IBM Security Systems
QRadar Open Mic Webcast #7 – January 28, 2015
Let’s talk about assets in QRadar
Panelists
• Dwight Spencer – Principal Solutions Architect & Co-founder of Q1 Labs
• Adam Frank – Principal Solutions Architect
• Brad Morris – Technical Lead for QRadar Assets and Reference Sets
• Chris Collins – Team Lead, QRadar Integration Services and Maintenance
• Michael Jewett – Software developer for Level 3 engineering
• Jonathan Pechta – Support Technical Writer
• Mark Wright – QRadar L2 Support Manager
Reminder: You must dial in to the phone conference to listen to the
panelists. The webcast does not include audio.
USA: 866-803-2145
Canada: 866-845-8496
Participant passcode: 9348947
Slides and global dial-in numbers: http://bit.ly/IBMoepnmicQR7doc
NOTICE: By participating in this call, you give your irrevocable consent to IBM to record any
statements that you may make during the call, as well as to IBM's use of such recording in any and all
media, including for video postings on YouTube. If you object, please do not connect to this call.
© 2014 IBM Corporation
Why is asset data important?
The ability to identify assets and understand how they are being used in
your network is critical to security.
This means not just detecting devices, but building a dataset of historical
information about assets and being able to track asset information
across your network as it changes.
The goal of asset profiles is to bring all the information known
about the assets in your network and update the data as new
information is provided to QRadar. This allows administrators to
more effectively report on, search, audit, and leverage rules to
identify threats, vulnerabilities, and asset usage with relevant data.
Sources of asset information
The following sources provide QRadar with asset information:
• Identity events - Common event sources for identity data:
Operating system events (Windows, Linux, Mac, UNIX)
DHCP events (routers, switches)
Identity management systems
Authentication events (access points)
Firewalls with VPN services
• Vulnerability scans – either active scans or scan imports add new
assets discovered based on the CIDR ranges defined during the
scan.
• Importing asset information from the Assets tab (IP, Name, Weight,
and description).
• DNS lookups
• Flow data (bi-directional) provides host profile information for IP
address, port information, and applications. Server discovery
leverages this information along with scan data to group servers into
building blocks that can be leveraged later on in rules.
Asset reconciliation (how assets are updated)
Assets are assigned a unique identifier, which the system uses to
determine whether new data should update (merge into) an existing asset
or whether a new asset needs to be created. The asset profiler uses specific
“identity” fields to perform the reconciliation.
Asset reconciliation uses multiple identity keys to answer one question:
“Which asset is the owner of this data?”
The asset profiler prioritizes asset identity in the following order when multiple
pieces of information are provided:
1. MAC Address (most deterministic)
2. NetBIOS Hostname
3. DNS Hostname
4. IP Address (least deterministic)
Asset reconciliation (continued)
Asset reconciliation allows QRadar to provide ongoing relevant asset data
and track history of an asset for more detailed auditing.
A basic example of asset reconciliation:
1. Examine the identifiers in the update against the database of
existing assets and look for a match.
2. If the update contains a known MAC, NetBIOS, or DNS hostname,
update the matching asset and populate any new values or new information
that the update provides.
3. If the only matching value is an IP address, the match is decided by
comparing the other information in the update with what is already known
about the candidate IP-matching asset in the database.
4. If neither 2 nor 3 produces a match, a brand new asset is
created to hold the information provided in the asset update.
Assets, merging, and deviant asset growth
This might prompt you to ask: “What happens when data for an update
matches more than one asset? Such as an update containing a NetBIOS
name and a MAC address.”
Answer: In these cases, QRadar compares the data held by the two
assets and, depending on how the asset identifiers match, an
asset merge might occur.
Merging is the process whereby the contents of one asset are absorbed
by another asset under the presumption that they are actually the same
physical asset.
Systems that can cause aggressive merging of asset information are
devices that generate data with matching asset identifiers.
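The reconciliation steps and the merge behaviour described above, as an added example in Python; this is not QRadar code, and the class names, the `growth_threshold` stand-in for the retention cleanup agent, and the identity updates fed to `demo()` are all constructed for the example. Each update is matched against the existing assets in MAC > NetBIOS > DNS > IP order, an IP-only match is rejected when a stronger field in the update contradicts the candidate, an update that hits two assets through different identifiers merges them, and a central syslog proxy reporting every forwarded host's IP under its own hostname shows how one asset can accumulate identifiers until it trips a deviant growth notice.

```python
from dataclasses import dataclass, field

# Identity fields in decreasing order of how deterministic they are.
PRIORITY = ("mac", "netbios", "dns", "ip")


@dataclass
class Asset:
    asset_id: int
    mac: set = field(default_factory=set)
    netbios: set = field(default_factory=set)
    dns: set = field(default_factory=set)
    ip: set = field(default_factory=set)
    merged_from: list = field(default_factory=list)

    def ids(self, key):
        return getattr(self, key)


class AssetModel:
    def __init__(self, growth_threshold=25):
        self.assets = {}                              # asset_id -> Asset
        self.next_id = 1
        self.growth_threshold = growth_threshold      # assumed stand-in for the retention agent
        self.notifications = []                       # (asset_id, field) deviant growth notices

    def reconcile(self, update):
        """Apply one identity update ({field: value}) and return the owning asset."""
        hits = []   # (priority rank, asset) for every identifier in the update that matches
        for rank, key in enumerate(PRIORITY):
            if key in update:
                hits += [(rank, a) for a in self.assets.values() if update[key] in a.ids(key)]
        if not hits:
            target = self._create()                   # step 4: nothing matched
        else:
            hits.sort(key=lambda h: h[0])
            rank, target = hits[0]
            if PRIORITY[rank] == "ip" and not self._consistent(target, update):
                target = self._create()               # step 3: IP-only match contradicted
            else:
                for _, other in hits:                 # same update hit two assets: merge them
                    if other is not target and other.asset_id in self.assets:
                        self._merge(target, other)
        for key, value in update.items():             # step 2: populate new values
            target.ids(key).add(value)
        self._check_growth(target)
        return target

    def _consistent(self, asset, update):
        """An IP-only candidate is rejected if a stronger field in the update
        contradicts a value the candidate already holds for that field."""
        for key in ("mac", "netbios", "dns"):
            if key in update and asset.ids(key) and update[key] not in asset.ids(key):
                return False
        return True

    def _create(self):
        asset = Asset(self.next_id)
        self.assets[asset.asset_id] = asset
        self.next_id += 1
        return asset

    def _merge(self, target, other):
        for key in PRIORITY:
            target.ids(key).update(other.ids(key))
        target.merged_from.append(other.asset_id)
        del self.assets[other.asset_id]

    def _check_growth(self, asset):
        for key in PRIORITY:
            notice = (asset.asset_id, key)
            if len(asset.ids(key)) >= self.growth_threshold and notice not in self.notifications:
                self.notifications.append(notice)


def demo():
    """Constructed identity updates exercising each reconciliation path."""
    model = AssetModel(growth_threshold=5)
    laptop = model.reconcile({"mac": "00:11:22:33:44:55", "ip": "10.0.0.5"})      # DHCP lease
    model.reconcile({"netbios": "LAPTOP01", "ip": "10.0.0.5"})                     # logon: IP match, consistent
    other = model.reconcile({"mac": "66:77:88:99:aa:bb", "ip": "10.0.0.5"})       # lease reused: IP match contradicted
    model.reconcile({"netbios": "LAPTOP01", "ip": "10.0.0.9"})                     # NetBIOS match: second IP
    stale = model.reconcile({"dns": "laptop01.corp.example", "ip": "10.0.0.77"})  # scan import: new asset
    merged = model.reconcile({"mac": "00:11:22:33:44:55",
                              "dns": "laptop01.corp.example"})                     # ties laptop and stale: merge
    for i in range(6):   # syslog proxy: its own hostname with every forwarded host's IP
        proxy = model.reconcile({"netbios": "SYSLOG01", "ip": f"10.0.1.{i}"})
    return model, laptop, other, stale, merged, proxy


if __name__ == "__main__":
    model, *_ = demo()
    for asset in model.assets.values():
        print(asset)
    print("deviant growth:", model.notifications)
```

The real profiler's deviant growth notification is driven by update volume outpacing retention cleanup rather than a fixed count; the threshold here only makes the accumulation visible in a short run.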
Assets, merging, and deviant asset growth (continued)
For example,
Central Syslog servers acting as an event proxy
Virtual machines (VMs)
Pre-install or automated installation environments
Non-unique hostnames (iPhone)
VPNs with shared MAC addresses
LSXs where the identity field is ‘OverrideAndAlwaysSend=true’
This can lead to a single asset with a large number of IP addresses, MAC
addresses, or hostnames and trigger a deviant asset growth notification.
Deviant asset growth is a notification generated for users when the number
of updates being generated outpaces the retention cleanup agent. The best
way to avoid these notifications is to:
1. Update the asset profiler retention values
2. Add identity exclusions
3. Manage reference sets for asset blacklists or exclusion rules
4. Ensure DSMs are updated
Admin tab > Asset Profile Configuration
Methods for reducing deviant asset growth from the Asset Profile
Configuration screen.
Adjust the length of retention based on the asset identity data that is
being merged.
For example, if multiple IP addresses are merging under an asset,
change the ‘Asset IP Retention’ from 120 days to a lower value, such as
90 days.
NOTE: Asset retention cleanup never removes the last hostname value
for an asset, even if the data is beyond the retention period.
Identity exclusion
To combat systems where single assets can be populated with extremely
large numbers of similar asset identifiers (IP addresses, hostnames, MAC
addresses), identity exclusion was added.
Identity exclusion allows users to filter out specific identity events so that
they do not contribute to deviant asset growth.
To enable an identity exclusion:
1. Click the Log Activity tab.
2. Create a search to locate the information to be excluded.
3. Click Search, then save the search criteria.
4. Click the Admin tab > Asset Profile Configuration > Manage Identity
Exclusion, and add the search to the list.
NOTE: Editing the saved search automatically updates the exclusion list.
Asset reconciliation exclusion rules
Reconciliation exclusion allows users to define rules that prevent
noisy asset updates from being applied to the asset profile by
automatically updating a reference set blacklist.
The idea is that when a rule is triggered, instead of updating an
asset with suspect data, the asset information is automatically
added to a reference set blacklist. The update to the asset profile is
not made and the change is discarded.
Asset reconciliation exclusion (continued)
For example:
Rule: AssetExclusion: Exclude DNS Name By IP
Rule behavior: When at least 3 events are seen with the same
Identity Host Name and different Identity IP in 2 hour(s), add the
hostname (DNS Name) to the 'Asset Reconciliation DNS Blacklist'
reference set.
Tuning advice:
1. Review ‘Admin > Reference Set Management’ to see how many elements
have been added to a blacklist.
2. Tune out false positives (too many blacklisted values) by either
increasing the number of events required or lowering the time limit for the
rule trigger (or disabling IP-based rules). In environments where people hop
networks often, it is not unusual to set 10 events in 1 hour.
3. For too few blacklisted values, lower the number of events required to
trigger the rule or increase the time limit.
Reference sets for asset exclusion
Another option available to administrators is to manually populate a
reference set blacklist or whitelist with data.
If a situation occurs where a single identity value needs to be excluded, then
a whitelist can be easier to add than an identity exclusion.
When the system identifies a blacklist match, it checks the whitelist to see if
the value exists. If yes, the change is reconciled and the asset is updated.
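The three exclusion mechanisms on the preceding slides (identity exclusion, the 'Exclude DNS Name By IP' reconciliation exclusion rule, and the blacklist/whitelist reference-set check) modelled as a single filter in front of a toy asset profile, as an added Python example that is not QRadar code. The event records and timestamps are constructed; the saved search for identity exclusion is reduced to a username set, and the rule's "at least N events with the same hostname and different IP in a window" is implemented as N distinct IPs for one hostname inside a sliding window. The `min_events` and `window_s` parameters are the two tuning knobs from the advice above.

```python
from collections import defaultdict, deque

# Stand-in for the saved search: Identity Username is any of ...
IDENTITY_EXCLUSION_USERNAMES = {"Anonymous logon"}


class ExcludeDnsNameByIp:
    """Reconciliation exclusion rule: min_events distinct Identity IPs for the
    same hostname inside window_s seconds trip the rule."""

    def __init__(self, min_events=3, window_s=2 * 3600):
        self.min_events = min_events
        self.window_s = window_s
        self.seen = defaultdict(deque)   # hostname -> deque of (ts, ip)

    def observe(self, ts, hostname, ip):
        q = self.seen[hostname]
        q.append((ts, ip))
        while q and ts - q[0][0] > self.window_s:   # age out events beyond the window
            q.popleft()
        return len({seen_ip for _, seen_ip in q}) >= self.min_events


class Profiler:
    def __init__(self, rule, whitelist=()):
        self.rule = rule
        self.dns_blacklist = set()            # 'Asset Reconciliation DNS Blacklist'
        self.dns_whitelist = set(whitelist)   # manually populated whitelist reference set
        self.assets = defaultdict(set)        # hostname -> IPs (toy asset profile)
        self.discarded = []                   # (reason, event)

    def process(self, event):
        """Return True if the event updated the asset profile."""
        # 1. Identity exclusion: the event never reaches the profiler.
        if event["username"] in IDENTITY_EXCLUSION_USERNAMES:
            self.discarded.append(("identity exclusion", event))
            return False
        host, ip = event["hostname"], event["ip"]
        # 2. Rule response: add the hostname to the blacklist reference set.
        if self.rule.observe(event["ts"], host, ip):
            self.dns_blacklist.add(host)
        # 3. A blacklist match is overridden by a whitelist match.
        if host in self.dns_blacklist and host not in self.dns_whitelist:
            self.discarded.append(("blacklist", event))
            return False
        self.assets[host].add(ip)
        return True


EVENTS = [  # constructed identity events: (ts seconds, hostname, identity IP, username)
    (0,    "iphone",  "10.1.0.10", "alice"),
    (600,  "iphone",  "10.1.0.11", "bob"),
    (1200, "iphone",  "10.1.0.12", "carol"),     # 3rd distinct IP in 2 h: blacklisted, update dropped
    (1800, "iphone",  "10.1.0.13", "dave"),      # still blacklisted
    (0,    "dc01",    "10.1.0.5",  "Anonymous logon"),   # dropped by identity exclusion
    (100,  "dc01",    "10.1.0.5",  "svc-backup"),
    (0,    "vpn-gw",  "10.2.0.1",  "erin"),
    (300,  "vpn-gw",  "10.2.0.2",  "frank"),
    (900,  "vpn-gw",  "10.2.0.3",  "grace"),     # trips the rule but is whitelisted
    (0,    "laptop7", "10.3.0.1",  "heidi"),
    (3600, "laptop7", "10.3.0.2",  "heidi"),
    (7500, "laptop7", "10.3.0.3",  "heidi"),     # first event aged out: rule not tripped
]


def demo(min_events=3, window_s=2 * 3600):
    profiler = Profiler(ExcludeDnsNameByIp(min_events, window_s), whitelist={"vpn-gw"})
    for ts, host, ip, user in EVENTS:   # processed in arrival order
        profiler.process({"ts": ts, "hostname": host, "ip": ip, "username": user})
    return profiler


if __name__ == "__main__":
    p = demo()
    print("blacklist:", sorted(p.dns_blacklist))
    print("assets:", dict(p.assets))
    print("discarded:", [(reason, e["hostname"]) for reason, e in p.discarded])
```

Running `demo(min_events=10, window_s=3600)` applies the tuning from item 2 above: none of the sample hostnames reach ten distinct IPs in an hour, so nothing is blacklisted and every non-excluded update is applied.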
Did you know?
Did you know that there is a script that can be leveraged to update the
asset model using a CSV file for QRadar?
This update_asset.py script allows customers to update their asset
model using a CSV file. This script could be useful when first
configuring QRadar assets to make updates for IP address, Technical
Owner, Location, or Description information.
This script never creates assets; it only updates existing entries in the
asset profile. If an IP exists in the CSV file but not in the asset profile,
the script does not import that row.
The script is available on the GitHub page for IBM Security Intelligence:
https://github.com/ibm-security-intelligence/
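An added Python example of the contract described above (update existing assets from a CSV by IP, never create new ones); it is not IBM's update_asset.py, and the column names, the in-memory asset model, and the sample CSV are assumptions constructed for the example. Rows whose IP is malformed or not already in the model are reported as skipped, and empty cells leave the existing value untouched so a partial spreadsheet does not blank out fields.

```python
import csv
import io
import ipaddress

# Columns the example accepts; the real script's column names are not
# documented on this page, so these are assumptions.
UPDATABLE_FIELDS = ("technical_owner", "location", "description")


def apply_csv_updates(csv_text, asset_model):
    """Apply rows of csv_text to asset_model ({ip: {field: value}}) in place.

    Returns (updated_ips, skipped) where skipped is a list of (ip, reason).
    Unknown IPs are skipped, never created; empty cells keep the old value."""
    updated, skipped = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = (row.get("ip") or "").strip()
        try:
            ip = str(ipaddress.ip_address(ip))   # normalise and reject junk
        except ValueError:
            skipped.append((ip, "not an IP address"))
            continue
        if ip not in asset_model:
            skipped.append((ip, "no existing asset"))
            continue
        for name in UPDATABLE_FIELDS:
            value = (row.get(name) or "").strip()
            if value:
                asset_model[ip][name] = value
        updated.append(ip)
    return updated, skipped


SAMPLE_CSV = """ip,technical_owner,location,description
10.0.0.5,alice@example.com,DC1-Rack3,Payroll web server
10.0.0.9,,DC2-Rack1,
192.0.2.44,bob@example.com,Remote,Not in the asset model
not-an-ip,carol@example.com,,
"""


def demo():
    model = {   # constructed stand-in for the existing asset profile
        "10.0.0.5": {"technical_owner": "", "location": "", "description": ""},
        "10.0.0.9": {"technical_owner": "ops@example.com", "location": "", "description": "DNS"},
    }
    updated, skipped = apply_csv_updates(SAMPLE_CSV, model)
    return model, updated, skipped


if __name__ == "__main__":
    model, updated, skipped = demo()
    print("updated:", updated)
    print("skipped:", skipped)
    print(model)
```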
Questions
Advanced questions: part 1
The first questions addressed by the panelists are those that were asked in
advance in the QRadar Customer forum.
Q1. What determines the name of an asset?
Asset names are assigned in the following order: Given name,
followed by NetBIOS name, DNS name, then IP address.
Q2. When I look at the asset profile, why do I see assets where all
other information is blank?
In these cases, the asset retention has likely expired and removed
data that is older than 120 days.
Q3: Is there a method for whitelisting IP addresses based on CIDR
or network definition?
No, at this time whitelisting assets is a manual process. Review
why specific IP addresses are being blacklisted in the first place.
Advanced questions: part 2
Q4. Can we delete assets and start fresh? What if I want to partially
delete some assets, but keep others?
Yes, there is a script that can be used to clean the entire asset
model, but it is not selective. To clean selectively, users should
leverage searches, then delete from the user interface.
Note: This queues the asset for deletion, but it might take some time for the action
to occur.
Q5. Is there a way to hard code asset names to IPs that have been
blacklisted?
Yes, add the IP to the whitelist, then edit the asset and provide
name information for the asset.
Advanced questions: part 3
Q7. Why when I do an asset export, do I see 0.0.0.0?
In most cases, 0.0.0.0 represents a placeholder for null or N/A fields
that do not contain IP address information.
Q8. Is there a good method to ensure that I’m not updating assets
related to service accounts / automated services?
Yes, a good way to exclude asset profile updates for service
accounts is to create a search where ‘Identity Username’ + ‘Is Any
Of’ + ‘Anonymous logon’. Make sure this is a real-time search for
the time frame. Save the search and add the search to the Identity
Exclusion list.
(Admin tab > Asset Profile Configuration > Manage Identity
Exclusion > Add your anonymous logon search.)
Questions for the panel?
Now is your opportunity to ask questions of our
panelists.
To ask a question now:
1. Type your question into the chat window.
2. When prompted by the operator, you can press *1 to ask a question
over the phone.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only,
and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or
otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or
representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of
IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM
operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market
opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other
IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other
company, product, or service names may be trademarks or service marks of others.