Effectively Secure your AWS environments with IBM QRadar
Where do I begin?
Tip# 1: Decide on QRadar deployment strategy – selecting a primary home for QRadar
QRadar offers impressive deployment flexibility which enables customers to choose the ideal model to meet their diverse business and security needs. There are 4 primary deployment models that customers can implement to secure resources across the enterprise, including AWS environments: On Premises, Hybrid, Cloud, SaaS
On Premises
QRadar SIEM deployments on-premises are able to collect event and flow logs from AWS applications and services like AWS CloudTrail, Amazon CloudWatch, and Amazon GuardDuty via REST API. With the QRadar Console and Event Processors located in a customer or partner managed datacenter, this deployment can collect security data without external installs.
HybridQRadar also has the ability to extend its deployment footprint into the cloud enabling customers to install virtual QRadar appliances in AWS or other cloud platforms. The AWS Marketplace provides a single-click install method for QRadar customers to bring their own license and deploy QRadar appliances in AWS.
A common scenario is a customer choosing to deploy a single Managed Host appliance, like an Event Collector, in an AWS region to collect service, application, and infrastructure logs. Those logs are compressed, parsed, and coalesced at the source before transferring the data out of AWS and on premises.
There are many different available options for customers to deploy QRadar appliances both on premises and in the cloud for efficient collection of events and network traffic flows from AWS.
CloudQRadar can be virtually deployed on virtual machines running on IaaS cloud platforms like AWS. Cloud-first businesses are able to run an entire QRadar deployment in the cloud or across multiple clouds in an efficient way to provide security across a diverse enterprise. Customers can choose a primary cloud environment or region to run and manage a QRadar Console and position Processors, Collectors, and Data Nodes around the center. You should choose to deploy a Console in the cloud environment and region where most of your data resides.
SaaS – QRadar on CloudQRadar on Cloud delivers the advanced security analytics capabilities of QRadar as a service, hosted on the IBM Cloud. While a dedicated IBM DevOps team operates and manages the Console and Processors, customers are able to either collect AWS logs via REST API or choose to deploy Data Gateway appliances in AWS to collect from external cloud environments. Data Gateway appliances are a supported QRadar Managed Host that can be deployed in AWS via the QRadar listings on the AWS Marketplace. AWS is one of many cloud platforms that QRadar supports and plans to support in the future.
Tip #2: Construct your virtual private clouds (VPC) in AWS
When designing your VPCs, we suggest that you position your QRadar Data Nodes and Event Processors in same subnet as your Console. The goal here is to reduce the layers between QRadar appliances to decrease latencies and operational complexities in your AWS environment.
Tip #3: Implement Multiple VPCs in AWS
If you choose to create more than one VPC in AWS and deploy multiple QRadar Event Collectors in these subnets, we suggest that you implement VPC Peering as the connection path between the ECs.
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. Inter-region VPC peering connections are supported in AWS (AWS source: What is VPC Peering?)
Bonus Tip: For Managed Security Service Providers in AWS
A great way to connect Managed Security Service providers (MSSPs) operating QRadar to their customers is to use VPC Peering to customer operated virtual private cloud subnets.
Additional AWS Resources
AWS VPC Design
AWS VPC Quick Start – Architecture
How do I leverage AWS Identity and Access Management with QRadar?
It is very important to design and continuously enforce security policies in your cloud environments. AWS IAM is a native service that helps customers to protect cloud users and workloads on the Amazon Web Services platform.
AWS Best Practices
- Restrict use of root account
- Access key rotation
- Multi-Factor Authentication
- Develop a least-privilege access model
- Do not share account credentials or access keys
- Use AWS Managed Policies and/or Security Groups to assign permissions to IAM users
- Frequently review IAM permissions
- Enforce strong password policies for users, roles, and resources
- Use IAM Roles for custom apps running on EC2 Instances
- Remove unused or old IAM users/credentials
- Set IAM Policy conditions to protect critical data
- Monitor user activity to identify anomalous activity
Additional AWS Resources
How to Rotate Access Keys for IAM Users
AWS Multi-Factor Authentication
Granting Least Privilege
AWS IAM Managed Policies
How to enforce strong passwords in AWS
Use Roles for Applications that run on Amazon EC2 Instances
Remove Unnecessary Credentials
AWS IAM JSON Policy Elements: Conditions
How do I use AWS VPC Security Groups to harden my QRadar deployment in AWS?
Creating Security Groups essentially implements virtual firewall rules for instances in AWS, including QRadar hosts. When you launch a VPC, you can create up to 5 security groups for a single instance in a subnet. Customers are able to add rules that control the inbound and outbound traffic to AWS instances limiting access to only those IPs that you designate. Network Access Control Lists can also be created to augment security group policies and further enforce access in your AWS accounts.
IBM Point of View
Be as restrictive as possible!
Do not create open internet connections to QRadar hosts
Only open Port 22 and Port 443 but keep both locked down to only whitelisted IP addresses
Using a VPN - if access from dynamic or unknown IP addresses is required, we recommend the use of a VPN rather than allowing direct access from public addresses
Additional AWS Resources
AWS VPC Security Groups
AWS Network ACLs
Network to Amazon VPC Connectivity Options
Contact
Patrick Routh
Offering Manager - QRadar Cloud Security
prouth@us.ibm.com