Qradar (IBM SIEM Tool)


Evolution:

QRadar was originally developed by a company called Q1 Labs, which was acquired by IBM in 2012. QRadar then became part of the IBM Security Systems division, which brings together all of IBM's security-related products, and QRadar was positioned at the top of that solution portfolio.
QRadar is software that can be installed on RHEL6 (Red Hat Enterprise Linux 6).

                           [Related Link: https://www.crunchbase.com/organization/q1-labs#section-overview]



About Q1 Labs:


Q1 Labs has more than 1,800 clients globally, including healthcare providers, energy firms, retail organizations, utility companies, financial institutions, government agencies, educational institutions, and wireless service providers.

Q1 Labs software collects and analyzes information from hundreds of sources across an organization such as the network, applications, user activity, mobile endpoints, and physical security devices such as badge readers — including both cloud-based and on-premise sources.  

Its security information and event management (SIEM) software also helps IT staff and auditors manage the tracking of security incidents and model risk to better protect customers, while giving executives insight into the security and risk posture of the organization.  


                                                     [ Refer: https://www-03.ibm.com/press/us/en/pressrelease/35544.wss ]

IBM QRadar Platform

         QRadar is a software platform that can help a security analyst in his day-to-day activities. It prioritizes the events happening in a network that should get attention.

       QRadar gives full real-time visibility of the entire IT infrastructure with the core SIEM component and the following complementary integrated modules:


  • QRadar Risk Manager [QRM]
  • QRadar Vulnerability Scanning/Management [QVM]
  • QRadar Incident Forensics [QRIF]

QRadar Risk Manager [QRM]:

            It can read all of the configuration files of your firewalls, routers, switches, etc. The risk manager can see whether any of the activities found by the QRadar SIEM might go through a path in your network (open ports and connections) to your vulnerable systems, and bring important events to the attention of the analyst.

QRadar Vulnerability Scanning/Management [QVM]:

QVM scans your network to find which vulnerabilities exist in your systems/environment; the scanning can be done through Nessus and Rapid7.
It then starts to find the solution for each vulnerability. QVM also keeps track of these vulnerabilities by storing them in its database, which corrects the rules, and reports the vulnerability details to IBM QRadar SIEM.

QRadar SIEM can detect whether activities are ongoing in any of the systems of your network that might exploit the vulnerabilities in your systems.
It can correct the risk score found by QVM and bring the risky events to the attention of the security analyst.
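The interplay described in the QRM and QVM sections above (firewall configuration deciding whether an observed activity has an open path to a host, scan results saying whether the service on that path is vulnerable, and the event's risk score being corrected accordingly) can be illustrated with a small model. The following is an added example written for this post, not QRadar code; the rule, vulnerability and event fields, the severity numbers and the scoring formula are all constructed assumptions.

```python
"""Toy model of reachability-aware risk scoring (added illustration, not QRadar code).

QRM-style input: firewall rules that say which source networks may reach which
destination networks on which port.  QVM-style input: vulnerabilities found on
hosts.  SIEM-style input: events with a base score.  The score of an event is
raised when the destination service is both reachable and known-vulnerable, and
lowered when policy would have blocked the path.  All values are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class FirewallRule:
    src: str    # source CIDR the rule permits
    dst: str    # destination CIDR the rule permits
    port: int   # destination TCP port the rule permits


@dataclass(frozen=True)
class Vulnerability:
    host: str
    port: int
    severity: float  # 0..10, modelled on a CVSS-like base score (constructed)


@dataclass(frozen=True)
class Event:
    src_ip: str
    dst_ip: str
    dst_port: int
    base_score: float  # score assigned before reachability/vulnerability context


def path_allowed(rules, src_ip, dst_ip, port):
    """QRM-style check: does any firewall rule permit src -> dst:port?"""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    return any(
        s in ip_network(r.src) and d in ip_network(r.dst) and r.port == port
        for r in rules
    )


def vulnerable_service(vulns, host, port):
    """QVM-style lookup: vulnerabilities recorded for this host and port."""
    return [v for v in vulns if v.host == host and v.port == port]


def score_event(event, rules, vulns):
    """Return (corrected score, list of reasons) for one event."""
    score = event.base_score
    reasons = []
    if not path_allowed(rules, event.src_ip, event.dst_ip, event.dst_port):
        reasons.append("path not open in firewall policy")
        return round(score * 0.5, 1), reasons
    hits = vulnerable_service(vulns, event.dst_ip, event.dst_port)
    if hits:
        worst = max(v.severity for v in hits)
        reasons.append(f"reachable vulnerable service (severity {worst})")
        score += worst
    else:
        reasons.append("reachable, no known vulnerability on that service")
    return round(min(score, 10.0), 1), reasons


# Constructed sample data (documentation ranges, not real assets).
RULES = [
    FirewallRule("0.0.0.0/0", "10.0.1.0/24", 443),   # public web tier
    FirewallRule("10.0.0.0/8", "10.0.2.0/24", 22),   # SSH only from inside
]
VULNS = [Vulnerability("10.0.1.5", 443, 7.5)]
EVENTS = [
    Event("203.0.113.9", "10.0.1.5", 443, 3.0),  # external -> vulnerable web host
    Event("203.0.113.9", "10.0.2.7", 22, 3.0),   # external -> SSH, blocked by policy
    Event("10.0.0.4", "10.0.2.7", 22, 3.0),      # internal -> SSH, no known vuln
]


def triage(events=EVENTS, rules=RULES, vulns=VULNS):
    """Score every event and return them sorted highest risk first."""
    scored = [(score_event(e, rules, vulns), e) for e in events]
    return sorted(scored, key=lambda item: item[0][0], reverse=True)


if __name__ == "__main__":
    for (score, reasons), e in triage():
        print(f"{score:>5}  {e.src_ip} -> {e.dst_ip}:{e.dst_port}  {'; '.join(reasons)}")
```

The ordering produced by `triage` is the point: the external connection to a reachable, known-vulnerable service floats to the top, the policy-blocked attempt sinks, and the internal SSH session stays at its base score until a scan says otherwise.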

IBM QRadar Incident Forensics [QRIF]:

This module will retrace the step-by-step actions of a potential attacker and conduct an in-depth forensics investigation of malicious security incidents within hours or even in minutes.

Technically, this tool can collect all of the network traffic to and from a system that is involved in a security incident.
It can decrypt that traffic and find all the documents in that traffic (PDFs, Cascading Style Sheets, email content, files, conversations, etc.),
so an analyst can dive into what happened during a security incident.


QRadar Main Features:


  • It is based on RHEL6; most of the raw data is stored in the Ariel database, while processed data and configuration are stored in PostgreSQL.
  • The green boxes in the architecture diagram can be called the core, which collects, processes and stores logs in QRadar.
  • All tasks run in the terminal, and these tasks can also be viewed through the SSL GUI web console, so we can work in a graphical interface.

Qradar Architecture and Components:

           IBM QRadar collects, processes, aggregates, and stores network data in real time. QRadar uses that data to manage network security by providing real-time information and monitoring, alerts and offenses, and responses to network threats.





The QRadar architecture functions the same way regardless of the size or number of components in a deployment. The following three layers, which are represented in the diagram, make up the core functionality of any QRadar system.


  1. Data collection
  2. Data processing
  3. Data searches
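To make the three layers concrete, here is a small end-to-end illustration added for this post (it is not QRadar code and does not use QRadar's own formats or APIs): a collection step that parses constructed syslog-style SSH lines into normalized events, a processing step that stores them and applies one correlation rule (several failed logins followed by a success from the same source raises an "offense"), and a search step over the stored events. The log lines, field names, rule threshold and offense structure are all constructed assumptions.

```python
"""Toy three-layer pipeline: collection -> processing -> search.

Added illustration of the layered architecture, not QRadar code.  Input lines,
field names and the correlation rule are constructed for the example.
"""
import re
from collections import defaultdict

# Layer 1 input: constructed syslog-style lines (documentation IP ranges only).
RAW_LINES = [
    "Mar  3 10:01:02 host1 sshd[2211]: Failed password for root from 198.51.100.7 port 51234 ssh2",
    "Mar  3 10:01:05 host1 sshd[2211]: Failed password for root from 198.51.100.7 port 51240 ssh2",
    "Mar  3 10:01:09 host1 sshd[2211]: Failed password for admin from 198.51.100.7 port 51250 ssh2",
    "Mar  3 10:01:15 host1 sshd[2211]: Accepted password for admin from 198.51.100.7 port 51260 ssh2",
    "Mar  3 10:02:00 host2 sshd[900]: Accepted publickey for deploy from 10.0.0.4 port 40000 ssh2",
]

SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def collect(lines):
    """Layer 1 (collection): parse raw lines into normalized event dicts.

    Lines the parser does not understand are kept, tagged 'unparsed', so that
    nothing is silently dropped on the way into the store.
    """
    events = []
    for line in lines:
        m = SSH_RE.match(line)
        if m:
            e = m.groupdict()
            e["category"] = "auth_failure" if e["outcome"] == "Failed" else "auth_success"
        else:
            e = {"category": "unparsed", "raw": line}
        events.append(e)
    return events


def process(events, threshold=3):
    """Layer 2 (processing): store events and apply one correlation rule.

    Rule: at least `threshold` failed logins from a source followed by a
    successful login from the same source produces an offense.
    """
    store = list(events)  # stands in for the event store (Ariel-like role)
    failures = defaultdict(int)
    offenses = []
    for e in store:
        if e["category"] == "auth_failure":
            failures[e["src"]] += 1
        elif e["category"] == "auth_success" and failures[e["src"]] >= threshold:
            offenses.append({
                "src": e["src"],
                "user": e["user"],
                "host": e["host"],
                "failures_before_success": failures[e["src"]],
                "rule": "brute-force then success",
            })
    return store, offenses


def search(store, **criteria):
    """Layer 3 (search): return stored events matching every field given."""
    return [e for e in store if all(e.get(k) == v for k, v in criteria.items())]


def run(lines=RAW_LINES):
    """Run all three layers over the sample input and return (store, offenses)."""
    return process(collect(lines))


if __name__ == "__main__":
    store, offenses = run()
    print(f"{len(store)} events stored, {len(offenses)} offense(s)")
    for o in offenses:
        print("OFFENSE:", o)
    print("failures:", len(search(store, category="auth_failure")))
```

The split mirrors the layering the post describes: the parser is the only part that knows the input format, the rule works purely on normalized fields, and the search never touches raw text, which is what allows each layer to be scaled or replaced independently.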


We will discuss more about the components and their features in the next blog.

Also refer to the IBM QRadar Guide:
https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.3/com.ibm.qradar.doc/b_siem_deployment.pdf