Category Archives: Random Thoughts

Clash of the Titans – ArcSight vs QRadar

ArcSight vs QRadar
Continuing with the SIEM posts we have done at Infosecnirvana, this post is a Head to head comparison of the two Industry leading SIEM products in the market – HP ArcSight and IBM QRadar.
Both the products have consistently been in the Gartner Leaders Quadrant. Both HP and IBM took over niche SIEM players and have made themselves relevant in the SIEM market.
We have worked on both the products and feel that this comparison is a good way to start the discussion rolling on features of both the products and how they approach the problem of Security Information & Event Management.
Okay, Let’s get started!!!
ArcSight vs QRadar
Subject ArcSight QRadar
Product Birth Year 2000, ArcSight SIEM came into the market and incidentally this was the only product they have worked on. In 2011 HP bought them Year 2004-2005, Q1 Labs entered into the SIEM market modifying their NBAD platform (QFLOW) and in 2012, IBM bought them.
Logging Format CEF – Common Event Format LEEF – Log Event Extended Format
Underlying DB Oracle till 2012, then combination of MySQL, PSQL etc. Proprietary based on Ariel Data store and probably Ariel Query Language (AQL)
Vendor Support ArcSight supports more than 400 vendors with their CEF certification program QRadar supports more than 250 vendors with their LEEF certification program
Portfolio Log Correlation – HP ArcSight ESM

Log Management – HP ArcSight Logger

Identity Correlation – HP Identity View

Intelligence Feeds – HPRepSM

Threat Detection – HP ArcSight Threat Detector

Response and Action – HP ArcSight TRM

Log Correlation – IBM QRadar Console

Log Management – IBM QRadar Log Manager

Network Forensics – IBM QRadar NBAD (using QFlow)

Intelligence Feeds – IBM X-Force

Vulnerability Management – IBM QRadar VM (with dedicated Scanner)

Response and Action –  IBM QRadar Incident Forensics for Response only

Identity monitoring ArcSight has a separate feature called IdentityView (separate license) to provide the identity perspective of events occurring in ArcSight. It integrates with Identity solutions (AD, Oracle) to keep track of user activity regardless of the account being used. It assigns risk scores to users based on their activity, and can graphically represent this activity and compare it to others with similar roles. QRadar does not have the capability similar to Identity View, however, it does integrate with Identity solution to provide user information in the offenses created.
Network Behavioral Analysis ArcSight does not natively collect flow data however, it can obtain Netflow data from other devices such as routers, etc. The Netflow data provides visibility only up to layer 4 (no application visibility) QRadar due to its origin as a NBAD product has powerful Network Behavioral Analysis (NBAD) capability through its  QFlow appliance (Network Flows data including Layer 7 flows, Jflow, Netflow, IPFIX, SFlow, and Packeteer’s Flow Data Records can be collected and processed). This would allow us to review application and network flows and assess it for anomalous traffic, persistent threats etc.
Vulnerability Management ArcSight can integrate with Vulnerability scanners and gather Scan reports for correlating vulnerability information with the security events collected.  However, it is more of a data aggregator in the case of VM tools. QRadar has a Vulnerability Management product (QVM). This has all the features comparable to ArcSight, however, IBM has upped the ante in this space by including a Scanner in the product that can actively scan hosts if enabled with QVM license. This provides security analysts to gather real time information if they choose to from the same SIEM console.
Dynamic Risk Management ArcSight does not have any risk management capabilities. However, it can integrate with commercial risk management products to provide basic correlation QRadar has a Risk Manager (QRM) product that collects Network configuration information and provides a risk modeling capability to assist in understanding the extent of impact of a configuration change in the network. This is akin to Skybox, Algosec or RedSeal and perform in similar capacity
Log Collection Agent Less – Using Connector Appliance. Logger Appliance can also serve as Log receiversAgent Based – Software Install on Servers for all types of log collection Agent Less – Any QRadar Appliance, Console, All-in-One Combo boxes, Event Collector etc. can collect Logs remotelyAgent Based – Connector software available for Windows. For others, Agentless is the only option.Flow Collection – By default any appliance can collect flow data, however, dedicated Flow Collectors are an option in QRadar.
Log Management Separate Log Management Software, Appliance which is different from the ESM appliance. They have a Express version which combines both but in general HP Logger fills the space of a dedicated Log Management appliance Same software, same appliance can behave as all in one SIEM + Log Manager or dedicated Log Manager or SIEM depending on License added. There is no distinct product differentiation as in ArcSight family.
Event Transmission Events from the source are sent in clear text to the SmartConnectors, however, all further upstream communication happens encrypted. Compression and Aggregation can also be employed in the ArcSight ecosystem from the connectors onwards. Events from the source are sent in clear text, however, communication between QRadar Appliances happen using encrypted SSH tunnels. However, compression happens on Appliance at event storage level and does not happen in event transit.
Handling EPS bursts ArcSight uses large buffers to cache events in case of an EPS burst. Once the buffer is filled, the Queue starts to fill. Once the queue overflows, events get dropped. But the burst EPS can be sustained for longer periods of time compared to QRadar. In QRadar, Each event type has a memory buffer, once the EPS exceed the licensed level and the buffer is filled, all new events are queued and processed on a best effort basis. However, this burst EPS is not sustainable for longer periods of time as with ArcSight. So even though it can take burst EPS during times of attack, it is not sustainable.
Filtering ArcSight provides the ability to filter or modify events at the collection and logging level to eliminate the events that are not of security value. This can be as close to event source as possible using SmartConnectors QRadar provides capability to filter using Routing rules. However, for field based filtering (where only one field from the log needs to be omitted during parsing) can’t be done in QRadar.
Aggregation Log Aggregation can be done based on any field combination. This is really useful when it comes to toning down on the high volume logs of network firewalls and proxies etc. Log Aggregation or Coalescing in QRadar terminology happens at the event collection layer based on the source IP and user only and not on customizable field combinations
Data obfuscation ArcSight allows for obfuscating any field at the log collection level using SmartConnectors. This is very powerful when monitoring confidential data in logs. QRadar does provide Obfuscation abilities using a custom Regex Based, Key Based Obfuscation config. This will allow for encrypting a field, based on the Regex Match when event is processed.
Custom Log Collection Require development of customized configuration files. However, ArcSight Flex Connector SDK is  a very powerful tool to build custom connectors and parsers. Also, the ArcSight community shares knowledge about custom connectors and hence more help available in case you want to develop on your own. QRadar has two parts of custom log collection capability. For supported logs or generic logs, it can update/develop parsers using the “Extract Custom Property” feature. However, if a new log source is to be integrated, then it is through customized configuration files which is much harder to create, test and maintain. Also, help to develop on your own is scarce so Professional services is mandatory.
Scalability ArcSight is really scalable such that it can support multi-tier Correlation Engines, multi-tier Loggers, Connectors etc. and also have effective peering. QRadar scales very well horizontally at the Log Collection layer, however at the Correlation layer it does not scale as well as ArcSight. This is a challenge in large and distributed environments.
High Availability One of the long standing issues of ArcSight is HA. It does not have a true HA capability. It supports failover routing at the Collection layer but does not have any thing at the correlation layer. QRadar has the most simple to setup HA configuration ever. This allows sync of two Appliances in true HA style.
Multi-Tenancy ArcSight has always been the SIEM product of choice for MSSP vendors. The main reason being the ability of the product to delineate events based on customers so that monitoring can be efficiently  performed in a MSSP environment. It maps IP addresses to customer names and network zones to avoid overlap. QRadar did not have the feature until recently (I think v7.2 and above) and was one of the reasons it had very poor Multi-Tenancy support. However, the new feature with “Domain” based categorization provides ability to support MSSP environments. Maturity is yet to be achieved but it’s a step in the right direction.
Out-of-the-box use cases ArcSight’s out-of-the-box use cases are very light compared to and only include limited Multi-Device/Event correlation use cases. QRadar comes with a comprehensive set of basic out-of-the-box use cases for various threat types  such as malware, recon, dos, authentication and access control, etc. Also, several of these use cases are Multi-Device/Event types.
Customizable dashboards and reports ArcSight reporting system includes over 350 standard report templates that address common compliance and risk requirements. The report design system is similar to what you would find in a BI solution, though not as complex. Support for charts and graphs is available, and templates can be customized through Velocity. Reports can be scheduled and distributed automatically by e-mail. QRadar provides over 2000 report templates relevant to specific roles, devices, compliance regulations and vertical industries. Only basic report customization is available. However, if advanced report customization is required, QRadar reporting seems limited. However, majority of the customers using QRadar are happy with the out-of-the box reports.
Case management ArcSight has a built-in case management system that allows the association of events to cases, limited workflow, and the ability to launch investigation tools (anything that can run from a command-line) directly from the console. Cases can contain analyst notes and customizable fields. QRadar  provides a rudimentary case management capability through its Offense Management. Offense Management provides basic features such as open, close, assign, and add notes. Additional events cannot be added to Offenses. This is in stark contrast to ArcSight which has full blown case management system built in.
User portal ArcSight requires a java client to provide most of its functionality, but also provides a web interface primarily for business users. Provides all functionalities for security event monitoring and threat content development through web based GUI
User licenses Individual console licenses should be purchased for each user to perform investigation/monitoring Additional user licenses are not required to be purchased
Pricing Pricing is based on number of log sources and total log size per day Pricing is based on EPS. Linear incremental cost for scaling the solution is based on tier based EPS licensing.
Updates:
This section is for posting differences based on reader feedback. So readers, feel free to add on.

Pattern Discovery

ArcSight has something called a Threat Detector tool. It basically runs a set of search queries on real time data and provides patterns detected. If interesting monitoring patterns are detected, they can quickly be converted to Use Cases. This is basically useful if you want to create new use cases and you don’t know where to start

QRadar does not have anything similar to Pattern discovery.

Compliance

ArcSight has compliance packages that can be purchased to aid in providing compliance specific alerting, reporting etc. However, these are priced separately.

QRadar has more than 2000 reports grouped based on Compliance requirement which should mostly satisfy compliance needs

I think the list can still be improved based on your feedback.  Please feel free to add them in the  comments section below and the feedback will be incorporated.
Until next time – Ciao!!!

Cloud Computing & Security – 101

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources like networks, servers, storage, applications, and services that can be rapidly provisioned and released with minimal management effort or service provider interaction”.

Source: The NIST Definition of Cloud Computing, Version 15, 10-7-09, National Institute of Standards and Technology, Information Technology Laboratory

Cloud computing is the new mantra in most of the organizations but is Cloud computing new? Personally, I believe it has been there ever since Internet email has been available. Yahoo, Hotmail, AOL etc. in their heydays were a basic cloud computing model. However, the evolution of cloud computing has taken root only in the last few years what with storage becoming cheaper and Internet access exploding globally. Now they are able to support  Enterprise applications and business processes out of the cloud environment.

The lure of cloud computing and the benefits it brings is illustrated in the graphic below.

Cloud Computing

 Security Risks in Cloud Computing:

As with any new shift in computing methods, even Cloud computing has it’s share of risks. Some of the key risks of Cloud Computing are listed down below:

Risks Implications
Geography Given various countries and various regulatory authorities, controls for supporting appropriate cross border data views and use must be maintained
Defining ownership, custodianship, processing & use rights and obligations Clearly establish rights and obligations associated with data assets. Often rights and obligations are dependent on the physical location of the data owner, custodian and user. Designing and implementing effective controls to support appropriate rights and obligations may be complex
Multi-tenancy In a multi-tenant cloud environment,users may access shared resources, possibly gaining unauthorized access to other tenants. This may have less risk in a private cloud, but more risk in a public cloud
Security If one of the cloud servers get compromised, will it lead to compromise of the other servers in the shared infrastructure? Public cloud may have an increased attack surface compared to the private cloud, however, any compromise .
Data Loss On transient systems, a cloud vendor provider instance failure may lead to permanent loss of system information including system configuration and data stored locally. The concept of a “disposable” server also adds to the risk of loss of data and system information.

 

Tackling the Security Risks:

Based on the risks listed above, the various controls that can be considered in tackling them are listed below:

Privacy and data protection
  • Establishing Data ownership across organizational data
  • Managing access rights based on data classification
  • Implementing data storage and retention policies at the cloud vendor
Security incident response
  • Managing incident investigations in a virtualized environment
  • Limiting incident spill over to multiple cloud tenants
  • Handling complicated troubleshooting due to continuous
    environment changes or elasticity
Access control
  • Access controls for cloud management interfaces
  • Access controls for segregation of duties
  • Due diligence prior to assignment of access privileges
Vulnerability management
  • Managing virtualization induced vulnerabilities
  • Ensuring timely security patches
  • Adequate vulnerability testing of cloud components
Data Leakage or Loss
  • Ensuring adequate controls on transit systems to prevent data leakage
  • Adequate change control to migrate data when instance change happens
  • Security tools to detect & prevent such threats
Virtualization
  • Proper security controls over virtual servers and applications could stop multiple security incidents across the organization
  • Secure virtual storage could act as excellent risk control for reducing impact of storage compromises and data theft

 

Conclusion:

Cloud computing is here to stay and it is important that we understand the security risks and some potential controls that can be implemented when moving to cloud. This post is a primer to what Cloud computing is and what are the various security challenges presented by it.  Let me know your thoughts on this

SIEM Product Comparison – 101

SIEM Product Comparison – 101 

Please refer to the SIEM Comparison 2016 for the latest comparison.

We at Infosecnirvana.com have done several posts on SIEM. After the Dummies Guide on SIEM, we are following it up with a SIEM Product Comparison – 101 deck. So, here it is for your viewing pleasure. Let me know what you think by posting your comments below. The key products compared here are based on Gartner Magic Q which is what Organizations typically use to select SIEM vendors. The Vendors mentioned here in the deck are :

1. HP ArcSight

2. McAfee Nitro

3. IBM QRadar

4. Splunk SIEM

5. RSA Security Analytic

6. LogRhythm.

If you need any other Vendor evaluation on the parameters mentioned in the deck, please do let us know and we can post them for your use.