QRadar Risk Manager feature overview
Use IBM QRadar Risk Manager features to manage risk in your network, monitor device configurations, view topologies, simulate changes to your network environment, and prioritize risks and vulnerabilities in your network.
Connections
Use the Connections feature to monitor the network connections of your local hosts. The connection graph provides a visual representation of the connections in your network. Use the time-series charts to access, navigate, and investigate connections from various views and perspectives. Run queries and reports on the network connections of your local hosts, based on the applications, ports, protocols, and websites that the local hosts can communicate with.
Configuration Monitor
Use Configuration Monitor to review and compare device configurations, manage security policies, and monitor device modifications within your network. Monitored devices can include the switches, routers, firewalls, and IPS devices in your network. For each device, you can view the configuration history, interfaces, and rules. You can also compare configurations within a device and across devices to identify inconsistencies and configuration changes that introduce risk in your network.
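The comparison step above, as an added illustration rather than QRadar Risk Manager code: two constructed ASA-style ACL snapshots of one firewall are diffed line by line, and each added or removed rule is classified by how it changes what the device allows. The snapshot text, the severity levels and the regular-expression heuristics are assumptions made for this example; the same function compares two peer devices that are expected to carry identical rule sets.

```python
"""Compare two device configuration snapshots and flag changes that widen
access.  Added illustration, not QRadar Risk Manager code: the ASA-style ACL
snapshots are constructed and the risk heuristics are assumptions."""
import difflib
import re

# Added "permit" that allows any source to reach any destination.
ANY_TO_ANY = re.compile(r"\bpermit\s+\S+\s+any\s+any\b")
# Added "permit" that exposes an administrative port to any source.
ADMIN_FROM_ANY = re.compile(r"\bpermit\s+\S+\s+any\b.*\beq\s+(22|23|3389|445)\b")
DENY = re.compile(r"\bdeny\b")
PERMIT = re.compile(r"\bpermit\b")


def classify(change, line):
    """Map one added ('+') or removed ('-') line to (severity, reason), or
    None when the change does not affect what the device allows."""
    if change == "+":
        if ANY_TO_ANY.search(line):
            return "HIGH", "new permit any-to-any rule"
        if ADMIN_FROM_ANY.search(line):
            return "HIGH", "administrative port reachable from any source"
        if PERMIT.search(line):
            return "MEDIUM", "new permit rule, review scope"
        if DENY.search(line):
            return "INFO", "new deny rule"
    else:
        if DENY.search(line):
            return "HIGH", "deny rule removed"
        if PERMIT.search(line):
            return "INFO", "permit rule removed"
    return None


def compare_configs(old, new):
    """Line diff of two snapshots (history of one device, or two peers that
    should match).  Returns [(severity, reason, line)] for every change that
    alters access; unchanged lines and ndiff's '?' hint lines are skipped."""
    findings = []
    for entry in difflib.ndiff(old.splitlines(), new.splitlines()):
        change, line = entry[0], entry[2:]
        if change not in ("+", "-"):
            continue
        result = classify(change, line)
        if result:
            findings.append((result[0], result[1], line))
    return findings


# Constructed snapshots of one firewall's ACLs before and after a change window.
OLD_CONFIG = """\
access-list OUTSIDE_IN extended permit tcp any host 10.10.0.8 eq 443
access-list OUTSIDE_IN extended deny ip any any
access-list DMZ_IN extended permit tcp 10.10.0.0 255.255.255.0 host 10.30.0.5 eq 5432
access-list DMZ_IN extended deny ip any any
"""

NEW_CONFIG = """\
access-list OUTSIDE_IN extended permit tcp any host 10.10.0.8 eq 443
access-list OUTSIDE_IN extended permit tcp any host 10.10.0.8 eq 22
access-list OUTSIDE_IN extended deny ip any any
access-list DMZ_IN extended permit ip any any
access-list DMZ_IN extended deny ip any any
"""

if __name__ == "__main__":
    for severity, reason, line in compare_configs(OLD_CONFIG, NEW_CONFIG):
        print(f"{severity:6} {reason}: {line}")
```

On the constructed snapshots the comparison reports two HIGH findings (SSH opened from any source, and the DMZ rule widened to permit any-to-any) and one INFO entry for the narrow database rule that was removed; the explicit deny lines are unchanged and produce nothing.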
Topology
The topology is a graphical representation of the physical infrastructure and layer 3 connectivity of your network. It is drawn from the configuration information that Configuration Monitor imports from the devices in your network.
The graph is created from detailed configuration information that is obtained from network devices, such as firewalls, routers, switches, and intrusion prevention systems (IPS).
Use the interactive graph in the topology to view connections between devices. A topology path search can determine how your network devices are communicating and the network path that they use to communicate. QRadar Risk Manager displays the path between a source and destination, along with the ports, protocols, and rules.
Policy Monitor
Use the policy monitor to define specific questions about risk in your network and then submit the question to QRadar Risk Manager. QRadar Risk Manager evaluates the parameters that you define in your question and returns assets in your network to help you assess risk. The questions are based on a series of tests that can be combined and configured as required. QRadar Risk Manager provides many predefined policy monitor questions, and you can create your own custom questions. Policy monitor questions can be created for the following situations:
- Communications that occur
- Possible communications based on the configuration of firewalls and routers
- Actual firewall rules (device tests)
The policy monitor uses configuration data, network activity data, network and security events, and vulnerability scan data to determine the appropriate response. QRadar Risk Manager provides policy templates to help you determine risk across multiple regulatory mandates and information security best practices, such as PCI, HIPAA, and ISO 27001. You can update the templates to align with your corporate information security policies. When the response is complete, you can accept the response to the question and define how you want the system to respond to unaccepted results.
You can actively monitor an unlimited number of questions in policy monitor. When a question is monitored, QRadar Risk Manager continuously evaluates the question for unapproved results. When unapproved results are discovered, you can configure QRadar Risk Manager to send email notifications, display notifications, generate a syslog event, or create an offense in QRadar SIEM.
Policy Management
You use the QRadar Risk Manager policy management pages to view details about policy compliance and policy risk changes for assets, policies, and policy checks.
QRadar Risk Manager displays data from the most recent policy run. You can filter the data by asset, by policy, or by policy check.
Simulation
Use simulations to create a simulated attack on your topology based on a series of parameters that are configured in a similar manner to the policy monitor. You can create a simulated attack on your current network topology, or create a topology model.
Simulate an attack by using a topology model where you can make network changes without impacting a live network.
You can simulate how changes to network rules, ports, protocols, or allowed or denied connections can affect your network. Use a simulation to determine the risk impact of proposed changes to your network configuration before you implement these changes.
You can review the results when a simulation is complete.
QRadar Risk Manager allows up to 10 simulations to be actively monitored. When a simulation is monitored, QRadar Risk Manager continuously analyzes the topology for unapproved results. As unapproved results are discovered, QRadar Risk Manager can send email, display notifications, generate a syslog event, or create an offense in QRadar SIEM.
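The topology path search and the what-if simulation described above, in a simplified Python model added here as an illustration (not QRadar Risk Manager code). Devices are adjacent when they share a layer 3 network, filtering devices evaluate first-match rules with an implicit deny, and a proposed change is applied to a copy of the topology so the live model is untouched. The same search answers the policy monitor question of possible communications based on firewall and router configuration. The device names, addresses, rules, and helper functions are all constructed for the example.

```python
"""Topology path search and what-if simulation over a small layer 3 model.
Added illustration, not QRadar Risk Manager code: the topology, rule syntax
and helper functions are assumptions constructed for this example."""
from collections import deque
from copy import deepcopy
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    proto: str = "any"          # "tcp", "udp" or "any"
    port: Optional[int] = None  # destination port; None matches any port

    def matches(self, flow):
        src, dst, proto, port = flow
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.port in (None, port))


@dataclass
class Device:
    name: str
    networks: list                               # attached layer 3 networks (CIDRs)
    rules: list = field(default_factory=list)    # empty: plain router, no filtering

    def attached(self, ip):
        return any(ip_address(ip) in ip_network(n) for n in self.networks)

    def decision(self, flow):
        """First-match evaluation; filtering devices end with an implicit deny."""
        if not self.rules:
            return "permit", None
        for rule in self.rules:
            if rule.matches(flow):
                return rule.action, rule
        return "deny", None


def find_path(devices, flow):
    """Breadth-first search from the devices attached to the source address to a
    device attached to the destination.  Returns (hops, blocked): hops is the
    ordered list of (device name, matching rule) that permits the flow end to
    end, or None, in which case blocked lists the devices that denied it."""
    src, dst, _, _ = flow
    queue = deque((d, []) for d in devices if d.attached(src))
    seen, blocked = set(), []
    while queue:
        dev, hops = queue.popleft()
        if dev.name in seen:
            continue
        seen.add(dev.name)
        action, rule = dev.decision(flow)
        if action == "deny":
            blocked.append((dev.name, rule))
            continue
        hops = hops + [(dev.name, rule)]
        if dev.attached(dst):
            return hops, []
        for nxt in devices:  # neighbours share a network with this device
            if nxt.name not in seen and set(nxt.networks) & set(dev.networks):
                queue.append((nxt, hops))
    return None, blocked


def simulate(devices, changes, flows):
    """What-if: apply (device name, position, Rule) insertions to a copy of the
    topology and report (reachable before, reachable after) for each flow."""
    model = deepcopy(devices)
    by_name = {d.name: d for d in model}
    for name, position, rule in changes:
        by_name[name].rules.insert(position, rule)
    return {flow: (find_path(devices, flow)[0] is not None,
                   find_path(model, flow)[0] is not None) for flow in flows}


# Constructed topology: internet-facing firewall, core router, database firewall.
TOPOLOGY = [
    Device("edge-fw", ["203.0.113.0/24", "10.10.0.0/24"], [
        Rule("permit", "0.0.0.0/0", "10.10.0.0/24", "tcp", 443),
        Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
    ]),
    Device("core-router", ["10.10.0.0/24", "10.20.0.0/24"]),
    Device("db-fw", ["10.20.0.0/24", "10.30.0.0/24"], [
        Rule("permit", "10.10.0.0/24", "10.30.0.0/24", "tcp", 5432),
        Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
    ]),
]

WEB_FROM_INTERNET = ("203.0.113.5", "10.10.0.8", "tcp", 443)
DB_FROM_WEB = ("10.10.0.8", "10.30.0.5", "tcp", 5432)
DB_FROM_INTERNET = ("203.0.113.5", "10.30.0.5", "tcp", 5432)

# Proposed changes to evaluate before deployment.
EDGE_ANY = [("edge-fw", 0, Rule("permit", "0.0.0.0/0", "0.0.0.0/0"))]
BOTH = EDGE_ANY + [("db-fw", 0, Rule("permit", "0.0.0.0/0", "10.30.0.0/24", "tcp", 5432))]

if __name__ == "__main__":
    for flow in (WEB_FROM_INTERNET, DB_FROM_WEB, DB_FROM_INTERNET):
        print(flow, find_path(TOPOLOGY, flow))
    print(simulate(TOPOLOGY, EDGE_ANY, [DB_FROM_INTERNET]))
    print(simulate(TOPOLOGY, BOTH, [DB_FROM_INTERNET]))
```

The two simulations show why the change is evaluated against the whole path rather than one device: a permit-any at the top of edge-fw alone still leaves the database unreachable from the internet because db-fw denies it, but combined with a widened db-fw rule the search finds a complete permitted path through edge-fw, core-router, and db-fw.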
Reports
Use the Reports tab to create specific reports, based on data available in QRadar Risk Manager, such as:
- Firewall rules on a device
- Unused objects on a device
Unsupported features in IBM QRadar Risk Manager
The following QRadar Console features are not supported by QRadar Risk Manager:
- High availability (HA)
- Dynamic Routing for Border Gateway Protocol (BGP)
- Non-contiguous network masks
- Load-balanced routes