Tutorial

Block malicious data attacks with IBM Security Guardium and IBM Security QRadar

Monitor and remediate suspicious user activity

By Sudhagar Tiroucamou, Rahul K.P.

When you integrate IBM Security Guardium and IBM Security QRadar, you can effectively monitor suspicious user activity in your databases and take appropriate mitigation action by adding those users to the QRadar reference set.

IBM Security Guardium is a family of data security software in the IBM Security portfolio that protects sensitive on-premises and cloud data. The flagship product in this family is Guardium Data Protection (GDP), which helps organizations to discover, protect, and monitor sensitive data elements and activities and help remediate data violations.

IBM Security QRadar Suite is a modernized threat detection and response solution designed to unify the security analyst experience and accelerate their speed across the full incident lifecycle. QRadar Security Information and Event Management (SIEM) coupled with AI helps you rapidly investigate and prioritize high-fidelity alerts based on credibility, relevance and severity of the risk.

The combination of Guardium and QRadar enables you to continuously monitor suspicious activity using multiple rules, especially if you have implemented IBM QRadar User Behavior Analytics (UBA). You can assign risk levels to user activities using the QRadar Rule, providing security operation center (SOC) analysts with a comprehensive dashboard view of high-risk users in their environment, and enabling analysts to track individual user activity.

Learning objectives

This tutorial will show you how to use IBM Security Guardium and IBM Security QRadar to identify and mitigate against malicious user activity.

Prerequisites

  • IBM Security Guardium V11.5 collector instance, with an RDBMS system (such as MS-SQL Server) reporting to it through an S-TAP agent
  • IBM Security QRadar SIEM V7.5.0 Update Package 4, with a log source configured for Guardium through TCP

Estimated time

Completing this tutorial should take about 20 minutes.

Use case

IBM Guardium Data Protection provides robust features to monitor database activity. For this tutorial, an MS SQL Server database is configured to be monitored by IBM Guardium Data Protection. The security policy is configured in such a way that the policy violation logs are sent to IBM Security QRadar in Log Event Extended Format (LEEF). In QRadar, a log source is configured to receive the logs from Guardium.

For this tutorial, two users are created in the MS SQL system, named normalUser and unauth. The normalUser account represents activity performed by an authorized user or application, and unauth represents a user or activity that is not authorized to perform actions on the identified sensitive data objects.

On receiving the logs, QRadar SIEM will correlate the log events with the defined rules, generating offenses that will promptly alert the SOC analyst. This alert enables them to take immediate action against the user or the source IP, particularly in the case of attacks originating from remote IPs.

Steps

The major steps involved in this configuration are:

  1. Create a TCP remote log-forward configuration in Guardium.
  2. Create a security policy to forward the policy violations in LEEF format.
  3. Enable alerter to poll the logs at regular intervals.
  4. Create a log source for Guardium in QRadar SIEM.
  5. Create rules to identify unauthorized users and activities.
  6. Add the users to a reference set for further monitoring and filtering.
  7. Escalate the offense to a SOAR/ticketing system for remediation.
  8. Create another security policy to block or recertify the user for performing activities on sensitive objects.

Configure IBM Security Guardium

Step 1: Send logs to remote host

  1. You first need to configure Guardium to send logs to a remote host using a TCP log-forward configuration. For details of this step, see Remote loggers in the IBM Security Guardium documentation.

Step 2: Create a security policy

You now need to create a security policy in Guardium to forward the logs to QRadar. The policy generates a policy violation log and sends it to the remote host in LEEF, a format that QRadar can consume.

  1. From the Guardium GUI, go to Protect > Security Policies > Policy Builder for Data. [Image: Security policies menu]
  2. Click the "+" symbol to create a Data Security Policy.
  3. In the Create Policy window, enter a name for the policy and set the category as Access. [Image: Create Policy window]

Step 3: Create the rule criteria for a policy violation

  1. Expand the Rules section to add rules for forwarding the logs. Click on the "+" symbol to create a new rule.
  2. Enter a name for the rule and expand the Rule Criteria to provide the rules.
  3. Specify the Database type as MS SQL SERVER and Database user as normalUser (the authorized user).
  4. Expand the Rule action to add the action. Click the "+" symbol to add an action.
  5. Enter the following information:
    • For the action, select ALERT PER MATCH.
    • For the template, select LEEF.
    • For the Notification Type, select SYSLOG.
  6. Repeat these steps for the UNAUTH user. Use the same rule action, template, and notification type.

Note: You can configure the information to be sent through the message template on the Global Profile page of the Guardium GUI. See the alert message instructions in the Guardium documentation.

Step 4: Deploy and run activity monitoring

When you have created the rules, you can deploy the policy.

  1. Go to Protect > Security Policies > Policy Builder for Data and select your new policy.
  2. Click Install and select Install and Override.

Now the security policy is created and Guardium is monitoring activities.

Step 5: Configure Guardium Alerter

Guardium Alerter must be configured to poll the logs at regular intervals for the data to reach the remote log host. For our tutorial, the remote log host is QRadar.

  1. Go to Setup > Tools and Views > Alerter.
  2. To enable the Alerter, click the Active on Startup checkbox and set the interval to the desired number of seconds.

Next, to generate traffic, open an SQL editor and connect to the MS SQL Server in two sessions, one as normalUser and one as the UNAUTH user. Run some SELECT queries on the sensitive tables in both sessions and watch the logs being forwarded to QRadar.

Configure IBM Security QRadar

To configure IBM Security QRadar, complete the following steps.

Step 1: Configure the log source

  1. In the QRadar dashboard, go to Admin > Log sources.
  2. Click Create new log source.
  3. Complete the configuration fields as follows (refer to the image to see a sample log source configuration):
    • Log Source Type: Guardium
    • Protocol Type: Syslog
    • Log Source Identifier: Hostname or IP address of your IBM Guardium server

Step 2: Map an event

You need to complete event mapping for a number of Guardium events. Due to the customizable nature of policy rules, most events (except for default policy events) do not contain a predefined IBM QRadar Identifier (QID) map to categorize security events.

To map your event, complete the following steps.

  1. Log in to QRadar.
  2. Click the Log Activity tab.
  3. Click Add Filter.
  4. From the first list, select Log Source.
  5. From the Log Source Group list, select the log source group or Other. Note: Log sources that are not assigned to a group are categorized as Other.
  6. From the Log Source list, select your IBM Guardium log source.
  7. Click Add Filter. The Log Activity tab is displayed with a filter for your log source.
  8. From the View list, select Last Hour.

Any events that are generated by the IBM Guardium DSM in the last hour are displayed. Events that are displayed as unknown in the Event Name column or Low Level Category column require event mapping in QRadar.

You have now listed the unknown events from the IBM Guardium log source. Next, you will map that event.

  1. In the Event Name column, double-click an unknown event for IBM Guardium. The detailed event information is displayed.
  2. Click Map Event.
  3. From the Browse for QID pane, select any of the following search options to narrow the event categories for a QRadar Identifier (QID):
    1. From the High-Level Category list, select a high-level event categorization. (For a full list of high-level and low-level event categories or category definitions, see the Event Categories section of the IBM QRadar Administration Guide.)
    2. From the Low-Level Category list, select a low-level event categorization.
    3. From the Log Source Type list, select a log source type. (The Log Source Type list gives the option to search for QIDs from other log sources. Searching for QIDs by log source is useful when events are similar to another existing network device. For example, IBM Guardium provides policy events; you might select another product that captures similar events.)
    4. To search for a QID by name, type a name in the QID/Name field. (The QID/Name field gives the option to filter the full list of QIDs for a specific word; for example, "policy.")
  4. Click Search. A list of QIDs is displayed.
  5. Select the QID you want to associate to your unknown event.
  6. Click OK.

QRadar maps any additional events that are forwarded from your device with the same QID that matches the event payload. The event count increases each time that the event is identified by QRadar. If you update an event with a new QID map, past events that are stored in QRadar are not updated. Only new events are categorized with the new QID.

Sample log received from IBM Guardium

Based on the sample log below that is received from IBM Guardium, we can create a sample rule to detect unauthorized access to sensitive objects in the database. [Image: Sample log]

Step 3: Create a rule condition and response

The following rule condition monitors the occurrence of the event named "Unauthorized Users on Sensitive Objects – Alert." It has the QID value of 64250101 from the log source Guardium at guardium115.

To create a sample rule, complete the following steps:

  1. Click the Offense tab and in the left menu, click Rules.
  2. Click Actions > New Event Rule, and then click Next.
  3. Select Events and then click Next. [Image: QRadar Events]
  4. Below the Test Group drop-down list, in the search field, type log source.
  5. Click the "+" symbol next to the first condition that appears, when the event(s) were detected by one or more of these log sources. The condition is added to the list of rule tests below. [Image: List of QRadar rules]
  6. In the condition that was added, click "these log sources" and locate the Guardium log source name.
  7. Click Add and then click Submit.
  8. Repeat these steps to add a QID. Type QID in the search field.
  9. Click the "+" symbol next to the condition, when the event QID is one of the following QIDs.
  10. In the Apply field below, click QIDs and add the value 64250101. Click Add and then click Submit. [Image: QRadar rule wizard]
  11. Click Next to define the Rule Action and Rule Response as shown in the following image. [Image: Define rule action and rule response]

This Rule Response generates an offense whenever an incoming event matches the aforementioned rule condition. In addition, you keep track of the usernames in a separate reference set as part of the response activity. This enables you to monitor suspicious usernames and create additional rules to track any activity associated with the usernames listed in the reference set.

Step 4: Generate an offense

Following is an example of an offense that is generated when the rule condition in the previous step is satisfied.

  1. Click the Offenses tab and in the left menu, click All Offenses. When you open the offense, the events and flows that are directly responsible for generating the offense are displayed (as shown in the next step). [Image: QRadar All Offenses window]
  2. Click events or flows to display the details of events and flows that contributed to the offense. [Image: QRadar offenses details]
  3. Review the list of users who will be included in the reference set as part of the Rule Response.

Step 5: Updating the reference set and adding a monitoring rule

When the aforementioned rule has been activated, an unauthorized user is added to a reference set that enables you to monitor their actions using another set of rules.

To view the reference set details, click the Admin tab and then click Reference set management. You can then search for a malicious DB user. The image below shows that a user has been added to the reference set. You can also view the rules that are applied to this set.

To create a rule to monitor the user in the reference set, complete the following steps:

  1. Click the Offense tab and in the left menu, click Rules.
  2. Click Actions > New Event Rule, and then click Next.
  3. Select Events and then click Next.
  4. Below the search field, type Log Source and add the rule when the event(s) were detected by one or more of these log sources.
  5. Click Log sources and from the list, add the Guardium log source.
  6. In the search bar, type Refer and then add the rule when any of these event properties are contained in any of these reference set(s).
  7. Click event properties and select username.
  8. Click Add and then click Submit.
  9. Click Reference set(s) and from the list, select Malicious DB User.
  10. Click Add and then click Submit.
  11. Define the Rule Action and Rule Response as shown in the following image.
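
The following is an added example, not part of the original tutorial or of either IBM product: a small Python model of the two QRadar rules above (Step 3 keying on QID 64250101 and filling the reference set, Step 5 keying on membership in that reference set) run over constructed LEEF 1.0 lines shaped like Guardium policy-violation alerts. The LEEF EventID names, the QID-to-EventID map standing in for the Step 2 event mapping, the placeholder QID 64250199 and all attribute values are assumptions for illustration.

```python
# Constructed sample events: (QRadar log source identifier, LEEF 1.0 payload).
# EventID names and attribute values are placeholders, not Guardium's real template.
SAMPLE_EVENTS = [
    ("guardium115", "LEEF:1.0|IBM|Guardium|11.5|NormalUserActivity|"
                    "usrName=normalUser\tsrc=10.0.0.5\tsql=SELECT name FROM customers"),
    ("guardium115", "LEEF:1.0|IBM|Guardium|11.5|UnauthSensitiveObjects|"
                    "usrName=unauth\tsrc=10.0.0.9\tsql=SELECT ssn FROM customers"),
    ("guardium115", "LEEF:1.0|IBM|Guardium|11.5|NormalUserActivity|"
                    "usrName=unauth\tsrc=10.0.0.9\tsql=SELECT name FROM customers"),
    ("otherhost", "LEEF:1.0|IBM|Guardium|11.5|UnauthSensitiveObjects|"
                  "usrName=unauth\tsrc=10.0.0.9\tsql=SELECT ssn FROM customers"),
]
GUARDIUM_LOG_SOURCE = "guardium115"
UNAUTH_QID = 64250101                 # QID used by the tutorial's Step 3 rule condition
REFERENCE_SET_NAME = "Malicious DB User"
# Stand-in for the Step 2 event mapping (LEEF EventID -> QID); 64250199 is a placeholder.
QID_MAP = {"UnauthSensitiveObjects": UNAUTH_QID, "NormalUserActivity": 64250199}

def parse_leef(line):
    """Split a LEEF 1.0 record: five '|'-separated header fields, then tab-separated key=value pairs."""
    if not line.startswith("LEEF:1.0|"):
        raise ValueError("not a LEEF 1.0 record")
    _, vendor, product, version, event_id, attr_blob = line.split("|", 5)
    attrs = dict(kv.split("=", 1) for kv in attr_blob.split("\t") if "=" in kv)
    return {"vendor": vendor, "product": product, "version": version,
            "event_id": event_id, **attrs}

def correlate(events, log_source=GUARDIUM_LOG_SOURCE):
    """Apply the two tutorial rules in arrival order; returns (offenses, reference set contents)."""
    reference_set, offenses = set(), []
    for source, line in events:
        if source != log_source:          # both rules require the Guardium log source
            continue
        ev = parse_leef(line)
        user = ev.get("usrName")
        qid = QID_MAP.get(ev["event_id"])
        # Rule 2 (Step 5): any Guardium event whose username is already in the reference set.
        if user in reference_set:
            offenses.append(("Activity by user in " + REFERENCE_SET_NAME, user))
        # Rule 1 (Step 3): QID 64250101 -> offense, and the username joins the reference set.
        if qid == UNAUTH_QID and user:
            offenses.append(("Unauthorized Users on Sensitive Objects - Alert", user))
            reference_set.add(user)
    return offenses, reference_set

def run_sample():
    return correlate(SAMPLE_EVENTS)

if __name__ == "__main__":
    for name, user in run_sample()[0]:
        print(f"offense: {name} (usrName={user})")
```

Note that the fourth sample line carries the unauthorized EventID but arrives from a different log source, so neither rule fires on it, matching the "detected by one or more of these log sources" test both rules start with.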

Preventive action from Guardium

On recognizing a particular behavior by an unauthorized user, and if after investigation the activities are deemed to be intentional, Guardium can recertify the access limits for a user by blocking them from performing activities on the sensitive data tables. This limit can be implemented by creating a security policy with a blocking rule action.

The steps for creating a policy were described previously. The image below shows a sample blocking rule.

This policy performs two actions. First, it attaches to the user session so that Guardium can complete its analysis. Then, based on the matching criteria provided in the second rule, the session is either terminated or allowed to continue.

In this example, we compare the object accessed by the UNAUTH user against the SSN object. If it matches, we send a block command so that Guardium terminates the user session, preventing data access and leakage.

Summary

In this tutorial and demonstration, we successfully detected that a user was engaged in unauthorized activity. Both IBM Security Guardium and IBM Security QRadar promptly acted on the suspicious activity, investigated it, and after identifying that it was malicious activity, they added the user to a reference set for continuous monitoring by QRadar and preventive action from Guardium. The user will be blocked from performing activities on the sensitive data objects.

Now that you understand how IBM Security Guardium and IBM Security QRadar can work together to keep your sensitive data safe, you can explore more about these powerful security products: