About this document
The focus of this blueprint is to highlight early threat detection by IBM® QRadar® and to proactively start a cyber resilience workflow in response to a cyberattack or malicious user actions.
The workflow uses IBM Copy Services Manager (CSM) as orchestration software to start IBM DS8000® Safeguarded Copy functions. The Safeguarded Copy creates an immutable copy of the data in an air-gapped form on the same DS8000 system for isolation and eventual quick recovery.
This document also explains the steps that are involved to enable and forward IBM DS8000 audit logs to IBM QRadar.
It also discusses how to create rules in IBM QRadar that identify a threat, and how to configure and start a suitable response to the detected threat.
Finally, this document explains how to register a storage system and create a Scheduled Task by using CSM.
Executive summary
The financial effects of cyberattacks continue to rise. Cyberattacks can occur in various ways. They can take the form of malware or ransomware that is targeted at stealing confidential data or holding valuable information for ransom. Sometimes, these attacks are designed to destroy confidential data to cripple organizations. In many cases, data breaches involve internal threat actors.
Traditional approaches to data protection work well for their intended purposes but are not adequate to protect against cyberattacks, which can encrypt or otherwise corrupt your data. Remote replication for Disaster Recovery (DR) replicates all changes (malicious or not) to the remote copy. Also, recovering from a widespread attack by using data that is stored on offline media or in the cloud might take too long. Large-scale recovery can take anywhere between days and weeks, which leads to substantial downtime for businesses.
Detecting a threat as it starts can help speed recovery. IBM Security™ QRadar is a Security Information and Event Management (SIEM) and threat management system that monitors activities. It looks for signs that can indicate the start of an attack, such as logins from unusual IP addresses or outside business hours. Now, IBM QRadar can proactively start Safeguarded Copy to create a protected backup at the first sign of a threat.
The Safeguarded Copy function is designed to help businesses recover quickly and safely from a cyberattack, which helps reduce recovery to minutes or hours. It creates multiple recovery points for a production volume. These recovery points are called Safeguarded Copy backups.
The recovery data is not stored in separate regular volumes, but in a storage space that is called Safeguarded Copy backup capacity, which creates a logical air gap. The backups are not directly accessible by a host. Instead, the data can be used only after a backup is recovered to a separate Recovery volume.
If an attack occurs, the orchestration software, IBM Copy Services Manager, helps create and identify the best Safeguarded backup to use and automates the process to restore data to online volumes. Because a restore action uses the same snapshot technology, it is almost instant; therefore, it is much faster than the use of offline copies or copies that are stored in the cloud.
Scope
The focus of this document is to showcase early threat detection for the IBM DS8000 storage system. On the first sign of a threat, Safeguarded Copy is started proactively to create an immutable backup. IBM Copy Services Manager orchestration software is used to interact with the DS8000 system to start a backup, and to recover or restore the backup.
As part of early threat detection, several rules are described, and a sample Python script that was used to start the Safeguarded Copy action is provided. This document also explains several sample control path and data path use cases.
Customers are encouraged to create their own control path and data path use cases, and to customize the IBM QRadar rules and custom response scripts to suit their environment. The use cases, rules, and Python script should be seen as templates or guardrails and should not be used “as-is” in a production environment.
The solution that is featured in this blueprint is created by using IBM QRadar release 7.4.2, IBM DS8000, and IBM Copy Services Manager 6.3. The CSM Scheduled task feature is heavily relied upon to create the required workflow.
The sample workflow that is explained as part of the solution involves suspending the copy or mirroring of volumes, waiting for confirmation of the suspension, starting Safeguarded Copy, and then resuming the volume copying or mirroring.
All components that are described in this document, such as IBM QRadar, IBM Copy Services Manager, and IBM DS8000, are in the same network segment. Additional network planning is required if these systems are in different networks.
For more information about IBM QRadar, Safeguarded Copy, and Copy Services Manager, see “Resources” on page 35.
 
Note: This solution is not supported by the GDPS feature.
 
Introduction
Combining the capabilities of IBM DS8000 Safeguarded Copy and IBM QRadar enables enterprises to build comprehensive cyber resilience solutions that address not only the protect and recover functions of the NIST framework, but also the detect and respond functions.
IBM DS8000 can log all administrative activities in its audit logs, which record every access to storage objects. To identify and detect potentially malicious access, and for compliance auditing purposes, these audit logs must be integrated with the SIEM solution.
By correlating IBM DS8000 administrative audit logs with application logs, network or server logs, and flow and packet data, IBM QRadar can extend its protection to the enterprise data itself.
IBM DS8000 Safeguarded Copy feature
The Safeguarded Copy feature creates safeguarded backups that are not accessible by the host system. It also protects these backups from corruption that can occur in the production environment. A Safeguarded Copy schedule can be defined to create multiple backups regularly, such as hourly or daily.
Safeguarded Copy can create backups with more frequency and capacity in comparison to FlashCopy volumes. The creation of safeguarded backups also has less performance impact than the multiple target volumes that are created by FlashCopy.
The safeguarded source volume cannot be removed before the safeguarded backups are deleted. The maximum safeguarded virtual backup capacity size is 16 TiB for CKD and FB data.
The Safeguarded Copy function provides backup copies to recover data if logical corruption occurs or primary data is destroyed.
Safeguarded Copy uses a backup capacity, production volume, and recovery volume:
Backup capacity can be created for any production volume. The size of the backup capacity depends on the frequency of the backups, and the duration that backups must be retained.
The Safeguarded Copy session creates a consistency group across the source volumes to create a safeguarded backup, which stores the required data in the backup capacity.
The production volume is the source volume for a Safeguarded Copy relationship. Depending on the specific client topology, this relationship can be a Metro Mirror, Global Mirror, or z/OS Global Mirror primary or secondary volume, or a Simplex volume.
A recovery volume is used to restore a backup copy for host access while production runs on the production volume. The recovery volume is the target volume for a Safeguarded Copy recovery, which enables a previous backup copy to be accessed by a host that is attached to this volume. The recovery volume is typically thin-provisioned, but it is not required to be.
Management of Safeguarded Copy is supported by Copy Services Manager 6.2.3 or later and IBM GDPS® 4.2 or later. The management software allows creating and recovering backups and defining policies for expiration.
 
IBM Copy Service Manager
IBM® CSM controls copy services in storage environments. Copy services are features of storage systems, such as IBM DS8000, that configure, manage, and monitor data-copy functions.
Copy services include the following examples:
IBM FlashCopy
Metro Mirror
Global Mirror
Metro Global Mirror
CSM runs on Windows, AIX®, Linux, Linux on z Systems®, and IBM z/OS® operating systems. When it is running on z/OS, Copy Services Manager uses the Fibre Channel connection (IBM FICON®) to connect to and manage count-key data (CKD) volumes.
The fully licensed version of Copy Services Manager provides all supported IBM FlashCopy®, Metro Mirror, Global Copy, Global Mirror, Metro Global Mirror, and multi-target solutions.
Copy Services Manager provides a graphical user interface (GUI), a command-line interface (CLI), and a RESTful (Representational State Transfer) API for managing data replication and Disaster Recovery (DR). Starting with Copy Services Manager 6.2.9, the online help also integrates with the RESTful API.
IBM QRadar
IBM QRadar Security Intelligence Platform products provide a unified architecture for integrating SIEM, log management, anomaly detection, incident forensics, and configuration and vulnerability management. It is one of the most popular SIEM solutions on the market today.
It provides powerful cyber resilience and threat detection features, such as centralized visibility, flexible deployment, automated intelligence, machine learning, proactive threat hunting, and much more.
IBM QRadar can detect malicious patterns by using several data sources and analysis tools and techniques, including access logs, heuristics, correlation with logs from other systems, such as network logs or server logs, network flow and packet data. Its open architecture enables third-party interoperability so that many solutions can be integrated, which makes it even more scalable and robust.
To apply the security and compliance policies, QRadar Administrators can perform the following tasks:
Search event data by using specific criteria and display events that match the search criteria in a results list. Select, organize, and group the columns of event data.
Visually monitor and investigate flow data in real time, or perform advanced searches to filter the displayed flows. View flow information to determine how and what network traffic is communicated.
View all the learned assets or search for specific assets in your environment.
Investigate offenses, source and destination IP addresses, network behaviors, and anomalies on your network.
Edit, create, schedule, and distribute default or custom reports.
Prerequisites
The following prerequisites must be met for this solution:
The firewall rules between IBM QRadar and IBM DS8000® storage are adjusted to allow traffic on 514/tcp or 514/udp. Also, the firewall rules are adjusted to allow traffic between the IBM QRadar host and IBM Copy Services Manager on port tcp/9595. Syslog on port 514 is neither encrypted nor authenticated, so this traffic should stay on a management network (or use TLS syslog) to keep the audit trail from being read or spoofed in transit.
IBM Copy Services Manager (CSM) 6.2.3 or later is available and the IBM DS8000 storage is registered in CSM by using administrator privileges.
For more information about CSM document references, see “Resources” on page 35.
A scheduled task must be defined in CSM that consists of various operations, depending upon the functions that are used in the storage system. For example, when copy services, such as Metro Mirror or Global Mirror, are used, replication to the target volumes must be suspended so that the target volumes are in a consistent state before a Safeguarded Copy backup is taken.
Safeguarded virtual capacity is provisioned. For more information about configuring safeguarded virtual capacity, see “Resources” on page 35.
The recovery volume is configured before the safeguarded backup copy session is created in CSM.
Understand DS8000 storage for working with volumes and safeguarded virtual capacity allotment.
Solution overview
Organizations face threats in many ways: credentials that are compromised by a spear phishing attack, a rogue user within the organization, or cyberattacks, such as brute force attempts or ransomware. Any of these threats poses a grave risk to the storage systems that hold the data.
To track the administrative action, the solution implements various control path use cases. To track the changes from application data, a data path use case is discussed.
A syslog configuration is created in IBM DS8000 that allows storage events to be forwarded to IBM QRadar. IBM QRadar understands the authentication events that are forwarded by DS8000 and categorizes them correctly. Other storage-specific events must be mapped to the correct QRadar identifiers (QIDs) so that storage-specific operations are categorized.
After the event classification is completed, the QRadar administrator can define several rules to detect threats that are categorized under the control and data paths. Upon threat detection, a cyber resiliency response is started in the form of a Python script that uses API commands to run a predefined CSM scheduled task.
The scheduled task feature of CSM is chosen because it provides flexibility to run various operations, including conditional execution based on the specific state of previously run commands.
An overview of the solution is shown in Figure 1.
Figure 1 Solution overview
Control path use cases
The following sample control path use cases are common. Although this list is by no means exhaustive, it generalizes the idea of a threat. Ultimately, the security policy of the organization defines what a threat is:
Administrator logins are detected outside business hours
Administrators must log on to the system to solve one issue or another. However, what if an administrator is logging on to a system that has no open incident tickets? How can this login be justified? More importantly, how can this action be tracked?
Same administrator user logs on from multiple locations or IP addresses at the same time
This issue is a classic case of compromised or shared credentials. A legitimate user might be oblivious to the activity of a second session under the same login. What if one of the sessions is malicious?
Space unmap command is run
This simple command has dangerous consequences. It can easily go undetected and cause logical corruption of the storage volumes, because the unmapped blocks are released and the data that they held is lost.
Data path use case
Figure 2 shows a typical three-tier application infrastructure with QRadar monitoring telemetry from all of the sources within the environment. The audit log events from the host/web/app/database tier can be used to determine a brute force attack threat.
Figure 2 Sample application infrastructure
For this solution, a brute force login against the database server was attempted. The failed logins generated events that were forwarded to QRadar and satisfied the threat conditions. The cyber resiliency workflow then started the CSM scheduled task, which suspended Global Mirror, created the Safeguarded Copy backup, and restarted the copy session after the backup.
Lab setup
This section explains the lab setup that was used.
DS8000 topology
The lab setup consisted of 3 DS8000 systems in a three-site configuration (see Figure 3).
Figure 3 Three-site configuration
The three-site configuration consisted of Metro Mirror (Oscar + Loompa) and Global Mirror (Oscar + Willie) between the three DS8000 systems (see Figure 4).
Figure 4 Three-site volume configuration
The site H3 (shown as “willie”) was configured with safeguarded virtual capacity (see Figure 5).
Figure 5 Safeguarded copy volume
A Linux host was used where the volumes from H1 site were mapped. A database workload simulator was run on the Linux host to maintain write activity on the primary volumes. The block changes that were induced by writes on primary site traveled downstream with Metro and Global Mirror relationship.
Audit logging was enabled on all three DS8000 systems by using the syslog setup. Because QRadar understands the syslog event format, it automatically creates a LinuxServer type log source and categorizes the events as Linux events. This categorization must be changed to storage-specific actions, which include, but are not limited to, Volume Creation and Volume Deletion. A sample mapping for the Create Volume event is shown in “Working with QRadar Events”.
Setting up audit log forwarding from IBM DS8000
Complete the following steps to enable audit log forwarding from IBM DS8000 to IBM QRadar:
1. Log in to DS8000 GUI interface.
2. Click Settings → Notifications and then, click Add Syslog Server.
3. Enter the IP address of QRadar host. Keep the default value for port as it is (see Figure 6).
Figure 6 Adding syslog server by using DS8000 GUI
4. To add the syslog server by using the CLI, run following command from DSCLI command prompt:
dscli> mksyslogserver -ipaddr 9.11.221.149 -serverport 514 -type all syslog_1
The syslog events that are forwarded by DS8000 are understood by QRadar as Linux events, and a log source is defined automatically. Although this process works for most of the login and operating system operations, the storage-specific events require more categorization, as described next.
Working with QRadar Events
This section describes how to use the device support module (DSM) editor to correctly categorize the storage-related action events that are incorrectly mapped as Linux events. After the new event mapping is created, subsequent events of that kind are mapped correctly. The process must be repeated for every storage event that you want to monitor.
Under QRadar’s Log Activity tab, select the events that must be categorized from Action drop-down menu and then, select the DSM Editor option (see Figure 7).
Figure 7 Starting DSM editor
The DSM editor shows that the selected sample events are generated for the Volume_Create action. However, these events are incorrectly mapped as Linux Auth Server events (see Figure 8).
Figure 8 Sample audit event
Complete the following steps to map this event:
1. In the Log Source Type window on the Properties tab, search for Event Category and click Open the Property.
2. Click the Edit option and enter the regular expression. Repeat the step for the Event ID property. It is possible to provide multiple criteria for a specific property to extract specific value from the event (see Figure 9).
Figure 9 Regular expression for Event ID and Event Category
Notice that after the properties are updated with the regular expression, the events status is changed to Parsed but not Mapped in the Log Activity Preview window (see Figure 10).
Figure 10 Partially parsed event
3. To perform event mapping, click the Event Mappings tab page in the Log Source Type window and click (+) to open the Create new Event Mapping window. Click Choose QID hyperlink (see Figure 11).
Figure 11 Creating an event mapping
4. Choose the QID record by selecting suitable category. It is also possible to provide filter criteria to limit number of QID entries (see Figure 12).
Figure 12 Choosing the QID record
5. Select the QID record to change the event status to Parsed and Mapped in the Log Activity Preview window (see Figure 13).
Figure 13 Log Activity Preview window
6. Click Save to save the changes.
Setting up IBM Copy Services Manager
This section describes the Copy Services sessions setup between DS8000 systems in a three-site configuration. A quick introduction to scheduled tasks, sessions, and copy sets is provided here. For more information, see “Resources” on page 35.
Scheduled tasks
Starting with Copy Services Manager Version 6.2.1, you can use a GUI wizard to schedule tasks. As of this writing, tasks can be scheduled only against sessions. The scheduled tasks can consist of one or more actions, including issuing commands, and waiting for states.
The Wait for State action ensures that the next action in the list does not occur until the session is in the correct state. The list of actions that you create in the wizard occur sequentially. Therefore, the Wait for State action delays the next action in the task from running until the specified state is reached. The task fails if the state is not reached. For more information about scheduled tasks, see “Resources” on page 35.
Session
A session completes a specific type of data replication for a specific set of volumes. During data replication, data is copied from a source volume to one or more target volumes, depending on the session type. The source volume and target volumes that contain copies of the same data are collectively referred to as a copy set. A session can contain one or more copy sets.
Sessions are referred to as:
Single-target: The source volume site can have only one target site. Data replication occurs from the source to the target.
Multi-target: The source volume site can have multiple target sites. Data replication can occur from the source to an individual target or to all targets simultaneously.
Copy sets
The number of volumes in the copy set and the role that each volume plays is determined by the session type that is associated with the session to which the copy set belongs.
For the lab setup, Metro Mirror - Global Mirror session was chosen for three-site configuration, and a Safeguarded Copy session was created for the backup.
Creating a Metro Mirror - Global Mirror session in CSM
Complete the following steps to create a Metro Mirror - Global Mirror session in CSM:
1. Log in to CSM, and click Sessions. Then, click Create Session to begin the session creation wizard.
2. Confirm the correct storage in the Hardware type combination box. Select Metro Mirror - Global Mirror from Session type combination box. Enter a session name and then, choose the suitable locations and click OK (see Figure 14).
Figure 14 Create session wizard (step1)
3. Click Launch Copy Sets Wizard in the confirmation dialog box (see Figure 15).
Figure 15 Create session (step 2)
4. Select the suitable Host1 storage system, logical storage subsystem (LSS), and volumes from the chosen LSS and click Next (see Figure 16). It is also possible to create a CSV file when working with large numbers of volumes and import them.
Figure 16 Selecting the Host1 storage system
5. On the next page of wizard, select the Host2 storage system and Host2 LSS and volumes from the LSS (see Figure 17).
Figure 17 Selecting the Host2 storage system
6. On the next page of wizard, select the Host3 storage system, LSS, and volumes from the LSS (see Figure 18).
Figure 18 Selecting the Host3 storage system
7. Select the Journal storage system and the suitable Journal LSS in the next window. The journal volumes are selected automatically, and no other selection can be made here (see Figure 19).
Figure 19 Selecting the Journal3 storage system
The user-selected values are validated and the result is displayed in the next window (see Figure 20).
Figure 20 Matching Results window
8. The next window shows all of the available copy sets. Details of a single copy set can be seen by clicking Show in the Copy Set column (see Figure 21).
Figure 21 Select Copy Sets window
9. Confirm and click Next to proceed to the Add Copy Set window (see Figure 22).
Figure 22 Confirmation window
The last window shows the results of adding the copy sets to the session (see Figure 23).
Figure 23 Add copy sets wizard Result window
10. Repeat the process of adding the copy set for the next LSS. In the lab environment, the volumes from two LSSs were added for the copy services session.
Creating a Safeguarded Copy session in CSM
Complete the following steps to create a safeguarded copy session in CSM:
1. Log in to CSM and then, click Sessions. Then, click Create Session to begin session creation wizard.
2. Select the correct storage from the Hardware type box. Select Safeguarded Copy from the Session type box.
3. Enter a suitable session name and then, choose the locations and click OK (see Figure 24).
Figure 24 Create session wizard for Safeguarded Copy
4. Click Launch Copy Sets Wizard in the confirmation dialog box to start the Copy Sets Wizard.
5. Select the suitable Host1 storage system, and Host1 LSS and then, the Host1 volumes from the selected LSS. Click Next. It is also possible to create a CSV file when working with large number of volumes and import them.
6. Choose the Recover1 storage system and Recover1 LSS. The Recover1 volumes are selected automatically, which prohibits any user selection (see Figure 25).
Figure 25 Safeguarded Copy session Recover storage system and LSS selection
A selection window with all of the matched volumes is presented, together with a warning about the Host1 volumes. This warning is expected and can be ignored because the source (Host1) volumes are part of the Copy Services session that was defined earlier (see Figure 26).
Figure 26 Safeguarded Copy, Copy Set information
7. Confirm the selections that were made and repeat the process for the second LSS to add the volumes. The actions that were performed thus far also are logged in the console log (see Figure 27).
Figure 27 CSM Console log output
Now, CSM sessions for Copy Services and Safeguarded Copy are configured.
Creating a scheduled task to issue Safeguarded Copy backup in CSM
Complete the following steps to create a scheduled task to issue a safeguarded copy backup in CSM:
1. Log in to CSM and then, click Settings → Scheduled Tasks. Click Create Task to start the wizard.
2. Enter a name and description for the task and then, click Next
3. Select the No Schedule option in the How often do you want the task to run? window and then, click Next.
4. Click Add Action in the What action would you like to perform? window.
5. Select the Command option in the Type field and then, select the Copy Services session name and Suspend option from the Command menu. Click OK (see Figure 28).
Figure 28 Creating a task
6. Click Add Action again and select the Wait for State option from Type menu. Select the same Session Name from Step 5 and then, select the Suspended option from the State menu. Enter a timeout value in minutes in the Time field and then, click OK (see Figure 29).
Figure 29 Selecting the Suspend option
7. Click Add Action again and select the Backup option from the Type menu. Then, select the Safeguarded Copy session name and click OK (see Figure 30).
Figure 30 Selecting the Backup command option
8. Click Add Action and select the Command option from the Type menu. Then, select the Copy Services session and select the Start H1→H2 H1→H3 option from the Command menu (see Figure 31).
Figure 31 Selecting the command option
9. The scheduled tasks actions definition is now complete. Optionally, choose to run a task in case of success or failure (see Figure 32).
Figure 32 Selecting a task to run
The last window of the wizard is a summary of the scheduled task (see Figure 33).
Figure 33 Scheduled Task Summary window
10. Review the actions and click Finish to complete the wizard.
Threat detection in QRadar
Threats are detected by the rules engine in QRadar. The rules engine applies various conditions on the normalized events to determine the threat.
After the threat is detected, its severity can be determined and a response can be generated that is based on properties that are extracted from the events. In addition to the response, the QRadar administrator also can choose to raise an offense. The sample rule configuration that is used to detect a brute force login attack is described in this section.
Complete the following steps:
1. Log in to QRadar by using administrator’s privileges.
2. Click the Admin tab and then, click Define Actions under Custom Actions. Click Add to define a custom action.
3. Define a custom action as shown in Figure 34. Both the CSM_USER and CSM_PASSWD parameters are base64-encoded strings. Base64 is an encoding, not encryption: anyone who can read the custom action definition can recover the password, so use a dedicated CSM user that has only the rights that are needed to run the scheduled task.
Figure 34 Custom action definition
4. Click OK to save the changes and acknowledge the dialog box to deploy the script.
5. Return to the Admin tab. Notice the message about undeployed changes (see Figure 35). Click Deploy Changes to deploy the changes made.
Figure 35 Deploy changes post custom action definition
6. Click the Log Activity tab and click Rules → Rules. Click Next in the Custom Rule Wizard welcome window.
7. Select Events as the Source to generate the rule and then, click Next.
8. In the Rules Test Stack Editor window, use the event matches criteria to filter the rules and click the green (+) icon to add the first rule. The bold words act as hyper-links for selecting suitable properties (see Figure 36).
Figure 36 Filtering event rule
9. Click Rules to select the property, search for Authentication Failure and select the property that starts with BB:CategoryDefinition:Authentication Failure. Click Add+ and then, click Submit (see Figure 37).
Figure 37 Property value search and selection
10. Use the filter text and add the next rule (see Figure 38).
Figure 38 Filter text to select rule
11. Complete the following steps:
a. Click this many and write 10.
b. Click Event Properties and choose Username.
c. Click this many minutes and choose 5 minutes.
12. Use the filter text and add the next rule (see Figure 39).
Figure 39 Filter text to select rule
13. Click these log sources and choose the log source that is automatically defined by QRadar for the Linux host.
14. After all of the property values are updated, the completed rule resembles the rule that is shown in Figure 40.
Figure 40 Rule defined by selecting appropriate property values
Now, the rule is given a name that identifies its purpose, and a group is chosen of which this rule becomes a member. In the lab setup, the rule was made part of three groups, Authentication, Recon, and DS8K-CR, for rule categorization. Of the three groups, the DS8K-CR group was custom created. Notes that describe the purpose of the rule are also provided for future reference.
15. Click Next to configure the Rule Response window. It is divided into the following sections:
Rule Action
Various properties are configured in this window. An offense also is generated when this rule is triggered and the property Username is used to identify the offending user attempting the brute force login (see Figure 41).
Figure 41 Configuring Rule Action
Rule Response
A new event is generated with a specific name and description to indicate that the rule was triggered. In this section, the custom action also is chosen as the response to the detected threat (see Figure 42).
Figure 42 Configuring Rule Response
Response Limiter
As the name suggests, this parameter limits how often the rule responds. In this example, the rule response was set to a single execution every 30 minutes, so a burst of matching events starts one Safeguarded Copy backup rather than one per event (see Figure 43).
Figure 43 Rule Response Limiter and Rule State
Enable Rule
Multiple rules can be configured to test different conditions that detect the threat, and each rule is enabled individually by using this check box (see Figure 43).
16. The final window of the Rule Wizard shows the summary of the rule that was created. Validate the selections that were made and click Finish to save the rule and close the wizard.
Figure 44 Rule Summary window
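The rule that is built in the preceding steps, reduced to its logic, as an added example that is not part of the blueprint or its GitHub script: a Python detector that applies the same conditions (10 authentication failures for the same username within 5 minutes, with a response limiter of one execution every 30 minutes) to constructed sshd lines in /var/log/secure format. It goes beyond the wizard by also implementing the “same administrator logs on from multiple IP addresses” control path use case that was described earlier. The log lines, host name, user names, and addresses are constructed for the example, and the 10-minute window for concurrent sessions is an assumption, because the blueprint does not state one.

```python
"""Added example (not code from the blueprint): the brute-force rule built in
the Custom Rule Wizard plus the "same administrator from multiple IP addresses"
control path use case, as plain Python over constructed sshd log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed /var/log/secure lines (not captured from the lab host).
SAMPLE_LINES = [
    f"Mar  3 10:00:{s:02d} dbhost sshd[4021]: Failed password for oracle "
    f"from 10.0.5.17 port 51{s:03d} ssh2"
    for s in range(1, 13)            # 12 failures in 12 seconds
] + [
    "Mar  3 10:00:13 dbhost sshd[4021]: Failed password for invalid user postgres from 10.0.5.17 port 51030 ssh2",
    "Mar  3 10:05:00 dbhost sshd[4100]: Accepted publickey for admin from 10.0.5.20 port 40100 ssh2",
    "Mar  3 10:05:02 dbhost sshd[4100]: pam_unix(sshd:session): session opened for user admin",
    "Mar  3 10:06:30 dbhost sshd[4133]: Accepted password for admin from 198.51.100.7 port 40211 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted password|Accepted publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(line, year=2022):
    """Return (timestamp, success, username, source IP), or None for lines
    that are not authentication results (QRadar would leave those unmapped)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"].startswith("Accepted"), m["user"], m["ip"]


class Detector:
    def __init__(self, fail_threshold=10, fail_window=timedelta(minutes=5),
                 session_window=timedelta(minutes=10), limiter=timedelta(minutes=30)):
        self.fail_threshold, self.fail_window = fail_threshold, fail_window
        self.session_window, self.limiter = session_window, limiter   # 10 min is assumed
        self.failures = defaultdict(deque)   # username -> (ts, ip) of failed logins
        self.sessions = defaultdict(deque)   # username -> (ts, ip) of accepted logins
        self.last_response = {}              # rule name -> time the response last ran

    @staticmethod
    def _trim(events, now, window):
        """Drop events that fell out of the sliding window."""
        while events and now - events[0][0] > window:
            events.popleft()

    def feed(self, line):
        """Process one log line; return the responses it triggers."""
        ev = parse(line)
        if ev is None:
            return []
        ts, ok, user, ip = ev
        if not ok:
            events = self.failures[user]
            events.append((ts, ip))
            self._trim(events, ts, self.fail_window)
            if len(events) >= self.fail_threshold:      # "this many" = 10 in 5 minutes
                return self._respond("brute_force", user, ts)
        else:
            events = self.sessions[user]
            events.append((ts, ip))
            self._trim(events, ts, self.session_window)
            if len({src for _, src in events}) > 1:      # same user, more than one source
                return self._respond("multi_location", user, ts)
        return []

    def _respond(self, rule, user, ts):
        """Response limiter: the custom action runs at most once per 30 minutes
        per rule, so a burst of failures starts one Safeguarded Copy, not ten."""
        last = self.last_response.get(rule)
        if last is not None and ts - last < self.limiter:
            return []
        self.last_response[rule] = ts
        return [(rule, user, ts)]


def run(lines=SAMPLE_LINES):
    detector = Detector()
    responses = []
    for line in lines:
        responses.extend(detector.feed(line))
    return responses


if __name__ == "__main__":
    for rule, user, ts in run():
        print(f"{ts:%H:%M:%S} {rule:15} user={user}  -> run CSM scheduled task")
```

On the constructed input the detector fires once for oracle at the tenth failure (the eleventh and twelfth are absorbed by the limiter) and once for admin when the second address appears; the postgres line stays below the threshold and the PAM session line is ignored because it carries no authentication result.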
Other QRadar rules summary
This section summarizes the following rules that are defined in IBM QRadar to cover control path use cases:
Admin login detection outside business hours without any valid incident report against storage system (see Figure 45).
Figure 45 Admin log in outside business hours
Same admin login detected from multiple places (see Figure 46).
Figure 46 Same admin logins from multiple locations
Space unmap command detected (see Figure 47).
Figure 47 Specific operating system command execution
Brute force login attack generation
To audit the activities on the Linux host, the rsyslog package was installed and a configuration file (qr_forward.conf) was created in /etc/rsyslog.d. For more information about the contents of the qr_forward.conf file, see “Appendix A” on page 34.
A brute force login attack was generated against the host by using SSH. The multiple failed SSH logins were recorded in the audit log, and the audit log events were forwarded to QRadar by the rsyslog daemon configuration.
After the audit log events reached QRadar, the rules engine identified the threat based on the rule conditions that were defined, and the predefined custom action was run. The Python script was registered as part of the custom action.
The script makes API calls to CSM to run the predefined Scheduled Task with different actions, as described in “Creating a scheduled task to issue Safeguarded Copy backup in CSM” on page 22.
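The custom action script itself, as an added example that is not the blueprint’s GitHub script: a Python client that decodes the base64 CSM_USER and CSM_PASSWD parameters, logs on to CSM, and runs the scheduled task through the CSM REST API. Port 9595 is taken from “Prerequisites”. The following are assumptions that must be checked against the CSM REST API reference for your release: the logon endpoint /CSM/web/system/logon takes form-encoded username and password fields and returns a JSON body with a token field, the token is sent back in an X-Auth-Token header, a task is started with a POST to /CSM/web/sessions/scheduledtasks/runtask/<task id>, and QRadar passes the custom action parameters to the script as positional arguments in the order in which they are defined. The transport function is injectable so that the flow can be exercised without a CSM server.

```python
"""Added example, not the blueprint's GitHub script: a QRadar custom-action
script that logs on to IBM Copy Services Manager and runs a scheduled task
through the CSM REST API. Endpoint paths, the "token" response field, the
X-Auth-Token header and the argument order are assumptions to verify against
the CSM REST API reference; port 9595 comes from the Prerequisites section."""
import base64
import functools
import json
import ssl
import sys
import urllib.parse
import urllib.request

CSM_PORT = 9595


def decode_param(value):
    """QRadar passes CSM_USER and CSM_PASSWD base64-encoded (Figure 34).
    Base64 is an encoding, not protection: anyone who can read the custom
    action definition can recover the credential, so this user should have
    only the CSM rights that running the scheduled task needs."""
    return base64.b64decode(value).decode("utf-8")


def urllib_transport(method, url, headers, body, cafile=None):
    """Real HTTPS transport. CSM ships with a self-signed certificate:
    export it and pass it as cafile instead of disabling verification,
    otherwise the script can be redirected and the credential captured."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read()


class CsmClient:
    def __init__(self, host, user, password, transport=urllib_transport):
        self.base = f"https://{host}:{CSM_PORT}/CSM/web"
        self.user, self.password = user, password
        self.token = None
        self.transport = transport  # injectable so the flow is testable offline

    def logon(self):
        # Assumed: POST /system/logon with form fields username/password
        # returns {"token": "..."} on success.
        body = urllib.parse.urlencode(
            {"username": self.user, "password": self.password}).encode()
        status, data = self.transport(
            "POST", f"{self.base}/system/logon",
            {"Content-Type": "application/x-www-form-urlencoded",
             "Accept": "application/json"}, body)
        if status != 200:
            raise RuntimeError(f"CSM logon failed with HTTP {status}")
        self.token = json.loads(data)["token"]
        return self.token

    def run_task(self, task_id):
        # Assumed: POST /sessions/scheduledtasks/runtask/<id> with the logon
        # token in X-Auth-Token starts the task that the wizard defined.
        if self.token is None:
            self.logon()
        status, data = self.transport(
            "POST", f"{self.base}/sessions/scheduledtasks/runtask/{task_id}",
            {"X-Auth-Token": self.token, "Accept": "application/json"}, None)
        if status != 200:
            raise RuntimeError(f"Running task {task_id} failed with HTTP {status}")
        return json.loads(data)


def trigger_safeguarded_copy(host, user_b64, passwd_b64, task_id,
                             transport=urllib_transport):
    """The whole custom action: decode the parameters, log on, run the task."""
    client = CsmClient(host, decode_param(user_b64), decode_param(passwd_b64),
                       transport)
    return client.run_task(task_id)


if __name__ == "__main__":
    # Assumed argument order, matching the custom action parameter order:
    # <CSM host> <CSM_USER b64> <CSM_PASSWD b64> <task id> [<CSM CA file>]
    host, user_b64, passwd_b64, task_id = sys.argv[1:5]
    cafile = sys.argv[5] if len(sys.argv) > 5 else None
    reply = trigger_safeguarded_copy(
        host, user_b64, passwd_b64, task_id,
        functools.partial(urllib_transport, cafile=cafile))
    print(json.dumps(reply, indent=2))
```

The script deliberately takes the CSM certificate as an optional fifth argument rather than turning off verification: the response limiter in QRadar already keeps the task from being started more than once every 30 minutes, so the remaining risk in this path is the credential, and a script that skips TLS verification would hand it to anyone who can redirect the connection.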
The brute force login case that is described here represents the threat detection from operating system environments. Similarly, the rsyslog configuration can be extended to send application-specific events to QRadar by using the audit logging from applications (database and http).
These events can be categorized and threat detection rules can be defined based on the security compliance matrix that is defined by the organization.
Summary
The solution that is described in this paper shows the integration of IBM QRadar for early threat detection at IBM DS8000 storage and applications that are running on a host. After a threat is detected, the cyber resiliency workflow is triggered. This workflow is used to run a predefined scheduled task in CSM to perform required actions, including DS8000 Safeguarded Copy to create an immutable copy of the data.
The solution can be used as a template to categorize the events that are received from the DS8000 storage system and the application host. Based on the events that are received, threat detection rules can be defined that conform to the security standards in the organization’s compliance matrix.
The sample Python script shows how to use the API interface of CSM to perform specific tasks.
 
Appendix A
This section describes the configuration that was created for the rsyslog daemon on the Linux host simulating database workload.
A configuration file that is specific to the application was created in the /etc/rsyslog.d folder with configuration options that are described next.
The following rsyslog version was used for the configuration that is shown in Figure 48:
rsyslog-8.1911.0-7.el8_4.2.ppc64le
# Config file to forward events to QRadar
# QRadar host: 9.11.221.149, port: 514, TCP

# Read the files with the imfile module and tag each one so that the
# filter at the end can select them by facility.
module(load="imfile" PollingInterval="5")

# /var/log/audit/audit.log (auditd)
input(type="imfile"
      File="/var/log/audit/audit.log"
      Tag="AUDIT"
      Severity="error"
      Facility="local4"
)

# /var/log/secure (sshd, sudo, PAM)
input(type="imfile"
      File="/var/log/secure"
      Tag="AUTH"
      Severity="error"
      Facility="local4"
)

# Forward everything tagged local4 to QRadar over plain TCP syslog.
# Plain TCP is neither encrypted nor authenticated: keep this path on a
# management network, or add StreamDriver="gtls", StreamDriverMode="1" and
# StreamDriverAuthMode="x509/name" to the omfwd action for TLS.
local4.* action(type="omfwd" target="9.11.221.149" port="514" protocol="tcp")
Figure 48 Configuration file
 
Resources
For more information, see the following resources:
IBM DS8000 Safeguarded Copy:
Configuring safeguarded virtual capacity:
IBM QRadar:
IBM Copy Services Manager:
IBM Copy Services Manager User’s Guide:
Scheduled Tasks in Copy Services Manager:
Securing Data on Threat Detection by Using IBM Spectrum Scale and IBM QRadar: An Enhanced Cyber Resiliency Solution:
GitHub link to download the script:
About the Author
Shashank Shingornikar is a Storage Solutions Architect with IBM Systems, ISDL Lab Pune, India, for over 12 years. He has worked extensively with IBM Storage products, such as IBM Spectrum® Virtualize, IBM FlashSystems, and IBM Spectrum Scale building solutions that combine Oracle and Red Hat OpenShift features. Currently, he is working on demonstrating Cyber resilience solutions with IBM QRadar® and IBM Storage Systems. Before joining IBM, Shashank worked in The Netherlands on various high availability, Disaster Recovery, Cluster, and Replication solutions for database technologies, such as Oracle, MSSQL, and MySQL.
Acknowledgments
The author wishes to thank the following IBM’ers for their support on the project:
Julio Cesar Hearnandez
Storage Cyber Resilience
Sandeep Patil
IBM Systems
Randy Blea
IBM CSM
Bryan Rinaldi
Kathy Bonato
IBM DS8000