How to monitor Hybrid-Cloud?
Estimated reading time: 5 minutes
Infrastructures are changing drastically. They exist on premise and in the [multi-]cloud at the same time. Monitoring your infrastructure means adapting your monitoring to different architectures, partially controlled environment, etc.
We know it, the monitoring of physical assets is a real challenge, because having an exhaustive inventory is the first problem administrators are facing, especially with Bring Your Own Device, wild servers or routers, etc. Virtual devices are easier to list as they are all located at the same place, but identifying their role, their legitimacy, the users accessing them, and controlling their deployment becomes a new challenge.
The IBM Security QRadar Hybrid Cloud Security Content Extension is meant to help you deal with these moving infrastructures and understand how they’re being managed.
In this blog we are going to answer the following “How can I” questions with some scenarios included in the content pack.
How can I:
- Fight VM sprawl?
- Monitor my virtualized security devices?
- Monitor suspicious privilege escalations?
- Monitor suspicious policy management?
Scenarios Highlight
How can I fight VM sprawl?
Building a new machine has become a really easy task with virtualization - two clicks and it’s done. Whether it comes from your administrators, or from an attacker, the creation of an abnormal number of machines can cost a lot and become a security concern.
The IBM Security QRadar Hybrid Cloud Security Content Extension includes two ways to detect when the situation is going out of control.
The Virtualization – Machine Creation Report generates a daily overview of the number of machines that have been created over the last 24 hours. It also reports on the number of machines that have been created per user, allowing to catch if a user has created more machines than they should, or if a new user appears in the list.
The Suspicious Number of Virtual Machines Created Rule is meant to alert in case a user is creating a lot of machines in a short period of time, which could reveal an attacker trying to combine computing capacity to execute their activity.
Apply Suspicious Number of Virtual Machines Created on events which are detected by the Local system
and when an event matches any of the following BB:DeviceDefinition: Virtualization, BB:DeviceDefinition: Cloud
and when an event matches any of the following BB:CategoryDefinition: Virtual Machine Created
and when at least 200 events are seen with the same Username and different Machine ID (custom) in 30 minutes |
Prerequisite: Adapt the threshold to what is acceptable for your company.
How can I monitor my virtualized security devices?
Powering off a machine is not abnormal. Powering off multiple machines that appear to be IDS, SIEM components, firewalls, or the antivirus console, is more concerning.
How far could an attacker go if they had access to the hypervisor and turns off the devices that are responsible of the security of your infrastructure?
The Multiple Virtual Security Devices Powered Off within Short Period of Time Rule ensures you to get alerted if a problem occurs with these devices
Apply Multiple Virtual Security Devices Powered Off within Short Period of Time on events which are detected by the Local system
and when an event matches any of the following BB:DeviceDefinition: Cloud, BB:DeviceDefinition: Virtualization
and when an event matches any of the following BB:CategoryDefinition: Virtual Machine Stopped
and when any of Machine ID (custom) are contained in any of Security Devices - AlphaNumeric (Ignore Case)
and when at least 3 events are seen with the same Event Name, Username and different Machine ID (custom) in 45 minutes |
Prerequisite: Add the Machine ID (name/ID depending on your environment) of your security devices to the Security Devices Reference Set.
After 3 machines are being powered down by the same user, an offense will be created, no matter if it happens on AWS, Azure or VMware, the rule will trigger.
How can I monitor suspicious privilege escalations?
Let’s be realistic, attackers are not going to notify when they manage to create a new role and escalate their privileges, so creating a list of users or roles we want to monitor would be worthless.
The solution proposed by IBM Security QRadar Hybrid Cloud Security Content Extension is to establish a list of roles that are considered low risk, and feed automatically a reference set with the list of users that are not assigned one of these roles.
The Low Privilege Role Names Reference Set has been prepopulated with default Azure and VMware low privilege roles (read rights).
The User Changed to High Privilege Role and User Changed to Low Privilege Role Rules are meant to manage that list of users.
Apply User Changed to High Privilege Role on events which are detected by the Local system
and when an event matches any of the following BB:DeviceDefinition: Cloud
and when an event matches any of the following BB:CategoryDefinition: User Role Assign Events
and NOT when any of Role Name (custom) are contained in any of Low Privilege Role Names - AlphaNumeric (Ignore Case)
and when the event matches ((LOGSOURCETYPENAME(devicetype) IN ('Microsoft Azure Platform','Microsoft Azure Security Center','Microsoft Azure Active Directory')) AND "Object ID" is null) OR ("Rule Name"='BB:DeviceDefinition: Cloud' AND (LOGSOURCETYPENAME(devicetype) NOT IN ('Microsoft Azure Platform','Microsoft Azure Security Center','Microsoft Azure Active Directory'))) AQL filter query |
Prerequisite: Populate the Low Privilege Role Names Reference Set with the list of low risk profiles.
The rule User Changed to High Privilege Role is adding the username associated to the high risk role to the Users with High Privilege Role Names Reference Set as a response.
Include the Users with High Privilege Role Names Reference Set when you configure rules in which you want to monitor user actions that could have a great impact on your environment.
The High Privilege User Performing Suspicious Actions Rule includes that Reference Set as a filter and is used to increase the magnitude of offenses when another rule from the content pack is triggered by a superuser.
How can I monitor suspicious policy management?
In AWS, a legitimate administrator would certainly have permissions to manage policies, such as "iam:SetDefaultPolicyVersion" or "iam:CreatePolicyVersion", which is also the kind of rights an attacker would be looking for.
And what if the administrator account is the target of credential exfiltration?
It is almost impossible to tell if the action is legitimate or not with just that one log reporting a policy change.
The question then is “How can I ensure the monitoring of my policies and reduce the false positives generation without using a list of usernames?”
To answer this question, the IBM Security QRadar Hybrid Cloud Security Content Extension proposes to implement correlation between various administrative tasks and suspicious activity executed by the same user.
The creation of a policy in AWS would be detected by the BB:BehaviorDefinition: Default Policy Creation (AWS) Building Block.
Apply BB:BehaviorDefinition: Default Policy Creation (AWS) on events which are detected by the Local system
and when the event(s) were detected by one or more of Amazon AWS CloudTrail
and when the event category for the event is one of the following Authentication.Policy Change
and when the event matches Audit Flags (custom) matches any of expressions (?i)true |
An attacker could gain permissions by reverting the policy version to one that is granting more rights. The change of a policy version would be detected by the BB:BehaviorDefinition: Default Policy Version Modification (AWS) Building Block.
Apply BB:BehaviorDefinition: Default Policy Version Modification (AWS) on events which are detected by the Local system
and when the event(s) were detected by one or more of Amazon AWS CloudTrail
and when the event QID is one of the following (88750943) Set Default Policy Version |
As mentioned earlier, there is no real way to tell if the action is legitimate or not, even from a legitimate username.
The Suspicious Activity Followed by Virtualization Administration Task Rule takes care of the correlation between events to alert when a username is having a suspicious behaviour and frees the QRadar administrator from having to maintain a list of false positive usernames.
Apply Suspicious Activity Followed by Virtualization Administration Task on events which are detected by the Local system
and when BB:BehaviorDefinition: Regular Virtualization Administration match at least 1 times in 10 minutes after any of BB:BehaviorDefinition: Suspicious Virtualization Activities match with the same Username |
Other Use Cases
The IBM Security QRadar Hybrid Cloud Security Content Extension also includes more content such as:
- Credential exfiltration
- MFA bypass
- Suspicious volume management
- Monitoring of Sensitive Virtual Machines status and management.
- Reporting on Office 365 eDiscovery functionality
With its 37 rules, the IBM Security QRadar Hybrid Cloud Security Content Extension offers a good base monitoring and tools allowing customers to extend detection capabilities easily.
Refer to the documentation for the exhaustive list of content included.
This pack can also be superseded with the IBM QRadar Data Exfiltration Content Extension, the IBM QRadar Content Extension for Amazon AWS or the IBM QRadar Content Extension for Azure as an example.
The content pack includes a Pulse dashboard, which can help to have a global overview of your environment.
QRadar configuration
Install the DSM
Download and install the DSM relevant to your environment via Auto-Updates or Fix Central. The Content pack has been optimized to work with AWS, Azure, Office 365 and VMware environment, but can be adapted to any hypervisor.
Install the Content Extensions
Rules
The IBM Security QRadar Hybrid Cloud Security Content Extension is available on the App Exchange.
Properties
The pack contains Custom property definition placeholders. This means that you can copy the Custom Properties provided and adapt them to your environment by adding expressions under that definition. You can also download our sets of Custom Properties.
Let's take the example of the Multiple Security Device Powered Off in a Short period of time Rule.
Apply Multiple Virtual Security Devices Powered Off within Short Period of Time on events which are detected by the Local system
and when an event matches any of the following BB:DeviceDefinition: Cloud, BB:DeviceDefinition: Virtualization
and when an event matches any of the following BB:CategoryDefinition: Virtual Machine Stopped
and when any of Machine ID (custom) are contained in any of Security Devices - AlphaNumeric (Ignore Case)
and when at least 3 events are seen with the same Event Name, Username and different Machine ID (custom) in 45 minutes |
This rule would work the same way for any log source type (including custom types) included in the Cloud or Virtualization building blocks, as long as QRadar parses the Machine ID Custom Property and the Power Off event is classified as either Audit.Virtual Machine Stop Attempt or Audit.Virtual Machine Stop Success.
Custom Property placeholders are meant to be reused to adapt the content to any environment.
Custom Event Properties UI:
DSM Editor:
Monitoring a moving infrastructure might seem like a huge, difficult mountain to climb, but we're here to provide you with ways to make it easier. As with every other content pack that we publish, we invite you to take it as a base, and adapt it to your environment.
Once again, we build content for you. Let us know if you have any suggestions for new use cases.
If you are interested in reading more about QRadar Security Content, you can find the complete list of blog entries here.
#Highlights-home
#Highlights