Hi Amir,
Having some form of watchdog process is no bad thing.
At the same time, installing applications or running untested processes can affect both the real-time performance and also void support or other warranty.
If I was asked, I'd not recommend going down this path. I'd suggest that the management requestor may not fully understand the implications of a "run this everywhere" approach.
It needs a bit of thought as treating everything the same when environment and architecture of the end points are not the same has pitfalls. Would this be done on a mainframe or a proprietary telephony system for example?
Do check with your IBM support contact on warranty. Worst case is that it has to be uninstalled for each ticket raised for any defect. Judging by the docs on Microsoft.com, that will probably need a reboot each time, which would of course lead to event loss while that happens.
Instead, put other security controls in place. E.g. put the EC(s) into a secure zone or DMZ, use well understood Linux/OS integrity checking applications like AIDE to monitor for tampering, and have a tripwire-like tool or similar.
Above all, I'd recommend explaining what is being asked for and the implications - it feels like the requestor may not have a complete understanding of the implications of the policy.
Good luck!
------------------------------
Darren H.
------------------------------
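The integrity-checking control suggested above (AIDE or a tripwire-like tool) works by recording a baseline of file digests and metadata and later comparing the live filesystem against it. The script below is an added illustration of that baseline-and-compare approach; it is not part of the original post, not QRadar code and not AIDE itself (which additionally covers ownership, extended attributes, ACLs and a much richer rule language). The directory layout and file contents in demo() are constructed for the example, and the function names (build_baseline, compare, save_baseline, load_baseline, demo) are the example's own.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Stream the file through a hash so large collector binaries are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record digest, size and permission bits for every regular file under root.

    Symlinks are skipped rather than followed, so a link pointing outside the
    monitored tree cannot pull unrelated files into the baseline. Modification
    time is deliberately not recorded: an attacker can reset it, the digest
    cannot be faked without changing the content.
    """
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare(baseline, current):
    """Return the files that were added, removed or changed since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save_baseline(baseline, path):
    # In production the baseline belongs somewhere the host cannot rewrite it
    # (read-only media or an off-box store); a baseline the attacker can edit
    # proves nothing.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "collector").write_bytes(b"#!/bin/sh\necho collecting\n")
        (root / "etc").mkdir()
        (root / "etc" / "collector.conf").write_text("port=514\n")

        baseline = build_baseline(root)
        save_baseline(baseline, root / "baseline.json")

        # Simulated tampering: binary replaced, config deleted, new file dropped.
        (root / "bin" / "collector").write_bytes(b"#!/bin/sh\necho evil\n")
        (root / "etc" / "collector.conf").unlink()
        (root / "etc" / "backdoor.conf").write_text("x\n")

        current = build_baseline(root)
        current.pop("baseline.json", None)  # the db itself is not monitored here
        return compare(load_baseline(root / "baseline.json"), current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the three buckets (added, removed, changed) for the constructed scenario. The same shape is what an AIDE report gives you, which is why such a check can be scheduled from cron and fed back into the SIEM as an event without installing an agent that IBM has not tested on the appliance.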
Original Message:
Sent: Tue January 19, 2021 03:44 AM
From: Amir Perlson
Subject: Installing Microsoft Defender ATP on QRadar EC
Hi, management at one of our Event Collector locations has decided to install Microsoft Defender ATP on all machines. I know IBM generally says not to install any third party software, but management is intent on using Defender ATP as a security measure office-wide. Any advice on this would be appreciated.
------------------------------
Amir Perlson
------------------------------