Install IBM QRadar Community Edition 7.3.3 in ten minutes

After a long wait, the free version of IBM QRadar SIEM is finally available. This edition, called “Community”, contains all the features of QRadar SIEM and requires little memory (it works with just 8 or 10 GB) compared to the at least 24 GB required for a minimal commercial environment. It also includes a license that does not expire and allows you to install all kinds of plugins and applications. It is intended for private use: learning, demos, testing and, fundamentally, the development of applications compatible with QRadar. That is why its capacity is limited to 50 events (logs) per second and 5,000 network packets per minute, which isn’t bad :)

Keep in mind that one of the main drawbacks is that it does not include support for all the devices and environments of the commercial version. If we want to monitor a database or a firewall, we will need to install each of the modules manually.

What are the hardware requirements?

  • Memory: 8 GB RAM, or 10 GB if apps are installed, i.e. a modern laptop can run it.
  • Disk: 250 GB, although our experience tells us that around 30 GB is enough for ephemeral environments. Disk space is consumed as the SIEM stays in use; if virtual machines are created and destroyed for short tests, it does not take that much.
  • CPU: 2 cores, but 4 or 6 would be even better.
  • Network: Internet access, a private network, and FQDN hostname.

How do I install it?

For this version IBM provides a downloadable OVA image from this link. We no longer have to run the installer on a CentOS system we built ourselves, with the usual small bugs to fix, which is appreciated. You just have to create an IBM account, which can be done on the spot and for free. The OVA image can be deployed to VMware, KVM, or VirtualBox.

The installation process is quick and simple as shown in the following video:

After that, you can start exploring and working by following the hints available in the “Getting started guide”.

Once the environment is up and running, you can install applications.

You can even monitor your home network: phones, laptops, home automation systems, etc.

Want to know more about IBM QRadar SIEM?

We offer professional services (consulting, deployment and support) and official and private training. We also prepare you for the official certifications. Contact us without obligation.

What’s new in Red Hat OpenShift Platform 4.3

Last January, Red Hat announced the general availability of Red Hat OpenShift 4.3. As you all know, OpenShift is the most popular and widely used Kubernetes distribution worldwide. While OpenShift has many powerful features for DevOps environments, security is one of the main concerns for users and customers. When we deliver our OpenShift training courses we joke that the rule in this “world” is features first, security later (if it ever arrives). That is why this new release focuses primarily on improving this area, but it also includes improvements in storage and the user interface.

Security

OpenShift 4.3 offers for the first time FIPS (Federal Information Processing Standard) encryption and additional security enhancements for businesses across industries, to help protect sensitive customer data with stronger encryption controls. It also seeks to improve access control monitoring through new features related to role-based access and, in general, user and application authorization control.

On the other hand, you can install the “Quay Container Security” module (a Kubernetes operator), which lets you see the vulnerabilities of your pods.

(Image: OpenShift 4 Quay image security integration)

Storage

This release also coincides with the general availability of Red Hat OpenShift Container Storage 4, which provides greater portability, simplicity, and scale for data-centric Kubernetes workloads. Red Hat OpenShift Container Storage 4 is designed to deliver multi-cloud storage through gateway technologies across providers (Amazon, Google, Azure). This is made possible by the Software Defined Storage (SDS) solution from NooBaa, a company recently acquired by Red Hat. In this way, customers can deploy their services across multiple public clouds while operating from a unified dashboard that covers not only applications but also storage.

User interface

The topology view is an interface designed for developers, allowing them not only to understand the structure of their applications, but also to modify their configuration and even their connectivity with other services directly from the console, as seen in the next image. The topology view has been greatly improved and now shows changes in real time.

It also allows operations such as modifying the connectivity between applications and services, as well as removing them.

Impersonating users

Imagine you are the administrator of a cluster with thousands of users. As soon as you get to work, you will most likely get a ticket in which a developer complains about problems with the console or with some feature of Red Hat OpenShift. Well, since version 4.3 it is possible to impersonate users, that is, to act as the user we choose. Using their roles and specific configuration, we can perform typical troubleshooting tasks much faster and more easily.

Other improvements

Thanks to the Tekton project, in OpenShift version 4.3 users can enable “pipelines” for any application. Once associated, they will appear in the topology view along with their real-time logs. Support for Knative, a serverless Kubernetes technology, is also included for the first time, as a technology preview.

Want to know more?

At Sixe Engineering we have been working with OpenShift since 2013 (version 2.0). We offer professional services and private training. Contact us and tell us what you need.

What’s new in IBM QRadar SIEM version 7.3.3 (about 7.4)

The latest version of IBM QRadar SIEM, 7.3.3, is the pre-release of the expected 7.4, due by the end of the first quarter of 2020. It includes improvements in performance, analyst workflow, product security and, essentially, user experience. The upgrade is simple, using an IBM-provided script that updates the whole deployment from the console.

Here are some elements which, in our opinion, make it worth upgrading to this version while waiting for the long-term 7.4 release in the coming months.

Support for key and value pairs in the DSM editor

Until now, when creating a log source manually, we needed to use regular expressions to extract each of the fields. Starting with version 7.3.3 it is possible to use simple delimiters for key-value attributes. This goes a step further than the improvement to CEF and LEEF event processing in QRadar 7.3.2, which for the first time allowed new properties to be detected automatically. In addition, users with the right permissions can register those “custom properties” directly from the DSM editor, saving time and simplifying the whole process. Finally, an option has been implemented to export the configuration of new log sources from the same editor.
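To make the difference concrete, here is an added example (not QRadar’s own code, and not how the DSM editor is implemented internally) that extracts properties from a constructed key=value firewall-style event in both ways: one hand-written regular expression per field, versus declaring a pair delimiter and a key/value separator and extracting every pair at once. The event text, the field names and the delimiters are all assumptions for the illustration.

```python
import re

# Constructed sample event (not from a real device); note the quoted value
# containing a space, which a naive split on spaces would break.
SAMPLE_EVENT = ('ts=2020-02-10T10:15:02Z src=10.0.0.5 dst=10.0.0.9 dport=443 '
                'action=deny user="j doe" proto=tcp')

# Pre-7.3.3 style: one regular expression per custom property, each written by hand.
# Any field without a pattern (here: ts, dport, proto) is simply never extracted.
FIELD_REGEXES = {
    "src": re.compile(r"\bsrc=(\S+)"),
    "dst": re.compile(r"\bdst=(\S+)"),
    "action": re.compile(r"\baction=(\S+)"),
    "user": re.compile(r'\buser="([^"]*)"'),  # unquoted users would need a second pattern
}


def extract_with_regexes(event):
    """Return only the properties for which a regex was written."""
    found = {}
    for name, rx in FIELD_REGEXES.items():
        match = rx.search(event)
        if match:
            found[name] = match.group(1)
    return found


def extract_key_values(event, pair_delim=" ", kv_sep="="):
    """Split an event into all of its key/value pairs using two simple delimiters.

    Double-quoted values may contain the pair delimiter; the quotes are stripped.
    A token without the key/value separator is ignored rather than raising.
    """
    pairs, token, in_quotes = [], [], False
    for ch in event:
        if ch == '"':
            in_quotes = not in_quotes          # quotes delimit, they are not part of the value
        elif ch == pair_delim and not in_quotes:
            if token:
                pairs.append("".join(token))
                token = []
        else:
            token.append(ch)
    if token:
        pairs.append("".join(token))
    props = {}
    for pair in pairs:
        if kv_sep in pair:
            key, value = pair.split(kv_sep, 1)  # split on the first separator only
            props[key.strip()] = value
    return props


if __name__ == "__main__":
    print("regex:", extract_with_regexes(SAMPLE_EVENT))
    print("key/value:", extract_key_values(SAMPLE_EVENT))
```

The same function works unchanged for other delimiter conventions, e.g. `extract_key_values("src:10.0.0.5;dst:10.0.0.9", pair_delim=";", kv_sep=":")`.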

Flow improvements

Starting with this release, the VXLAN information present in packets sent to QFlow (via Azure vTap, Technocrat, a monitoring card, or a NIC) is extracted and added to the QRadar flow logs.

What’s new in Network Insights

Network Insights has improved the module that inspects RDP connections by detecting the type of encryption used, and has added a module to detect rsh, rexec, and rlogin connections. Another interesting improvement is that from now on all protocols (NFS, POP, SSL, TLS, HTTP, SSH, RDP, etc.) are detected together with their version, as shown in this table.

What awaits us in version 7.4?

The release of QRadar 7.4 is planned for the first quarter of 2020 and will include major improvements. This release will be based on Red Hat Enterprise Linux 7.7. It is expected to support Python 3.x and, as a curiosity, it is not clear whether it will be compatible with Internet Explorer. It is important to note that this is a major update, with changes to the base version of the operating system, which involves additional tasks and additional precautions.

If you serve multiple customers from your SOC and use QRadar, you are in luck. There is plenty of hope that we will finally see significant improvements to the graphical interface, along with a larger update to the Application Framework that provides full multi-tenancy support. However, the applications will have to be updated to be fully compatible. It is known that the UBA development team is already working on an update that uses these functions to segment user behavior data by customer and domain.

In fact, it will be the companies that provide virtual or remote SOC services in multi-client environments that will benefit the most from the new features of version 7.4. In another post we will talk more about this and about how to integrate QRadar into semi-automated incident response environments through different SOAR solutions such as Resilient IRP. The future of SOCs will be to keep integrating tools and automating processes, as has been done for years in distributed environments with the adoption of DevOps and SysOps methodologies.

If you want to know more about this solution, at Sixe we offer training, consulting and technical support services for IBM QRadar SIEM. We also sell, deploy, migrate and integrate QRadar for all types of environments and customers. Contact us if you need our help :)

End of IBM Power6/7 support. Shall we migrate?

If you have AIX, IBM i, or Linux systems running on IBM Power Systems, this article may be of interest to you. IBM ended hardware support for POWER6 machines (released in 2007) at the end of the first quarter of 2019, after more than 12 years. The same will happen with POWER7 at the end of the third quarter of 2019. Details about the servers affected by the end of service are in the following announcement.

How does it affect me?

Many customers still have Power 6 and Power 7 systems running. In general they are all in perfect condition, because it is well known in any data center that a Power system is so well designed and built that, apart from the occasional replacement of disks or power supplies, it is not uncommon for it to reach 10 or 15 years of life. Over the years, it is not unusual to find customers who discover that part of their infrastructure has been running for years on a Power server they did not even know existed :)

Going back to these cases, it is important to plan a transition to the new POWER8 and POWER9 systems, not only to keep manufacturer support but also to save a lot of money. It is not complicated to migrate 10 Power6 systems to an environment with 2 Power9 systems in DR, thanks to PowerVM virtualization and the proper use of LPARs. This applies to systems running IBM i, AIX, and Linux.

Other challenges to face in the coming months are the upgrade of the VIO servers, the operating system, the HMC and the server firmware, in many cases as a step prior to the migration to modern systems.

What options do I have?

At Sixe Ingeniería we know that many companies are not sure what steps to take to ensure a smooth transition that, above all, does not involve significant risks or service interruptions. Costs are also a fairly widespread concern. That is why we have developed several options for customers affected by these end-of-life deadlines. We offer infrastructure services and solutions focused on IBM i, AIX, and Linux. We have a fairly comprehensive portfolio of solutions and services to help you through the process, including designing the new architecture, acquiring the hardware, eliminating or consolidating unnecessary licenses, installing the hardware and configuring the systems, migrating environments, performance tuning and post-project support.

We continue to recommend keeping critical environments on Power, using the operating system that best suits the workloads you run. No other hardware gives you half the years of continued support, and none can offer 99.96% availability.

Contact us for more information

Certified QRadar Analyst SIEM 7.3.2 C0003502 training

Which IBM QRadar SIEM certification shall I choose?

QRadar SIEM is a comprehensive network security management platform that provides policy compliance support and context by combining knowledge of network flows, correlation of security events, and assessment of vulnerabilities in connected systems. For QRadar there are three certifications oriented to different roles within the product, which were updated in July 2019.

IBM Certified Associate Administrator IBM QRadar SIEM V7.3.2

Exam: “IBM Security QRadar SIEM V7.3.2 Fundamental Administration”. Test C1000-026

This is an entry-level certification for system administrators responsible for maintaining QRadar platforms. It evaluates the ability to provide basic support as well as technical knowledge of IBM Security QRadar SIEM V7.3.2, including the implementation and management of the deployment. Administrators should also be familiar with the capabilities of the product. The ability to plan, install, configure, deploy, migrate, update, monitor, and resolve simple issues is measured.

IBM Certified Associate Analyst IBM QRadar SIEM V7.3.2

Exam: “IBM QRadar SIEM V7.3.2 Fundamental Analysis”. Test C1000-018

This entry-level certification is intended for security analysts who want to validate their knowledge of IBM Security QRadar SIEM V7.3.2. Analysts will need to master the basics of networking, security, SIEM and QRadar. It evaluates the ability to use the product correctly (already installed and configured), including the use of the graphical environment for rule management, security incidents, reporting, and correlation of events and network flows.

IBM Certified Deployment Professional – IBM QRadar SIEM V7.3.2

Exam: “IBM QRadar SIEM V7.3.2 Deployment”. Test C1000-018

This is without a doubt the most complex certification of the three. It is primarily aimed at security architects, technical pre-sales staff and those who deliver QRadar professional services for the various IBM Business Partners. These individuals will be responsible for planning, installing, configuring, optimizing performance, tuning, troubleshooting, and managing IBM QRadar SIEM version 7.3.2. It evaluates the ability to complete any task with little or no help from documentation, colleagues or the manufacturer’s support.

Which one to choose?

Our recommendation is to start with the administrator or analyst exam, depending on your role. We have several courses, seminars and intensive workshops that will help you prepare for them. If you know nothing about the product, we recommend you take the official analyst and administrator training, which we also teach.

IMPORTANT: Until September, if you use the HUCSECURE code you will get a 50% discount when you register for the exam.

Critical Vulnerability in Siemens STEP 7 TIA Portal

What happened?

A critical vulnerability has been found in Siemens STEP 7 TIA Portal, one of the most widely used design and automation programs for industrial control systems (ICS) worldwide. Users are urged to confirm that their systems have been upgraded to the latest version.

The critical vulnerability has been discovered by Tenable Research and would allow an attacker to take administrative action.

What’s the attack vector?

Bypassing the authentication mechanism of the TIA Manager server through the Node.js server’s web sockets.

What is the impact on the business?

An attacker could compromise a TIA Portal system and use its access to add malicious code to adjacent industrial control systems. Attackers could also use the access gained through exploiting this vulnerability to steal sensitive data in existing OT configurations to continue progressing and plan attacks targeting critical infrastructure.

In the worst case, a vulnerable TIA Portal system can be used as a springboard in an attack that causes catastrophic damage to OT equipment, disrupts critical operations, or carries out cyber espionage campaigns.

What’s the solution?

Siemens has released an update and security notice for this vulnerability.

Should I be worried?

Modern industrial operations often encompass complex IT and OT infrastructures, which bring new security challenges for critical environments while making cybersecurity threats even more difficult to detect, investigate, and remediate.

Solutions?

OT/ICS/SCADA monitoring and management services have become easier thanks to our solution based on QRadar SIEM and Indegy ICS.