Global Security Forum


Ask Me Anything for #CyberSecurityAwarenessMonth

  Thread closed by the administrator. It is viewable, but not accepting new replies.


  • 1.  Ask Me Anything for #CyberSecurityAwarenessMonth

    Posted Tue October 15, 2019 09:17 AM
    Edited by Jennifer Tullman-Botzer Wed October 23, 2019 05:21 AM
    No replies, thread closed.

    Good morning IBM Security Community! In honor of Cyber Security Awareness Month in both the United States and Europe, the IBM Security Community is pleased to bring you an exclusive "Ask Me Anything" webinar on October 29th.

    This special session will feature 4 leading experts from different areas of the IBM business:

    • Dimple Ahluwalia, BISO and Vice President of Services Solution Design, IBM Security
    • Chris Barrett, VP, Development, SOAR and IBM Security Cloud, IBM Security
    • Jose Bravo, Security Architect, IBM Global Markets
    • JC Vega, Executive Security Advisor and Cyber Range Coach, IBM Security


    Register now for the Oct. 29th live session, then post your questions for our panelists below in this thread. Please be sure to note which panelist(s) your question is for!

    The content of this webinar will be based around your questions; however, we expect to cover a wide breadth of topics and therefore may not get into too much technical detail. Please ask whatever you want, and if we don't have time to do a deep dive on your topic, we'll be sure to follow up with you after the event concludes. We can't wait to hear all of your fantastic questions, and we look forward to learning what really makes the IBM Security Community tick!





    ------------------------------
    Jennifer Tullman-Botzer
    Digital Strategist
    IBM
    Tel Aviv
    ------------------------------


  • 2.  RE: Ask Me Anything for #CyberSecurityAwarenessMonth

    Posted Wed October 16, 2019 04:18 PM
    I believe this question is for Chris Barrett: Does IBM have any plans to support the full set of Category-1 DoD/DISA STIGs in zSecure Compliance Framework and if so, when might that be available?

    ------------------------------
    Raymond Davey
    ------------------------------



  • 3.  RE: Ask Me Anything for #CyberSecurityAwarenessMonth

    Posted Fri October 18, 2019 06:50 AM
    Thank you for your question. Keep them coming.

    ------------------------------
    Wendy Batten
    Community Manager
    IBM Security
    Cambridge MA
    ------------------------------



  • 4.  RE: Ask Me Anything for #CyberSecurityAwarenessMonth

    Posted Thu October 17, 2019 08:48 AM

    Do you have any plans to make QRadar as a service available to mid-size and small organizations?

    How can I use Watson for any product development/idea implementation?



    ------------------------------
    Fahima Khan
    ------------------------------



  • 5.  RE: Ask Me Anything for #CyberSecurityAwarenessMonth

    Posted Mon October 21, 2019 05:28 AM
    Hello, my question is for Jose Bravo.
    Will the Master Console remain available for future versions of QRadar? If not, what is planned as a replacement?

    ------------------------------
    Famara Attout Bodian
    ------------------------------



  • 6.  RE: Ask Me Anything for #CyberSecurityAwarenessMonth

    Posted Tue October 22, 2019 05:54 AM
    IBM is taking part in CSAW competitions, like https://www.research.ibm.com/haifa/Workshops/CSAW19/index.shtml
    Question to JC Vega: Do we want to build cyber games based on IBM Security products? Like challenges that can be solved with QRadar Community Edition etc.

    ------------------------------
    ODED MARGALIT
    ------------------------------



  • 7.  RE: Ask Me Anything for #CyberSecurityAwarenessMonth

    Posted Tue October 22, 2019 04:31 PM
    Big thanks to all who've posted questions so far!

    Please keep the questions coming, and don't forget to register for the live AMA session on Oct. 29.



    ------------------------------
    Jennifer Tullman-Botzer
    Digital Strategist
    IBM
    Tel Aviv
    ------------------------------



  • 8.  RE: Ask Me Anything for #CyberSecurityAwarenessMonth

    Posted Thu October 24, 2019 09:50 AM
    Hello,
    Is there any strategy to launch some lab demos for QRadar and Resilient on cloud training?
    Thanks

    ------------------------------
    [Larbi] [Belmiloud]
    [Cyber Security]
    [Intervalle Technologies]
    [Algers] [Algeria]
    [+213551193200]
    ------------------------------



  • 9.  RE: Ask Me Anything for #CyberSecurityAwarenessMonth

    Posted Sat October 26, 2019 01:57 PM
    A question posted on LinkedIn:

    I've a seemingly simple question. How does IBM plan on solving the problem of the fresher hiring paradox, especially in the case of recruitment into infosec? As you may know, when recent graduates apply for a role in infosec, most of the time they get asked for experience, usually a minimum of 1 year. And since most companies do this, it's not possible to get experience as well. I know this might sound stupid but this is what I'm facing every single time. Reports say there is a shortage of infosec professionals and yet companies are not willing to give a chance to freshers and train them if they have a spark for it. So how would you like to solve it?



    ------------------------------
    Dimple Ahluwalia
    IBM
    ------------------------------



  • 10.  RE: Ask Me Anything for #CyberSecurityAwarenessMonth

    Posted Sun October 27, 2019 07:38 AM
    Hi All,
    My questions are for Chris Barrett. I have a couple of questions about the Resilient road map, and a couple of technical questions as well.

    • Firstly, about the road map:

    1. Why does IBM not provide technical courses and certification tracks for Resilient?
    2. Will Resilient publish a community edition version?
    3. When will basic features like outbound email be available OOTB?
    4. For best practices of incident handling of the most well-known incident types, why does Resilient not provide OOTB integration use cases associated with the OOTB playbooks? E.g. for phishing, why are email header analysis, attachment analysis and other must-have features not part of the playbook's integrated actions by default?

    • Now, a couple of technical questions:

    1. For LDAP authentication, with LDAP authentication enabled, by default I can see the entire LDAP tree. How can I see only the group that I need to authenticate with?
    2. Why is it not possible to assign a task to a group, only to a user?
    3. Why can we not automate the basic administration tasks, like reporting, backup, etc., and how can we achieve this in the current state?
    4. What is the best practice to escalate an incident between different teams to get some help, review of info or validation, with ownership and view segregation applied?
    5. What is the best practice to automate assignment of incidents while working in a 24*7 SOC?
    6. What is the best practice to calculate KPIs and reflect them in dashboards?
    7. For the OEC, the config app parameters (user names, mails, passwords, etc.) are in clear text. Why can we not save them in variables, like app.config does using res-keyring?
    8. Why is there no documentation for building an integration server in a Windows environment?
    9. What are the recommended Linux distributions for integration servers?


    ------------------------------
    ahmed abushanab
    ------------------------------



  • 11.  RE: Ask Me Anything for #CyberSecurityAwarenessMonth

    Posted Mon October 28, 2019 05:24 AM
    @ahmed abushanab, thank you for all of your great questions! We will be sure to include your roadmap-related questions during tomorrow's AMA webinar, and we'll also try to ask some of your more technical questions. However, in order to ensure you get the best and most detailed answers possible, I recommend that you post your technical questions on the Resilient discussion forum.

    Thanks again!


    ------------------------------
    Jennifer Tullman-Botzer
    Digital Strategist
    IBM
    Tel Aviv
    ------------------------------



  • 12.  RE: Ask Me Anything for #CyberSecurityAwarenessMonth

    Posted Mon October 28, 2019 11:24 AM
    Edited by Sanjay Sutar Mon October 28, 2019 11:26 AM
    Not sure who can answer this,

    1. How does the roadmap look for the IBM ISIM product in future? Is there a plan to replace ISIM with IGI? If yes, what would be the migration path and tools available for this (especially complex policies and workflows in ISIM to equivalent IGI entities)?

    ------------------------------
    Sanjay Sutar
    ------------------------------



  • 13.  RE: Ask Me Anything for #CyberSecurityAwarenessMonth

    Posted Mon October 28, 2019 11:17 AM
    Edited by Roberto Ivars Mon October 28, 2019 11:18 AM

    Hello, my questions are for Jose Bravo.

    I have a couple of technical questions about QRadar:

    - Is there any way to receive Ironport ESA logs in real time? I mean, it's possible via the Log File protocol to retrieve the logs every 15 minutes, but does any possibility exist to do this in real time? (The 'syslog' option from the appliance to QR is not possible.) The DSM Guide says to use the Log File protocol, but we have the problem of the 15 minute delay.

    - I'm trying to find documentation to integrate a SaaS via API, but I have the same problem: how can I receive this in real time? Any recommendation?

    Thanks for the help!!



    ------------------------------
    Roberto Ivars
    ------------------------------



  • 14.  RE: Ask Me Anything for #CyberSecurityAwarenessMonth

    Posted Mon October 28, 2019 11:29 AM
    Hi,

    I am trying to update the value of the LDAP attributes secPwdFailures and secPwdLastFailed by using the UserLookupHelper class from an InfoMap through ISAM AAC. I always get this error: "HPDAA0258E Modification to attribute secPwdFailures is not permitted." I have the same thing working through EAI Java code on the same environment. Can you help me understand what is wrong? The code which I am using is below:

    // ISAM AAC InfoMap rule (Rhino JavaScript). context, Scope, macros and
    // success are provided by the InfoMap runtime; IDMappingExtUtils comes
    // from the trustserver utilities package imported below.
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);
    importPackage(Packages.com.ibm.security.access.scimclient);
    importPackage(Packages.com.ibm.security.access.httpclient);
    importClass(Packages.com.ibm.security.access.user.UserLookupHelper);
    importClass(Packages.com.ibm.security.access.user.User);

    // Username submitted as a request parameter
    var username = context.get(Scope.REQUEST, "urn:ibm:security:asf:request:parameter", "username");

    function secPwdFailures(cibUser) {
        var hlpr = new UserLookupHelper();
        hlpr.init(true);
        var user = hlpr.getUser(cibUser);
        if (user == null) {
            // getUser() returns null when the registry has no such user
            IDMappingExtUtils.traceString("User not found: " + cibUser);
            macros.put("@ERROR_MESSAGE@", "User not found: " + cibUser);
            return false;
        }
        // replaceAttribute() returns false on failure and getErrMessage()
        // then holds the registry's error (here HPDAA0258E)
        var output = user.replaceAttribute("secPwdFailures", "2");
        var error = user.getErrMessage();
        IDMappingExtUtils.traceString("Error Message is " + error);
        macros.put("@ERROR_MESSAGE@", error);
        return output;
    }

    secPwdFailures(username);
    success.setValue(false);

    ------------------------------
    Hossam Shebl
    ------------------------------




  • 15.  RE: Ask Me Anything for #CyberSecurityAwarenessMonth

    Posted Mon November 04, 2019 04:23 AM
    @Hossam Shebl

    Thanks very much for your question. The following answer comes from technical offering manager Adam Case:

    The error message is accurate. The attributes are read-only; attached is the documentation for these attributes:
    https://www.ibm.com/support/knowledgecenter/en/SSPREK_7.0.0/com.ibm.isam.doc_70/ameb_adminjava_guide/concept/con_attr.html

    The only way to update these attributes is through an LDAP call; you can likely write a custom API wrapper around an LDAP call.


    ------------------------------
    Jennifer Tullman-Botzer
    Digital Strategist
    IBM
    Tel Aviv
    ------------------------------



  • 16.  RE: Ask Me Anything for #CyberSecurityAwarenessMonth

    Posted Mon October 28, 2019 11:50 AM
    Hi all,

    I believe this question is for Jose Bravo. Is there currently any way within QRadar to hash the logs coming into the QRadar event processors and console? We have a compliance requirement, namely the possibility of checking whether logs have been tampered with on the way from the log source or WinCollect server to the QRadar instance.

    VinneshR.

    ------------------------------
    Vinnesh Rajaram
    ------------------------------



  • 17.  RE: Ask Me Anything for #CyberSecurityAwarenessMonth

    Posted Mon October 28, 2019 12:21 PM
    Hi,
    I have two questions:

    1- I have a question regarding a compliance issue of one of our clients. He told us that he is required to keep all events (of all log sources) in their original format (raw logs), and he asked us if that is possible in QRadar, since the latter performs coalescing, which causes the loss of all payloads of the coalesced events. We tried to resolve this situation, but the only solution would be to disable coalescing for all log sources. Can we change the default properties for coalescing: QID, source IP, destination IP, destination port, username?
    2- I have another question related to Superflows. We had an issue with the same client regarding Superflow type B (DDoS). Our client has 13000 Internet users and they all connect to the Internet through the enterprise proxy, so when the client displays the Network Activity tab he can see just a few records reflecting the communications between all the 13000 users and the proxy, and when he displays the details of these records he can find up to 2000 source IP addresses (the last line of source IP addresses contains the phrase "Other"), which means that we are losing a lot of information about source IPs. We checked that situation with the client closely and we noticed that the issue is real and we are really losing a lot of information about source IPs. We tried to resolve this situation by increasing the default parameters, but the maximum possible was 10000, so we found that the only solution here is to disable Superflows as we did with event coalescing. The problem is this had a huge impact on our licence. Do you have a solution for me regarding this problem?

    Best Regards

    ------------------------------
    Oussama BENYAHIA
    ------------------------------



  • 18.  RE: Ask Me Anything for #CyberSecurityAwarenessMonth

    Posted Tue October 29, 2019 12:19 AM
    Hello,
    Can you tell me which is the best way to forward McAfee ePolicy Orchestrator to QRadar? Syslog as recommended by McAfee or DSM as proposed by IDM?

    ------------------------------
    Nam Tran Quoc
    ------------------------------



  • 19.  RE: Ask Me Anything for #CyberSecurityAwarenessMonth

    Posted Tue October 29, 2019 12:24 AM
    Hi,
    My question is,
    Why is the MaaS360 Apps catalog not working in IPv6?

    ------------------------------
    mohanraj muthusamy
    ------------------------------



  • 20.  RE: Ask Me Anything for #CyberSecurityAwarenessMonth

    Posted Mon November 04, 2019 01:11 PM
    Hi, @mohanraj muthusamy. I shared your question with the MaaS360 support team and they need more information in order to help you. Please open a support ticket at ibm.com/mysupport and we'll get you the answers you're looking for.

    Thank you!




    ------------------------------
    Jennifer Tullman-Botzer
    Digital Strategist
    IBM
    Tel Aviv
    ------------------------------



  • 21.  RE: Ask Me Anything for #CyberSecurityAwarenessMonth

    Posted Tue October 29, 2019 12:40 AM

    Hi,
    I hope I'm not too late. I was waiting for my colleagues to give me their questions, but I guess my email got lost in their mailboxes.

    So, I have two small questions for Jose about Qradar.

    First, is it possible to ask the developers to leave our host names "as is" when we cluster nodes in HA? Automatically renaming them by adding primary and secondary to their names doesn't respect our naming convention, and it messes up our ticketing system that tries to find the new name in the CMDB, and messes up the whole process.

    Secondly, concerning the appliances, do you have any plans to move on to the new AMD EPYC CPUs, which are way more performant than the Xeons used right now? We've bought some QNI servers, and we're a little disappointed with their performance. We're using 50% of their capacity (on paper), and the load is sky high, and we're having other issues with them. Therefore, resizing the appliances would be a great idea.

    Oh, I almost forgot. Here's a third question. Are there any plans to integrate AWS Kinesis Firehose with QRadar? With our AWS infrastructure growing, using the API to collect this rising quantity of logs will soon be impossible. The big plus with Firehose is that it's scalable. It streams events to QRadar instead of letting it fetch the logs every x minutes from the API. The real strength of QRadar is its real-time analysis capabilities, so we want to take advantage of this by using AWS Firehose to stream logs to QRadar. Is this something on the roadmap already?

    Thanks!



    ------------------------------
    Anthony Gayadeen, Videotron Ltd
    Montreal QC
    ------------------------------



  • 22.  RE: Ask Me Anything for #CyberSecurityAwarenessMonth

    Posted Tue October 29, 2019 03:29 AM

    Hi,

    --Any roadmap for QRadar Community Edition 7.3.2?
    --Using the latest QNI for collecting and parsing flows, I ended up with a lot of false positives.
    SSH: Even some clear-text syslog flows on port 514 ended up marked as SSH. Technical support confirmed this as a bug but told us that such a bug will not be fixed soon.
    Telnet: For your information, Telnet is not a layer 7 protocol. Telnet is a client tool that handshakes a TCP session and lets client and server exchange whatever they want on top of it. I use Telnet as a mail client, a web client and more. QNI identifies LDAP over port 389 as Telnet, as well as basically anything. How do you try to identify what does not exist, so we can work around it without disabling everything?
    --I re-installed my QRadar CE 7.3.1 yesterday and it managed to overload its licence from nothing but its own internal noise (health metrics, information, etc.) before I even added any flow or event source. Is there any way to slow down the monitoring or any other noise source to ease the load on the system? (FYI, at the moment, I was installing a lot of apps, content packs, extensions, etc. More than 20 total. I received a SAR alert about the license.)
    --When populating assets, is there a way to extract services / open ports from event logs? So far, I managed to get them only from flows or VA scanners. Doing it from events would greatly improve the quality of the information associated with assets.
    --As of now, QRadar does not know much about anything open source. A community-based DMS for pfSense has been produced but nothing official, and it is itself limited (nothing about IPsec, system logs, ...). iptables is not recognized either. Apache's format is not recognized if the process name http is absent, so HAProxy's logs are not recognized even when formatted the same way as Apache's. OpenVPN, FreeNAS, Postfix, Dovecot, Unbound and many more are common and used in enterprises, yet have no DSM ready for them. Any plan to increase support for open source projects' log formats?

    Thanks for the information and congrats for your great product.

    A happy professional and personal user of Q-Radar,



    ------------------------------
    Jacques Bourdeau
    ------------------------------



  • 23.  RE: Ask Me Anything for #CyberSecurityAwarenessMonth

    Posted Tue October 29, 2019 06:24 AM
    Hi.
    Jose, what was your path to becoming an IBM Security Architect?
    Do you have plans for moving DataPower to the IBM Security division?
    Is Identity and Access Management one of the top directions inside IBM Security Systems, and do you plan their further development?
    Do you plan to extend the IBM Security Systems business in Russia and open vacancies for experienced people in the IBM Security division who are familiar with IBM Security Systems solutions, not only internships?

    ------------------------------
    Igor Volkov
    ------------------------------



  • 24.  RE: Ask Me Anything for #CyberSecurityAwarenessMonth

    Posted Tue October 29, 2019 08:37 AM
    Edited by Martin Schmitt Tue October 29, 2019 08:38 AM
    Hello,
    I have 2 questions:

    Is there a possibility to receive a list of events on the day they are created? A customer wants to have the list of events that happened from 00:00 am - 10:00 am at 10:00, and then at 03:00 pm the list of events from the same day that came into QRadar from 10:00 am - 03:00 pm. I was not able to configure it as a report because I found only the option to use dates from the past day.

    We are doing scans with QVM. When we do the scan with a /24 network the asset name does not get updated. When we do a scan with the same scan policy but with the host address /32 in the range previously used, the asset name gets updated. What could be the reason for this?

    ------------------------------
    Martin Schmitt
    ------------------------------



  • 25.  RE: Ask Me Anything for #CyberSecurityAwarenessMonth

    Posted Thu October 31, 2019 08:05 AM
    Thank you to everyone who posted questions for our first ever IBM Security 'Ask Me Anything' webinar! We answered as many questions as possible during the live session, and we are in the process of getting the remaining questions answered for you as well.

    If your question is answered publicly on the Community, you'll receive a notification. Otherwise, we'll contact you individually with the information you're looking for.

    Thanks again, and be sure to check out the webinar recording if you missed it earlier this week.


    ------------------------------
    Jennifer Tullman-Botzer
    Digital Strategist
    IBM
    Tel Aviv
    ------------------------------