Over the last few years I've been pushing a data-centric security focus. Traditional security has always been perimeter-based, and as the perimeter changes with BYOD and cloud, this approach has been struggling with how to secure that hardened perimeter. I think a large part of that is because inside the network is chaotic and data is fast moving.
However there are real advantages to identifying, classifying and securing data. I see more clients trying to mine internal data for business growth and secure data for competitive advantage. But since this group is QRadar focused I'm going to quickly touch on a couple of tools that can help and how they can improve QRadar's visibility.
Obviously Guardium offers a lot with structured data. Anyone who has QRadar has probably had a couple of sales pitches about the entire IBM portfolio (I'll leave links anyway). But I want to point out that one of the first things we do when setting up QRadar is define a network to identify critical systems. What makes systems critical is the idea they might have sensitive data on them. Yet we hardly ever take it to the next step to identify the data, even though we know insider threat from stolen credentials or unauthorized access is a huge problem.
The first line from IBM's QRadar / Guardium page points out a huge advantage in that we can define a two-way integration.
This subtly points out another concern I've seen with SIEMs in general. Businesses need to act on alerts and need help doing so. Acting on alerts at the network level is difficult: closing ports is too heavy-handed, and blocking IP addresses is easy to get around. Reacting at the user level, at the data access level, is defendable from a security policy and granular enough to be effective. The QRadar and Guardium solution leverages the QRTrigger framework for actions in response to security events, adding users to groups so that security policies can take effect immediately.
That still leaves a lot of data in unstructured formats. Varonis is a tool I've started working with more. It's a tool for managing unstructured data. It has tools to classify data, monitor access and user behavior on files (again I'll include links). While I don't have an easy two-way integration, Varonis does offer a QRadar app and watch lists. A watch list makes it easier to keep an eye on suspicious users and devices and facilitates actions. I'm working on using QRadar to update Varonis watch lists or pulling watch lists into reference sets to inform QRadar rules. Varonis also has the ability to coalesce Active Directory logs into security events and forward those to QRadar. This brings up the idea that, paired with a QRadar data node, I can send AD events to be queried and reported on without subtracting from my event licensing while sending time-sensitive events into QRadar's rule engine. Classifying data and finding suspicious users based on activity in the network and on the file system holds tremendous promise.
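To make the "watch list into a reference set" idea concrete, here is an added example of what the glue between the two products could look like. It is not Varonis's or IBM's code and is not part of the original post: the CSV column layout is a constructed stand-in for whatever export the watch list actually produces, the console hostname and token are placeholders, and the reference set is assumed to already exist in QRadar (the bulk_load endpoint loads values into an existing set). The identity normalization is the part worth getting right, since a rule that tests a username against a reference set only fires when both sides use the same form.

```python
import csv
import io
import json
import urllib.parse
import urllib.request

# Constructed sample of a watch-list export. The column layout is an
# assumption for this example, not a real Varonis export format.
SAMPLE_WATCH_LIST_CSV = """user,reason,added
CORP\\jsmith,Mass file deletion,2020-01-10
corp\\JSMITH,Mass file deletion,2020-01-10
CORP\\svc_backup,Off-hours access to HR share,2020-01-11
,blank row should be skipped,2020-01-12
CORP\\mlee,Ransomware-like rename pattern,2020-01-12
"""


def normalize_user(raw):
    """Reduce 'DOMAIN\\user' or 'user@domain' to a lowercase bare username so
    the same identity never lands in the reference set twice and so it matches
    the username field QRadar parses out of Windows/AD events."""
    user = raw.strip()
    if "\\" in user:
        user = user.rsplit("\\", 1)[1]
    if "@" in user:
        user = user.split("@", 1)[0]
    return user.lower()


def parse_watch_list(csv_text):
    """Return the unique, normalized usernames from a watch-list CSV export,
    preserving first-seen order and dropping blank rows."""
    users = []
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = normalize_user(row.get("user") or "")
        if not user or user in seen:
            continue
        seen.add(user)
        users.append(user)
    return users


def new_entries(watch_list_users, existing_reference_set):
    """Only users not already present in the QRadar reference set need to be
    sent; this keeps a scheduled sync idempotent."""
    existing = {normalize_user(u) for u in existing_reference_set}
    return [u for u in watch_list_users if u not in existing]


def build_bulk_load_request(console, token, set_name, values):
    """Build the QRadar REST call POST /api/reference_data/sets/bulk_load/{name}
    with a JSON array body, authenticated with the SEC (authorized service
    token) header. Returns (url, headers, body) so it can be inspected or sent."""
    url = "https://%s/api/reference_data/sets/bulk_load/%s" % (
        console, urllib.parse.quote(set_name, safe=""))
    headers = {
        "SEC": token,
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    body = json.dumps(values).encode("utf-8")
    return url, headers, body


def push_watch_list(console, token, set_name, values, opener=urllib.request.urlopen):
    """Send the bulk load. urllib verifies the console's TLS certificate by
    default; 'opener' is injectable so the call can be exercised without a
    live console."""
    url, headers, body = build_bulk_load_request(console, token, set_name, values)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with opener(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Placeholder console/token; replace with a real host and an authorized
    # service token scoped to reference data only.
    users = parse_watch_list(SAMPLE_WATCH_LIST_CSV)
    pending = new_entries(users, ["CORP\\jsmith"])  # pretend jsmith is already loaded
    url, headers, body = build_bulk_load_request(
        "qradar.example", "<service-token>", "Varonis Watch List", pending)
    print("Would POST", url, "with body", body.decode("utf-8"))
```

The `new_entries` step is what makes this safe to run from cron: re-running the sync after the watch list changes only adds what is missing, and the same normalization applied on the reference-set side means a QRadar rule such as "username is contained in Varonis Watch List" matches regardless of whether the source event carried `CORP\jsmith`, `jsmith@corp`, or `JSMITH`.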
Please share your experience with these or similar approaches. I'm working on a blog schedule and guest speakers for future meetings; feedback in the forums or on posts will go a long way to help.
I'd really like to hear what others are doing to get data visibility. I've had it come up several times around ransomware and insider threats. I'd also like to explore low-cost and native storage reporting tools, so if anyone has thoughts or experience there that would be great.
https://www.varonis.com/
https://www.ibm.com/security/data-security/guardium