VM delete events within a half hour
- Detecting at least five VM clone events within a half hour
- Most Recent Reports. As the name suggests, this item includes the most recent set of reports for the entire system, including reports specific to VMware Virtual environments.
Figure 4. Virtual infrastructure dashboard
Custom rules and offenses
Users can create a reference set (a set of elements) of the cloud resources and can create rules by using the rule wizard to detect any abnormal activity that is associated with the reference set or the cloud resources. These rules are used to alert an administrator to an offense whenever anomalies occur in the activities that happen inside his virtual or cloud environment. For example, suppose more than five snapshot create events that are initiated within a timespan of a minute and that this timespan is unusual in the environment. In such a situation, QRadar raises an offense so that the administrator can be alerted and take the appropriate steps to deal with the incident. Similar rules generate offenses for 5h3 rapid rate of VM or vApp creation, deletion, cloning, and other actions.
Figure 5. Offenses for Virtual Infrastructure
The rules are customizable. The administrator can set the limit for time span and number of events after which QRadar must trigger an offense.
The default reports pertaining to VMware Virtual environments are available under the Virtual Infrastructure folder and are categorized into two subcategories: Virtual Infrastructure (VI) Payment Cards Industry (PCI) and VI User Authentication reports.
The VI PCI subfolder generates PCI reports pertaining to the virtual infrastructure. These reports can be applied to environments that are subjected to PCI Compliance. Several reports cover PCI 8.1, which captures user identities within VI and PCI 10. Figure 6 shows a sample weekly report that is generated for the PCI 8.1 requirement for tracking and collecting all events that are related to unique IDs in the cloud.
Figure 6. Sample report for PCI 8.1 — Track and collect all events that are related to unique IDs in a VMware Virtual environment
The VI User Authentication subfolder contains reports that are related to user authentication within vCenter and vCloud environments. Each report is an aggregation of authentication failures and success events, which is generated on a daily, weekly, and monthly basis. Figure 7 shows a sample daily report that is generated for vCenter Authentication events (for the last 24 hours), categorized by user name.
Figure 7. Sample vCenter user authentication activity report
In this article, we discussed new IBM Security QRadar features available for VMware Cloud environments and focused on how to extend the default content package to build security intelligence for your cloud environment. We detailed of the steps to implement the solution for a VMware-based environment. Following a similar approach with IBM Security QRadar, you can easily build security intelligence for your other private and public cloud environments. With increased visibility and insight into virtual environments through the security intelligence solution, we hope to see more customers who gain confidence to move their workloads to cloud.
VMware, VMware vCloud, and VMworld are registered trademarks and or trademarks of VMware, Inc., in the United States and other jurisdictions. The use of the word “partner” or “partnership” does not imply a legal partnership relationship with VMware or any other company. All trademarks mentioned in this release are the property of their respective owners.
Our thanks to Nataraj Nagaratnam (IBM Distinguished Engineer and CTO, IBM Security Solutions) for encouraging and guiding us in writing this article. We would also like to thank our IBM colleagues Derek (D.T.) Lohnes, Corey Ferguson, Rory Bray, Colin Hay, and Peter Clark from the IBM QRadar Development and Integration Services team for all their support and guidance with the IBM QRadar DSMs and the content integration.
- The vCloud Architecture Toolkit helps you create a working cloud solution.
- Visit IBM Support: Fix Central to download the VMware DSMs.
- Consult the VMware documentation at the VMware website.
- Find more information on integrating vCloud events with IBM Security QRadar in the IBM Security QRadar DSM Configuration Guide.
- Follow Sreekanth Iyer's developerWorks blog "Point of Views" to keep abreast of the latest in cloud computing.
- Visit the Security on developerWorks blog to learn about new security-related how-to guides, articles, and demo videos.
- Sign up for the weekly Security on developerWorks newsletter for the latest security headlines.
- Follow @dwsecurity to get updates from the developerWorks security zone in real time.