IBM Security QRadar SIEM and BlueCat DNS/DHCP Server
Introducing new functionality for IBM Security Intelligence Platform: Integration with BlueCat DNS/DHCP Server (formerly Adonis) enhances device and network security.
BlueCat DNS/DHCP Server delivers highly reliable, resilient and secure core network services to ensure always-on application access and business connectivity. BlueCat DNS/DHCP Server also enhances network security by allowing customers to view and control the critical data relationships between IP addresses, physical location, devices, users and activity. Malicious attempts to steal intellectual property and data often leverage uncontrolled DNS as an entry point. With BlueCat, network access can be tied to device security and compliance, so that you can:
- Enforce a security policy for all devices (corporate-owned, BYOD, etc.)
- Prevent connections to the corporate network from unsecured devices
- Perform analysis and quarantine infected devices
QRadar SIEM gives a Security Operations Center (SOC) a single pane of glass for troubleshooting issues. Its rules engine correlates data, detects anomalies and generates a manageable list of the highest-priority risks requiring forensic investigation and remediation. QRadar SIEM derives much of its value from working with best-of-breed products.
IBM Security QRadar SIEM provides:
- Integrated log, threat and compliance management
- Asset profiling and flow analytics
- Offence management and workflow
The integration of BlueCat DNS/DHCP Server and IBM Security QRadar addresses critical customer security challenges. Below are details on four customer use-cases where the integration of the BlueCat Solution and IBM Security QRadar has enabled customers to accelerate security response and reduce the time and effort required to achieve their security and compliance goals.
- Enable threat detection of malware:
- Summary: Leverage BlueCat network intelligence to gain visibility into device activity, accelerate the detection of malware and quarantine infected devices.
- Description: A financial institution sees an increasing number of DNS lookups over time from a set of internal devices to an unusual zone or machine. The atypical traffic pattern results in an offence. This offence is correlated with QRadar flow data, which indicates that the machine contacted a country of concern, raising the magnitude of the offence. Security analysts suspect malware may be present and attempting to contact its command-and-control server(s). Complete and early visibility of the threat allows the SOC to take action before the malware infects additional users' devices. QRadar analysts can also use historical DNS events to perform a detailed forensic analysis, helping to identify advanced persistent threats.
- How It Works: BlueCat DNS/DHCP Server sends time-stamped DNS query information, along with the origin of each request, to QRadar. QRadar processes the request information per device and across devices to identify requests that do not match typical patterns. Deviations are made visible to the SOC for further analysis.
- Enable blacklisting of bad domain names:
- Summary: Block unauthorized application access before any connection to the organization's network is established. Prevent malicious agents from finding entry points to the network.
- Description: Blocking application access at the firewall typically does not stop the client from resolving the name and attempting the initial connection, which gives the malicious agent a "proof of existence" it can use as a target. Organizations that block application access at the DNS level prevent the connection from ever being attempted and deny malicious agents a confirmed target for future attacks. Furthermore, users can be transparently redirected to a location that allows security analysts to study the attacker. To deliver these capabilities, QRadar SIEM combines the network intelligence provided by the BlueCat DNS/DHCP Server with flow records.
A financial institution sees that a device on the internal network made multiple attempts to connect to a former Warsaw Pact country within two minutes. Correlation with the network intelligence in BlueCat shows that the connection attempt came from a laptop belonging to a privileged user. The flows and BlueCat DNS/DHCP Server events are correlated with X-Force reputation data indicating that the destination is a bad domain. An offence is generated, which triggers a SOC investigation. In addition, the offence adds the offending domain to a reference set of blacklisted domains. This blacklist blocks any further connection attempts to the bad domain and can be used by QRadar's rules engine to identify future offences.
- How It Works: DNS, DHCP and device information is exchanged between BlueCat DNS/DHCP Server and QRadar. The information contains the device's unique identifier (MAC address) and its IP address; the device type and the username of its operator are available in BlueCat. With this information available, all subsequent alerts can automatically be mapped to a specific device. Any query for a "bad domain" is blocked directly by the DNS caching server, and the user is redirected to a notification web page indicating that a bad site was requested.
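The two use cases above (rising DNS queries to an unusual zone, then reputation-driven blacklisting through a reference set) reduce to a join of DNS query events, DHCP lease data, flow records and a reputation verdict. The following is an added example written for this page, not BlueCat or IBM code and not QRadar's rule language: the syslog-style DNS log format, the hosts, IPs, the country code "ZZ", the reputation table and the sinkhole URL are all assumptions made for illustration, and the "registered zone" is approximated as the last two labels of the name.

```python
"""Use cases 1 and 2 above, run over constructed data (added example, not BlueCat/IBM code)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed DHCP lease data: ip -> (MAC, user, device type); stands in for BlueCat's lease view.
DHCP_LEASES = {
    "10.1.4.23": ("00:11:22:33:44:55", "jdoe", "laptop"),
    "10.1.4.24": ("00:11:22:33:44:66", "asmith", "laptop"),
    "10.1.4.25": ("00:11:22:33:44:77", "svc-backup", "server"),
}
# Constructed syslog-style DNS query lines (this format is an assumption, not BlueCat's).
DNS_LOG = """\
2024-03-04T09:00:01Z client 10.1.4.23 query: www.example.com IN A
2024-03-04T09:00:05Z client 10.1.4.24 query: www.example.com IN A
2024-03-04T09:01:00Z client 10.1.4.23 query: a1.cnc-zone.example IN A
2024-03-05T09:01:00Z client 10.1.4.23 query: a2.cnc-zone.example IN A
2024-03-05T09:02:00Z client 10.1.4.23 query: a3.cnc-zone.example IN A
2024-03-06T09:01:00Z client 10.1.4.23 query: a4.cnc-zone.example IN A
2024-03-06T09:02:00Z client 10.1.4.23 query: a5.cnc-zone.example IN A
2024-03-06T09:03:00Z client 10.1.4.23 query: a6.cnc-zone.example IN A
2024-03-06T09:04:00Z client 10.1.4.25 query: www.example.com IN A
"""
# Constructed flow records: (timestamp, src ip, dst ip, dst country).
FLOWS = [
    ("2024-03-06T09:01:02Z", "10.1.4.23", "203.0.113.9", "ZZ"),
    ("2024-03-06T09:04:01Z", "10.1.4.25", "198.51.100.7", "US"),
]
COUNTRIES_OF_CONCERN = {"ZZ"}                        # hypothetical geo watchlist
REPUTATION = {"cnc-zone.example": "malware"}         # stands in for X-Force verdicts
BLACKLIST_REFSET = set()                             # the "blacklisted domains" reference set
SINKHOLE = "http://dns-blocked.corp.example/notice"  # hypothetical notification page


def parse_dns_log(text):
    """Yield (timestamp, client ip, query name) from the constructed log lines."""
    for line in text.splitlines():
        ts, _, ip, _, qname, *_ = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, qname.lower()


def zone_of(qname):
    """Registered zone approximated as the last two labels (real code would use the PSL)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def rising_zone_queries(events, min_days=3):
    """Use case 1: per device, zones whose daily query count rises strictly day over day."""
    daily = defaultdict(Counter)  # (ip, zone) -> {date: query count}
    for ts, ip, qname in events:
        daily[(ip, zone_of(qname))][ts.date()] += 1
    hits = []
    for (ip, zone), counts in daily.items():
        series = [counts[d] for d in sorted(counts)]
        if len(series) >= min_days and all(a < b for a, b in zip(series, series[1:])):
            hits.append((ip, zone, series))
    return hits


def build_offence(ip, zone, series):
    """Attach lease data; raise magnitude on flows to a country of concern (use case 1)
    and push the zone into the blacklist reference set on a bad reputation (use case 2)."""
    mac, user, device = DHCP_LEASES.get(ip, ("unknown", "unknown", "unknown"))
    offence = {"ip": ip, "mac": mac, "user": user, "device": device, "zone": zone,
               "queries_per_day": series, "magnitude": 3, "reasons": ["rising DNS queries"]}
    if any(src == ip and cc in COUNTRIES_OF_CONCERN for _, src, _, cc in FLOWS):
        offence["magnitude"] += 3
        offence["reasons"].append("flow to country of concern")
    if zone in REPUTATION:
        offence["magnitude"] += 4
        offence["reasons"].append("reputation: " + REPUTATION[zone])
        BLACKLIST_REFSET.add(zone)
    return offence


def resolve(qname):
    """Caching-server view once the reference set is applied as DNS policy:
    names in a blacklisted zone get the notification page instead of an answer."""
    if zone_of(qname) in BLACKLIST_REFSET:
        return ("BLOCKED", SINKHOLE)
    return ("RESOLVE", qname)


def run():
    """Detect rising-query zones and turn each into an offence."""
    return [build_offence(*hit) for hit in rising_zone_queries(parse_dns_log(DNS_LOG))]


if __name__ == "__main__":
    for offence in run():
        print(offence)
    print(resolve("a7.cnc-zone.example"), resolve("www.example.com"))
```

Only the laptop at 10.1.4.23 trips the rising-query rule (1, 2 and 3 queries on successive days to cnc-zone.example); the matching flow to "ZZ" and the reputation hit raise its magnitude and put the zone into the reference set, after which a later query for a7.cnc-zone.example is answered with the sinkhole page while www.example.com still resolves. In a real deployment the per-day threshold, the magnitude weights and the zone extraction would be tuned to the environment.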
- Identify a query that is not a threat:
- Summary: Business is global, but not everyone within an organization needs to access remote resources or resources located in regions typically considered "high-risk." This situation produces a large number of false positives and false negatives that are time-consuming and costly for security teams to investigate. With BlueCat and QRadar, organizations can escalate or reduce threat assessments based on the group membership of a user.
- Description: A financial institution has a group of users who contact a site located in a region with which the company does not typically do business. A request for access to an application located in a region considered "high risk" is detected. By matching DNS queries and their point of origin against a "whitelist" of users whose business role requires them to contact that region, QRadar still raises an offence but reduces its magnitude upon determining that the user belongs to the whitelist. No follow-up by SOC staff is required.
- How It Works: DNS, DHCP and device information is exchanged between BlueCat DNS/DHCP Server and QRadar. The information contains the device's unique identifier (MAC address) and its IP address; the device type and the username of its operator are available in BlueCat. With this information available, any query can be mapped to user-group characteristics to automatically elevate or reduce the threat level of any attempt to access external applications.
- Accelerate forensics and identify "patient zero":
- Summary: Forensic analysis of breaches and security vulnerabilities is extremely time-consuming. BlueCat and QRadar give security teams the ability to continuously map any traffic and/or application access to a user/device combination, significantly accelerating forensic analysis.
- Description: Continuous monitoring and storage of all application access requests, cross-referenced with the X-Force reputation engine, allows a health-care institution to automatically identify 200 corporate mobile devices that queried the same "bad" domain. A quick look through the historical report of queries allows the SOC to complete its forensic investigation and determine the first user/device combination that queried the bad zone, thus identifying "patient zero." Isolating the 200 devices and blacklisting the "bad zone" automatically contains the threat and prevents it from spreading further within the organization.
- How It Works: DNS, DHCP and device information is exchanged between BlueCat DNS/DHCP Server and QRadar. The information contains the device's unique identifier (MAC address) and its IP address; the device type and the username of its operator are available in BlueCat. With this information retained for a corporate-defined retention period, security teams can rapidly perform a detailed analysis simply by running reports at regular intervals.
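Use cases 3 and 4 above both rest on the same join of DNS query events with the lease data (MAC and user) that BlueCat supplies: one adjusts an offence's magnitude by the user's group, the other walks the retained history to find the first device that touched a bad zone. The following is an added example written for this page, not BlueCat or IBM code: the events are constructed and already normalised to (timestamp, MAC, user, query name) tuples as they would be after that join, and the users, groups, region tag "APAC-HR", zone names and the bad-zone verdict are all assumptions. The event list is deliberately not in time order, which is why patient zero is found by taking the minimum timestamp per device rather than the first matching line.

```python
"""Use cases 3 and 4 above over constructed, pre-joined events (added example, not BlueCat/IBM code)."""
from datetime import datetime, timezone

# Constructed directory data: user -> groups.
USER_GROUPS = {"jdoe": {"staff"}, "mlee": {"staff", "apac-trading"}, "ops1": {"staff"}}
# Which groups are expected to reach each high-risk region (the "whitelist" of the text).
REGION_WHITELIST = {"APAC-HR": {"apac-trading"}}
# Hypothetical region tag for a zone (stands in for a geo/IP reputation lookup).
ZONE_REGION = {"trading.example": "APAC-HR"}
# Hypothetical bad-zone verdict (stands in for X-Force data).
BAD_ZONE = "bad-zone.example"

# Constructed events, already joined with lease data: (timestamp, MAC, user, query name).
EVENTS = [
    ("2024-03-06T08:00:00Z", "00:1a:2b:3c:4d:01", "mlee", "quote.trading.example"),
    ("2024-03-06T08:05:00Z", "00:1a:2b:3c:4d:02", "jdoe", "quote.trading.example"),
    ("2024-03-06T07:58:00Z", "00:1a:2b:3c:4d:03", "ops1", "u1.bad-zone.example"),
    ("2024-03-06T08:10:00Z", "00:1a:2b:3c:4d:01", "mlee", "u2.bad-zone.example"),
    ("2024-03-06T08:11:00Z", "00:1a:2b:3c:4d:02", "jdoe", "u3.bad-zone.example"),
    ("2024-03-06T08:12:00Z", "00:1a:2b:3c:4d:03", "ops1", "u9.bad-zone.example"),
]


def parse_ts(s):
    """Constructed timestamps are UTC in ISO-8601 basic form."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def zone_of(qname):
    """Registered zone approximated as the last two labels (real code would use the PSL)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def assess_region_access(event, base_magnitude=5):
    """Use case 3: access to a high-risk region is an offence, but its magnitude drops
    and no follow-up is flagged when the user's group is whitelisted for that region.
    Returns None for queries that do not touch a tagged region."""
    _, mac, user, qname = event
    region = ZONE_REGION.get(zone_of(qname))
    if region is None:
        return None
    allowed = USER_GROUPS.get(user, set()) & REGION_WHITELIST.get(region, set())
    return {"user": user, "mac": mac, "region": region,
            "magnitude": 1 if allowed else base_magnitude,
            "follow_up": not allowed}


def patient_zero(events, bad_zone):
    """Use case 4: first query time per device for the bad zone, and the earliest of them.
    Returns ((mac, user, first_seen), {mac: (first_seen, user)}) or (None, {}) if no hits."""
    first_seen = {}
    for ts, mac, user, qname in events:
        if zone_of(qname) != bad_zone:
            continue
        when = parse_ts(ts)
        if mac not in first_seen or when < first_seen[mac][0]:
            first_seen[mac] = (when, user)
    if not first_seen:
        return None, {}
    pz = min(first_seen, key=lambda m: first_seen[m][0])
    return (pz, first_seen[pz][1], first_seen[pz][0]), first_seen


def containment_plan(first_seen, bad_zone):
    """Devices to isolate and the zone to blacklist, as in the text's containment step."""
    return {"isolate_macs": sorted(first_seen), "blacklist_zone": bad_zone}


if __name__ == "__main__":
    for ev in EVENTS:
        print(assess_region_access(ev))
    pz, hits = patient_zero(EVENTS, BAD_ZONE)
    print("patient zero:", pz)
    print(containment_plan(hits, BAD_ZONE))
```

For the trading zone, mlee (a member of apac-trading) gets a low-magnitude offence with no follow-up while jdoe gets the full magnitude; for the bad zone, three devices are found and the ops1 device at 07:58 is patient zero even though its line sits third in the list. The retained history behind this is exactly what the "corporate-defined retention period" above has to cover, since the earliest query is usually older than the alert that started the investigation.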
The integration of BlueCat DNS/DHCP Server with QRadar SIEM provides highly available DNS and DHCP services combined with a rich source of network intelligence that increases visibility and control over complex security threats. QRadar gains a wealth of network intelligence data to better highlight issues in offences, enabling customers to create rules that automatically identify threats and to generate the regular reports used for forensic analysis. The combined BlueCat and IBM solution enhances security while relieving security teams of the burden of investigating low-value offences and reducing the cost of demonstrating security and compliance.