IBM QRadar remains one of the most popular SIEMs on the market. At Verodin, we have a large number of customers leveraging QRadar as well as other industry-leading products. We’ve written detailed, technical instrumentation blogs for some of these products, including Splunk, Palo Alto Next-Generation Firewalls, and Snort. In the spirit of those product blogs, this blog will focus on how Verodin SIP can improve the effectiveness of QRadar.
For the purposes of this blog, we are using Verodin SIP to validate that Palo Alto Firewall events are being effectively communicated to QRadar and that QRadar is effectively correlating those events so that a security analyst will be alerted. Specifically, we will be using Hancitor Malspam Zeus Panda Banker for the test. You can read about the Hancitor technical details at Malware-Traffic-Analysis.Net.
When using Verodin SIP, the first step in validating the Palo Alto and QRadar efficacy is selecting the test you would like to run. Pictured below is the Verodin SIP Director. Once you’re in the Attack Library, search for and select Hancitor.
Verodin SIP makes the entire Hancitor PCAP viewable, as illustrated below. This PCAP is the actual attack and will be safely replayed for bi-directional communication between Verodin SIP Actors. Verodin SIP ships with a large library of attacks and updates them frequently. Because Verodin SIP is an Open Content Platform, you can also pull attacks in from public sources such as malware-traffic-analysis.net, local packet captures, threat intelligence feeds, and your industry ISACs, and you can leverage shells, DNS, sockets, and your own attacks, such as those written in Python.
Note that Verodin SIP Actors only attack each other, and by doing so, validate the efficacy of your security controls. Actors do not attack your assets directly. In terms of the PCAP, we are validating whether your Palo Alto Firewall is detecting and/or preventing the attack. Later in the blog we’ll explore how, through the Verodin SIP Director API integration with QRadar, we can see whether the Palo Alto Firewall events made it to QRadar properly parsed, with the right timestamps, etc., and whether QRadar created a correlated event that a human will notice and can respond to.
As you can see below, once we select Hancitor, we choose which Actors will run the test. We have a Palo between the Desktop Zone and Internet Zone, so those are the Source (attacker) and Destination (target) Actors we select.
The Verodin Director Job Status view shown below reveals that the Hancitor attack executed between the Desktop Zone and the Internet Zone Actors was blocked by Palo and also that there are 11 events created from an incident detection perspective.
Let’s drill into the summary above to get the details shown below. Of note for Palo: the blocked events are successfully logged on Palo. This is good. We even see Hancitor being called out by name, as opposed to some unknown attack. This is very good.
For QRadar we see various events during the Hancitor attack coming from both Palo and Snort. Unfortunately, while QRadar is successfully receiving events with good parsing and timestamps, the Palo and Snort events are not resulting in a correlated event (as shown in the next screenshot under the “Events That Didn’t Match a Rule” column). This is a problem because most organizations receive thousands of events a second, and uncorrelated events get lost in the noise. This greatly reduces the chance of an analyst taking a look at the incident.
This is a prime example of good security tools that, because they have never been validated and instrumented to ensure they are working correctly, are not providing value from a financial perspective and aren’t effectively mitigating risk.
This is an extremely common issue. Organizations can have great tools and awesome people, but without a solution for instrumenting them, they are simply wasting time, money, and resources and managing security based on assumptions.
Now let’s pivot to QRadar. In the image below, we are simply adding a filter to look at a specific Log Source – in this case: Palo.
Now that we’ve filtered the log source to Palo, we can drill into some of the events in QRadar. As shown below, we have a “Virus Detected” message from the Palo event in QRadar that contains “Virus/Win32.WGeneric.sckvj.”
We also see a “Browser Exploit.” This is identified as “Hancitor.Gen Command and Control Traffic” as shown below.
The bottom line is that we’ve got lots of great data in Palo that was created during the Verodin SIP test and these events are showing up in QRadar. Now we can take this Verodin SIP-identified data and build a QRadar rule. Using the QRadar Rule Wizard below, we can go through the process of building the rule. As you can see, we’re going to base the rule on the event payload (“payload” in this context being the Palo message reported to QRadar).
There are other capabilities through the QRadar Rule Wizard, such as the Rule Response section, which can help with alerting and reporting. But I’m going to skip that for blog brevity and stay focused on our primary instrumentation task.
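To make the “payload contains” logic of the rule concrete, here is an added example (not code from the original post, and not QRadar’s own rule engine) that applies the same two steps in Python: filter events to the Palo log source, then fire a rule when the payload contains one of the Hancitor indicators the post found in QRadar. The event lines are constructed samples; their field layout is a simplification, not the real Palo Alto or Snort syslog format.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample events, loosely modelled on the Palo and Snort messages the
# blog describes arriving in QRadar. Not real captures; fields are simplified.
SAMPLE_EVENTS = [
    {"log_source": "Palo",
     "payload": "THREAT,virus,action=drop,threat=Virus/Win32.WGeneric.sckvj,src=10.1.1.20,dst=198.51.100.7"},
    {"log_source": "Palo",
     "payload": "THREAT,vulnerability,action=reset-both,threat=Hancitor.Gen Command and Control Traffic,src=10.1.1.20,dst=198.51.100.7"},
    {"log_source": "Palo",
     "payload": "TRAFFIC,end,action=allow,app=web-browsing,src=10.1.1.20,dst=203.0.113.9"},
    {"log_source": "Snort",
     "payload": "[1:1000001:1] MALWARE-CNC Hancitor beacon [Priority: 1]"},
]

@dataclass(frozen=True)
class PayloadRule:
    """A rule that fires when an event from log_source has any pattern in its payload."""
    name: str
    log_source: str
    patterns: Tuple[str, ...]  # case-insensitive substrings; any one match fires

    def matches(self, event: Dict[str, str]) -> bool:
        if event["log_source"] != self.log_source:   # the Log Source filter step
            return False
        payload = event["payload"].lower()            # the "payload contains" test
        return any(p.lower() in payload for p in self.patterns)

# The rule built in the post: keyed on the two Palo messages seen in QRadar.
HANCITOR_RULE = PayloadRule(
    name="Hancitor via Palo",
    log_source="Palo",
    patterns=("Virus/Win32.WGeneric.sckvj", "Hancitor.Gen Command and Control Traffic"),
)

def evaluate(events: List[Dict[str, str]], rules: List[PayloadRule]):
    """Return (fired, unmatched): rule name -> matching events, and the events no rule matched.
    The unmatched list corresponds to QRadar's "Events That Didn't Match a Rule" column."""
    fired: Dict[str, List[Dict[str, str]]] = {r.name: [] for r in rules}
    unmatched: List[Dict[str, str]] = []
    for event in events:
        hits = [r for r in rules if r.matches(event)]
        for r in hits:
            fired[r.name].append(event)
        if not hits:
            unmatched.append(event)
    return fired, unmatched

if __name__ == "__main__":
    before = evaluate(SAMPLE_EVENTS, [])               # before instrumenting: no rule
    after = evaluate(SAMPLE_EVENTS, [HANCITOR_RULE])   # after building the rule
    print("unmatched before:", len(before[1]), "unmatched after:", len(after[1]))
```

Running it shows every event unmatched before the rule exists and only the benign Palo traffic log and the Snort event unmatched afterwards; extending `patterns` or adding a Snort rule is how you would cover the rest.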
We’ve built a rule in QRadar. The next step is to validate that the rule works. This is called configuration assurance, but it simply means checking to see if the thing you just did is doing what you want.
As pictured below, within the Verodin SIP Director, we select “Run Again” to run the exact same Hancitor test between the exact same Verodin SIP Actors. As you can see, Palo still blocks the attack as we would expect since we didn’t change anything on Palo or any of the systems supporting Palo. Further, we see that there are 22 detection events. This is up from the 11 we had before instrumenting QRadar.
Success! When we drill into the events as shown below, we clearly see that QRadar is now firing a rule during the Hancitor test and that this rule is predicated on the Palo events. This level of validation is almost impossible to get with any other approach.
While this was a manual, ad-hoc test, Verodin SIP is designed to run automatically, so that initial effectiveness measurements across endpoint, network, email, and cloud security tools can be followed by ongoing environmental drift analysis. This ensures that what is working stays working and allows security analysts to manage by exception: they will be alerted if, in this example, Palo stops blocking and alerting on Hancitor and/or if QRadar stops receiving and correlating the events from Palo.
This blog represents a very specific and somewhat technical illustration of Verodin SIP capabilities. Similar capabilities include:
- Testing and tuning a wide range of security tools across endpoint, network, email, and cloud
- Purple teaming
- Segmentation validation
- Cloud visibility
- Validating policies, MSSPs, and SLAs
- War-gaming and incident response validation
- Measuring and improving against frameworks like MITRE ATT&CK, NIST CSF, and the Lockheed Martin Kill Chain
However, it’s important to note that Verodin SIP goes beyond these more technical use cases to also make the data relevant for business decision-makers looking for the answers to questions like:
- How effective are my security controls and are they providing the value for what we are spending?
- Where is the evidence of my actual risk as realized by empiric metrics about my security effectiveness?
- If my security tools were working last week, do I know if they’ve drifted from a known good state and have stopped providing the value I need?
- Can I rationalize the need for the security tools I have? What can I retire? Where do I have empiric evidence illustrating where I need to invest?
- Beyond my technology, how effective are my people and processes when interacting with these security tools?
Improving the effectiveness of specific security tools like QRadar is vital. But from a bigger-picture perspective, cybersecurity is now a conversation at the highest levels of an organization, one that requires evidence for shareholder value and future expectations. There is greater alignment of cybersecurity with corporate responsibility, as illustrated in 10-K reports, committee charters, and corporate governance documents. Security is no longer just about cyber risk; it’s about the financial and operational risk from cyber.
Check out how Verodin SIP can help your organization and request a demo.