Posts Tagged ‘Windows’
Do you ever feel like you’re playing the role of Goldilocks at work? You know the scenario – you’re trying to solve a problem and every solution feels too hot or too cold, too big or too small. You can’t get administrative privileges to implement it, it requires an agent and you can’t install one, the firewall blocks it, or it’s just too expensive.
Windows event collection for SIEM and log management fits right into this category. Windows is pervasive in IT environments, but collecting Windows events can pose challenges for any product that doesn’t run on Windows.
Fortunately, Q1 Labs has been addressing this for years, and with the release of QRadar 7.1, we are offering customers more flexibility than ever to use a wide range of collection APIs, agents, third-party tools and QRadar capabilities – seamlessly integrated and centrally controlled.
Because QRadar is deployed by thousands of customers running diverse IT environments, we’re constantly innovating in Windows event collection, to provide choices that meet your needs. As part of QRadar 7.1, we are pleased to introduce WinCollect, an additional, versatile and scalable QRadar capability for Windows event collection. WinCollect joins existing collection mechanisms, including Q1 Labs’ own ALE solution, third-party approaches (Snare, Adiscon EventReporter, syslog-ng), and native Windows Server capabilities (WMI and Windows event forwarding). With this release, QRadar offers the broadest Windows event collection techniques of any security intelligence product. Most importantly, regardless of which ones you use, the event information looks the same and triggers rules in exactly the same way, for seamless integration and consistent operation.
With more options, QRadar can better meet the needs of different areas of your environment – even if you want to combine collection mechanisms, and even when your requirements change over time.
QRadar now offers the following approaches to meet a variety of customer needs:
- Adaptive Log Exporter (ALE), a no-charge element of the QRadar platform, provides an excellent means to collect Windows events at any level of volume, when an agent can be installed on the target system. An agentless deployment is also popular: ALE runs on one Windows instance and collects events from other servers.
- Third-party agents such as Snare, Adiscon EventReporter and syslog-ng provide similar capabilities, and are often used by QRadar customers when those agents have previously been installed.
- Windows Management Instrumentation (WMI) is a Microsoft-created, agentless approach to event collection using Windows’ built-in interface to query event logs. This is often used by customers who have relatively unimpeded access to WMI on their Windows servers. WMI-based event collection can be administered through the QRadar user interface.
WinCollect provides a new, superior and agentless means for collecting events from large numbers of systems. Installed on a Windows server of the customer’s choice, WinCollect offers two highly scalable approaches:
- Using the Windows Event Log API, it can pull events from target systems and then forward them to QRadar.
- Using Windows event forwarding, it will allow target systems to automatically push events to it and then forward them to QRadar.
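As an added illustration of the push approach listed above (Windows event forwarding), and not code from the original post or from WinCollect itself: a source-initiated subscription created on a collector host with the built-in wecutil tool. The subscription name, the event IDs selected and the use of the Domain Computers group as the allowed forwarders are assumptions for illustration.

```powershell
# Added example: configure a Windows collector to receive Security events
# pushed by domain members via Windows Event Forwarding (WEF).
# Run as Administrator on the collector. Names and event IDs below are
# assumptions for illustration, not WinCollect's own configuration.

# 1. Enable WinRM (the transport WEF uses) and the Windows Event Collector service.
winrm quickconfig -q
wecutil qc /q

# 2. Define a source-initiated subscription: forwarders connect to this host
#    and push logon successes/failures (4624/4625) and audit-log clears (1102).
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wet/Subscription">
  <SubscriptionId>Security-Logons</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Push logon and audit-clear events to the collector</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="60000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=1102)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL: allow all Domain Computers (DC) to act as forwarders -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
'@
$path = Join-Path $env:TEMP 'Security-Logons.xml'
Set-Content -Path $path -Value $subscription -Encoding UTF8
wecutil cs $path

# 3. Check the subscription's runtime status and, once forwarders check in,
#    inspect what has arrived in the ForwardedEvents log.
wecutil gr Security-Logons
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 |
  Select-Object TimeCreated, Id, MachineName, Message
```

Forwarders still need the "Configure target Subscription Manager" Group Policy setting pointing at this collector, and their Network Service account must be granted read access to the Security log before events flow. A collector such as the WinCollect host can then forward the contents of ForwardedEvents onward to QRadar.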
WinCollect administration is fully integrated into the QRadar user interface, enabling centralized and granular control of Windows event collection across a large estate of Windows servers. Even better, it can be used in combination with any of the other event collection mechanisms – for “mix and match” flexibility.
We understand Windows servers comprise a key component of our clients’ infrastructures and we’re designing QRadar to be the most flexible solution in the marketplace. When it comes to enterprise technology, it’s rare for one size to fit all, the porridge to be just right, and the bed to be comfy too.
We recently held a webcast with SANS, featuring a major Q1 Labs customer who is a well-known luxury brand in the retail space. They have been relying on the QRadar Security Intelligence Platform to help them tackle compliance regulations, gain visibility into network devices and system logs, display packet level detail, and provide powerful reporting capabilities.
Let’s rewind a bit and discover why they need a SIEM.
PCI compliance is a driving factor since they are a publicly traded company and host payment information. Beyond that, the reason they need a SIEM is the diversity and size of their network. Their infrastructure comprises multiple flavors of UNIX (including HP-UX and IBM AIX), Red Hat Linux, and Windows servers, with network devices from Cisco, Check Point (firewalls), SolarWinds, and Airwave.
With over 500 stores, a corporate network, and a retail network, they faced a challenge of continuously monitoring for threats and suspicious activities. It was clear to them that simply reviewing logs on a periodic basis was not enough. They needed a SIEM solution to help uncover anomalies on their network in real time.
Of course, you don’t have to wait for each part of this series to be released – watch the full webcast now. In the next part of the series, we will see why selecting a SIEM vendor is not an easy process.
Horizontally, organizations are challenged with many of the same IT security issues and concerns; yet vertically, there are security challenges that are specific to their market.
And so it goes in the higher education market, which views its set of IT security challenges from a unique perspective. Typically, colleges and universities struggle to add the resources that larger, commercial organizations have to solve their IT challenges. Additionally, higher education must comply with regulations and provide a secure infrastructure in an open environment, a unique and daunting challenge.
Recently, we presented a webinar to help articulate to the market how our QRadar Security Intelligence solutions can help solve the IT security and compliance challenges that higher education institutions face.
Webinar presenters included Patricia Patria, the Chief Information Security Administrator with Bentley University, and Doug Atkinson, Security Engineer with Liberty University. Patricia spoke to some of the broader topics on the minds of IT security folks, while Doug presented a case study that illustrated in depth how Liberty University was able to effectively gain more visibility into their security operations.
Patricia outlined the following “Top Five” issues that colleges and universities struggle with relative to protecting business assets:
• Distributed environments
• Many users with multiple levels of access
• Meeting compliance standards regularly
• Shift from protecting systems to protecting data
• Understanding threat vectors and educating users on those threats
Doug illustrated what Liberty’s requirements were in the selection process of QRadar, which started with the need to detect offenses in-process or that have already happened, including IT incidents and security incidents. They also required the ability to analyze system usage and performance, forensic analysis to aid investigations, as well as comprehensive auditing capabilities for regulatory compliance and the need to improve overall business processes.
Liberty’s checklist for performance requirements was as follows:
• Require minimal modification of current logs to make them suitable for centralized collection
• Collect log data from heterogeneous systems to preserve original logs, prevent tampering and protect/encrypt data over the network
• Minimize traffic load on the network
• Normalize log data to exploitable format
• Provide secure storage
• Provide log analysis tools for search, analysis and reporting
• Provide incident correlation to alert and respond appropriately
In selecting QRadar, Liberty University highly valued QRadar’s unique capabilities in Network Behavior Anomaly Detection (NBAD), and its log search and correlation capabilities. They leveraged the collection capabilities of the Windows Adaptive Log Exporter (ALE), which covered all of the sources they needed to collect. And lastly, they felt QRadar’s user interface was intuitive and capable, and they were equally impressed by Q1 Labs’ support and sales professionals.
We are very fortunate to have high-profile customers across a variety of vertical markets and industries that are eager to speak about the benefits of QRadar, as well as our exceptional sales and support. Q1 Labs is dedicated to helping our higher education customers solve their complex IT and security challenges, and to providing Total Security Intelligence to help them quickly make business-critical decisions.
To watch the webinar, click here for a replay.