Posts Tagged ‘netflow’
If you missed our February 22nd webinar with Dark Reading, or attended live but still have questions, this is for you. Of course, you can watch the whole event here. During the event, we covered a fair amount of ground, talking through some of the larger attacks of 2011 while noting the varied attack types and motivations that powered them.
Questions started flying when we began talking about security intelligence use cases and strategies to prevent being hacked. We touched on the following use case topics: network activity, application detection and forensic evidence, data leakage, insider fraud, user behavior monitoring, and advanced persistent threats (APT). Network flow activity was the common thread not only across these topics but also in the questions we received. Since these questions came up from attendees across the board, we thought we would share some of the questions and answers with you.
QUESTION: Does network flow capability come with your SIEM? Or is it a separate add-on?
ANSWER: Processing flow records in standard formats such as NetFlow, J-Flow, and sFlow is supported by default. If you want to go deeper than the Layer 4 information these flow technologies provide and reach Layer 7 with content capture, QRadar’s QFlow technology provides that. It can be built into an appliance or, for larger deployments, added as an optional component.
QUESTION: I already monitor NetFlow traffic. How is what you do with flows different?
ANSWER: NetFlow provides useful information such as source and destination IP addresses, source and destination ports, and packet and byte counts. QRadar QFlow’s deep packet inspection identifies traffic up to Layer 7 (the application layer) and also captures content. This means QRadar can identify applications regardless of port (many applications use dynamically allocated ports or tunnel over port 80). For example, QFlow can detect social applications like Facebook, Myspace, and Twitter, as well as port-independent applications like VoIP and BitTorrent, and it can detect traffic on non-standard ports (e.g. SSH over port 5000). With content capture, when a flow session is captured, the header information and a user-specifiable amount of content after it are retained. For example, we can see the name of a file transferred across the network (e.g. customerinfo.doc, creditcard.xls).
QUESTION: Are there some sources that you can’t pull data from in a network? Do we have to manually add in some?
ANSWER: QRadar has the best auto-identification of log sources in the industry and can normalize logs from most major devices automatically. If a device creates logs, QRadar can accept or collect them. If QRadar does not recognize a device’s logs, a straightforward built-in mechanism can be used to create a custom parser.
QUESTION: Do you have any pre-built templates and rules for meeting compliance regulations? Or is scripting required?
ANSWER: QRadar has pre-built compliance templates and reports. Scripting is not required.
If you’re interested in learning more about the value of flows and how to get more out of SIEM, you can watch our on-demand webcast “Getting More out of SIEM: How to Use Flows To Better Detect Threats and Simplify SIEM”. This webcast shows a live demo and talks more about the value of correlating flows.
Have more questions? Need further explanation? Feel free to email us at firstname.lastname@example.org or just post them below.
Welcome to the final part of our “customer use perspective” series, where one of our biggest retail customers talks about using network flow data to add a whole new dimension to their security posture. When we talk about network flow, it’s not limited to the typical formats (NetFlow, J-Flow and sFlow). While standard network flow is useful for establishing a general understanding of network conversations, it doesn’t provide deep visibility into network activity beyond basic characteristics such as IP addresses, ports and transport protocol.
To help fill this gap, there is QRadar QFlow, which provides Layer 7 (application layer) visibility and stateful classification of applications and protocols such as voice over IP (VoIP), social media, ERP, database, and thousands of others. While this information is powerful on its own, it becomes extremely useful when correlated with network and security events as part of a SIEM and log management solution.
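The difference between the Layer 4 view of a standard flow record and the Layer 7 view of content capture, described here and in the webinar Q&A above, is easy to show in code. The following Python is an added example and is not QRadar or Q1 Labs code; the flows, payloads, signatures and the `Flow` class are constructed for illustration, and the signature set is a minimal stand-in for the much larger application library a product like QFlow carries. It classifies each session first by port (all a NetFlow record lets you do) and then by the first bytes of captured content, flags the two disagreeing, pulls filenames out of the captured content, and shows how a capture length that is too short makes the content view fall back to “unknown”.

```python
"""Port-based (Layer 4) vs content-based (Layer 7) application classification.

Added example with constructed sample flows, not real traffic or vendor code.
"""
import re
from dataclasses import dataclass

CAPTURE_BYTES = 64  # assumed default for how much session content is kept


@dataclass
class Flow:
    """Fields a NetFlow/sFlow/J-Flow record gives you, plus an optional
    content capture ('payload') that standard flow export does not carry."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    packets: int
    octets: int
    payload: bytes = b""  # first bytes of the session, if captured


# Layer 4 view: guess the application from the well-known port.
PORT_APPS = {22: "ssh", 80: "http", 443: "https", 5060: "sip", 6881: "bittorrent"}


def classify_by_port(flow: Flow) -> str:
    return PORT_APPS.get(flow.dport, PORT_APPS.get(flow.sport, "unknown"))


# Layer 7 view: match what the session actually says, whatever the port.
SIGNATURES = [
    ("ssh",        re.compile(rb"^SSH-\d\.\d-")),
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("sip",        re.compile(rb"^(INVITE|REGISTER|OPTIONS) sip:")),
    ("tls",        re.compile(rb"^\x16\x03[\x00-\x03]")),
    ("http",       re.compile(rb"^(GET|POST|PUT|HEAD) /\S* HTTP/1\.[01]\r\n")),
]
SOCIAL_HOSTS = ("facebook.com", "twitter.com", "myspace.com")


def classify_by_content(flow: Flow, capture_bytes: int = CAPTURE_BYTES) -> str:
    data = flow.payload[:capture_bytes]  # only the captured prefix is available
    for name, sig in SIGNATURES:
        if sig.match(data):
            if name == "http":
                # Social media rides on plain HTTP; the Host header tells them apart.
                host = re.search(rb"\r\nHost: ([^\r\n]+)", data)
                if host:
                    h = host.group(1).decode(errors="replace").lower()
                    for s in SOCIAL_HOSTS:
                        if h == s or h.endswith("." + s):
                            return "http:" + s.split(".")[0]
            return name
    return "unknown"


FILENAME_RE = re.compile(rb"[\w.-]+\.(?:doc|docx|xls|xlsx|pdf|csv|zip)\b", re.I)


def captured_filenames(flow: Flow, capture_bytes: int = CAPTURE_BYTES) -> list:
    """Filenames visible in the captured content, e.g. a document fetched over HTTP."""
    return [m.decode() for m in FILENAME_RE.findall(flow.payload[:capture_bytes])]


def analyze(flow: Flow) -> dict:
    by_port = classify_by_port(flow)
    by_content = classify_by_content(flow)
    return {
        "port_app": by_port,
        "content_app": by_content,
        # The interesting case: the port says one thing, the content another.
        "port_mismatch": by_content != "unknown" and by_port != by_content.split(":")[0],
        "files": captured_filenames(flow),
    }


# Constructed sample sessions (not captured traffic).
SAMPLE_FLOWS = [
    # SSH on a non-standard port: port 5000 says nothing, the banner does.
    Flow("10.0.0.5", "203.0.113.9", 51234, 5000, "tcp", 40, 6200,
         b"SSH-2.0-OpenSSH_8.9\r\n"),
    # BitTorrent tunnelled over port 80: looks like web traffic at Layer 4.
    Flow("10.0.0.7", "198.51.100.3", 40000, 80, "tcp", 300, 1_500_000,
         b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\xaa" * 20),
    # Ordinary HTTP fetch of a spreadsheet: the filename is in the content.
    Flow("10.0.0.8", "192.0.2.10", 52000, 80, "tcp", 12, 9000,
         b"GET /exports/creditcard.xls HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    # Social media over plain HTTP, identified from the Host header.
    Flow("10.0.0.9", "192.0.2.11", 52001, 80, "tcp", 8, 4000,
         b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"),
    # No content capture at all: only the Layer 4 guess is available.
    Flow("10.0.0.10", "192.0.2.12", 52002, 22, "tcp", 50, 8000),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        r = analyze(f)
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport}  port={r['port_app']:10s} "
              f"content={r['content_app']:14s} mismatch={r['port_mismatch']} files={r['files']}")
```

The `port_mismatch` flag is the kind of condition a correlation rule would key on: SSH on port 5000 and BitTorrent on port 80 both surface only because the content was inspected. The `capture_bytes` parameter shows the trade-off behind the “user-specifiable amount of content” setting: the SSH banner fits in 8 bytes, but a capture of 4 bytes sees only `SSH-` and the flow drops back to “unknown”, while spotting a filename in an HTTP request needs the whole request line.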
Watch the clip to hear how our customer is using QRadar QFlow in their environment:
What can you do with QRadar QFlow?
- Detect zero-day threats through traffic profiling
- Comply with policy and regulatory mandates via deep analysis of application data and protocols
- Monitor social media traffic
- Perform advanced incident analysis via correlation of flow and event data
- Continuously profile assets
Learn more about QRadar QFlow and be sure to listen to the full webcast to hear more about how our customer is utilizing the QRadar Security Intelligence Platform to help meet compliance regulations, centralize logs, correlate network events, and detect anomalies that other solutions might miss.
Over the past two weeks, we have been covering the use case of a Q1 Labs customer in the retail space with a series of blog posts dissecting their experience with QRadar so far. Now that we have a better idea why using a security intelligence solution is important and how to make choosing a SIEM vendor relatively painless, let’s hear from our customer on why they chose Q1 Labs’ QRadar over other vendor solutions.
For starters, here are a few of their reasons:
- Ease of use and simple customization – Different teams (network, DBA, etc.) were able to use QRadar with a very short learning curve: a one-hour training session was more than enough. Views, reports and dashboards can be customized for each group, so each group’s unique needs are easily met.
- Events Per Second (EPS) and scaling – Our customer needed a solution that can scale EPS based on their varying needs. As they monitor larger portions of their infrastructure with QRadar, they expect correlation to perform efficiently no matter the size of the data volume.
- Unique approach to log aggregation and event management – The combination of traditional log events and flow data gives our customer a comprehensive view of their environment, enhancing their ability to detect anomalies and other suspicious activity compared to competing solutions.
In next week’s post, we will hear about their experience setting up and deploying QRadar. But why wait for that if you can watch the whole webcast now?
In an article on infosecurity.com this week, there’s news that as of Oct 1, 2012 Visa is waiving the requirement for US merchants to annually validate their compliance with the PCI Data Security Standard (PCI DSS) – *if* 75% of the merchant’s Visa transactions come from chip-enabled terminals that support both contact and contactless chips.
Part of Visa’s plan to accelerate migration to the new chip technology is to eliminate the need to annually validate PCI compliance, which I think is a bit short-sighted. Here’s some of the “small print” from Visa:
Qualifying merchants must continue to protect sensitive data in their care by ensuring their systems do not store track data, security codes or PINs, and that they continue to adhere to the PCI DSS standards as applicable.
OK, that’s great, but who is enforcing this? In most cases, validation drives compliance, which drives security (or at least budgets). So what will happen when validation goes out the window? While achieving PCI compliance isn’t necessarily the “end-all” solution to security problems, it certainly pushes merchants in the right direction and adds structure to an already hectic environment (considering the frequency of card breaches popping up in the news). According to the 2011 Verizon Breach Report, 89% of organizations that suffered breaches were not validated PCI compliant.
With PCI compliance validation all but off the table, we have to trust that other security measures won’t fall short. How do merchants “ensure” (as Visa states) that they are not storing track data, security codes, PINs and so on? As Gartner’s John Pescatore recently pointed out, “There is a big difference between compliance and security.”
Even though Visa may not be requiring audits for qualifying merchants, it is important to consider the larger security picture beyond just collecting logs. Retailers and other third-party vendors have a responsibility to keep consumer data secure, and to do so, they need a fully featured security intelligence solution to correlate log data, network flows, asset configurations, device & network vulnerabilities, and (internal / external) threat data into one consolidated view, with a goal of exceeding PCI control objectives. Not just to meet Visa’s requirements, but to uphold their duty to protect consumer information. After all, it’s good for business.