IBM Security QRadar

10 Tips and Tricks for Securing a Remote Work Force Using QRadar

By Wendy Willner posted Tue April 21, 2020 04:42 PM

Written by Wendy Willner and Sean Duval.

There has been a vast increase in the number of remote workers. This increase in remote workers has led to an increase in user compromises, both from user error and malicious users. These changes in both the threat landscape and network topology can impact QRadar deployments. Below are tips and tricks to make sure your organization is successful in this changing environment.

  1. Log Sources: As the work force has become more remote, the following log sources have become more important for security visibility. Prioritize the ingestion and tuning of these log sources:
    • Firewalls, VPN & Proxy
    • Endpoint Detection and Response
    • Email/Spam Filtering Logs
    • DNS & DHCP Logs
    • Third Party Clouds
    • Cloud Services
    • Cloud Platforms
  2. Collect Flow Data. Network flow traffic doesn't lie. Attackers can stop logging and erase their tracks, but they can't cut off the network traffic. Flows are more important than ever because they show the size and duration of transactions while they are still ongoing. The information flows provide about the network is not available simply by collecting logs from point products.
  3. Update and define IP Addresses in VPN range within the Network Hierarchy. The Network Hierarchy is how QRadar determines if users are in safe locations or are being impersonated. Keeping the Network Hierarchy up to date will minimize false positives.
  4. Search remote to local traffic for data exfiltration. Maintain visibility into unusual patterns of data movement.
  5. Download content packs from X-Force Exchange. The content packs include predefined searches, rules, reference sets, and reports.
  6. Integrate with third-party threat feeds. As the threat vectors are constantly changing due to current events, leverage as many threat feeds as are relevant.
  7. Update to the current version of UBA. Within the most recent version of UBA (v.3.5) the machine learning models are updated hourly. It's important to have UBA leverage the most up to date models.
  8. Refine your UBA rule logic and response limiters. Response limiters are the thresholds that UBA uses to define when to trigger a rule and open an offense. Set the limiter to a lower level of incidence to ensure that UBA offenses are generated at a manageable level.
  9. Update UBA Reference Sets. QRadar uses reference sets to store data in a simple list format. Populate a reference set with external data, such as indicators of compromise (IOCs), or use it to store critical organization data, such as IP addresses and user names collected from the events and flows that occur on the organization's network. A reference set contains unique values that you can use in searches, filters, rule test conditions, and rule responses. For example, create a rule that detects when an employee accesses the organization network from a prohibited geographic location. Configure the rule response to add the employee's IP address or user name to a reference set and notify the SOC team.
  10. Ensure that the proper User Models are turned on within UBA. Important models to consider are Access Activity, Authentication Activity, Data Downloaded, Data Uploaded to Remote Networks, and Outbound Transfer Attempts.
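To make tips 3, 4 and 9 concrete, here is an added Python illustration (not QRadar code and not from the authors) of the logic behind them: a network hierarchy that includes the VPN client pool, flow direction classification into the same L2L/L2R/R2L/R2R labels QRadar uses, a tally of bytes leaving the network per local host, and a rule whose response adds offending hosts to a reference set. The hierarchy, the flow records, the threshold and all function names are constructed for the example; in QRadar the search itself would be an AQL query and the response a rule action.

```python
"""Flow direction, outbound byte tallies and a reference-set rule response.

Added illustration (not QRadar code). Everything below is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed network hierarchy: object name -> CIDR blocks. Any IP inside the
# hierarchy is "local". If the VPN client pool is missing, remote workers are
# classified as external hosts and their traffic produces false positives.
NETWORK_HIERARCHY = {
    "Corporate.LAN": ["10.10.0.0/16"],
    "Corporate.VPN": ["172.16.50.0/24"],   # VPN client address pool (tip 3)
    "Corporate.DMZ": ["192.0.2.0/24"],
}


@dataclass(frozen=True)
class Flow:
    source_ip: str
    destination_ip: str
    source_bytes: int       # bytes sent by the source
    destination_bytes: int  # bytes sent by the destination


def is_local(ip, hierarchy=NETWORK_HIERARCHY):
    """True when the address falls inside any network hierarchy object."""
    addr = ip_address(ip)
    return any(addr in ip_network(cidr) for nets in hierarchy.values() for cidr in nets)


def flow_direction(flow, hierarchy=NETWORK_HIERARCHY):
    """Return L2L, L2R, R2L or R2R (local/remote for source and destination)."""
    src = "L" if is_local(flow.source_ip, hierarchy) else "R"
    dst = "L" if is_local(flow.destination_ip, hierarchy) else "R"
    return f"{src}2{dst}"


def outbound_bytes_per_local_host(flows, hierarchy=NETWORK_HIERARCHY):
    """Sum bytes leaving the network, keyed by the local host that sent them.

    For L2R flows the local host is the source; for R2L flows (a remote host
    opened the connection) the local host is the destination and its reply
    bytes are what leave the network. L2L and R2R flows carry nothing out.
    """
    totals = defaultdict(int)
    for flow in flows:
        direction = flow_direction(flow, hierarchy)
        if direction == "L2R":
            totals[flow.source_ip] += flow.source_bytes
        elif direction == "R2L":
            totals[flow.destination_ip] += flow.destination_bytes
    return dict(totals)


def exfil_rule(flows, threshold_bytes, reference_set, hierarchy=NETWORK_HIERARCHY):
    """Rule: a local host that sends more than threshold_bytes outbound is added
    to the reference set (the rule response) and returned for the SOC to review."""
    offenders = []
    for host, total in outbound_bytes_per_local_host(flows, hierarchy).items():
        if total > threshold_bytes:
            reference_set.add(host)   # reference sets hold unique values, so re-adding is harmless
            offenders.append((host, total))
    return sorted(offenders)


# Constructed flow records (source, destination, source bytes, destination bytes).
SAMPLE_FLOWS = [
    Flow("10.10.4.20", "203.0.113.7", 50_000_000, 20_000),    # LAN host bulk upload, L2R
    Flow("172.16.50.9", "203.0.113.8", 12_000, 900_000),      # VPN user download, L2R
    Flow("172.16.50.9", "10.10.1.5", 800, 4_000),             # VPN user to file server, L2L
    Flow("198.51.100.3", "192.0.2.10", 3_000, 80_000_000),    # remote host pulls from DMZ, R2L
    Flow("198.51.100.3", "203.0.113.9", 100, 100),            # R2R, not our traffic
]

if __name__ == "__main__":
    suspects = set()
    for host, total in exfil_rule(SAMPLE_FLOWS, 10_000_000, suspects):
        print(f"{host} sent {total} bytes outbound")
    print("reference set now:", sorted(suspects))
```

Running the block with the VPN object removed from the hierarchy turns the VPN user's file-server flow into R2L, which is exactly the kind of misclassification tip 3 warns about; with the pool present the same flow is L2L and never counted as outbound.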


Let us know what you think or what other suggestions you might have!
