
Unit 7: Assets and Vulnerability Assessment

© 2013 IBM Corp.


Objectives
When you complete this unit, you can perform the following tasks:
• Navigate the Assets tab
• Search assets
• Understand asset profile data
• Discover servers
• Understand vulnerability profiles

IBM Software Group | Security Systems


Asset Profile
• An asset can be any kind of host in the network.
• Asset profiles store host identity information such as name, IP address, and much more.
• Asset profiles list the services running on a host.
• Asset profiles incorporate vulnerability data and user identity data from all logs and IAM data that contain identity information.
• Asset profiles show asset activity and correlated events. Based on this information, you can remove false positives or increase the severity of an offense for business-critical assets.

Instructor demonstration

Assets tab
The Assets tab provides three menu items:
Asset Profiles: Searching, adding, editing, deleting stored asset profile data.
Server Discovery: Passive discovery of hosts by analyzing flow data.
VA Scan: Identifying hosts by a Vulnerability Assessment (active scan).

Assets tab toolbar

The toolbar provides:
Modify Search: Find assets that meet certain criteria.
Add Asset: Add an asset record manually.
Edit Asset: Edit an existing record. You can also open a record by double-clicking the asset summary record.
Actions: Delete, Import, Export
Print: Print the search results.
Actions on assets
• Delete Asset: Deletes the selected asset.
• Delete Listed: Deletes all assets meeting the current search criteria.
• Import Assets: Import a list of assets from a formatted CSV file with the columns:
• IP, Name, Weight (1-10), Description
• Export as XML: XML export of all results.
• Export as CSV: Comma-separated value export of all results.

Asset Profile search (1/2)
Offers three kinds of searches:
• Asset Properties
• Extended Asset Properties
• Vulnerability Attributes

Vulnerability Attribute Search
Third-party scanners report vulnerabilities using external references from the Open Source Vulnerability Database (OSVDB) and the National Vulnerability Database (NVDB).

Asset Profile search (2/2)
To modify an asset search:
• Select Asset Profiles to display the Asset Profile Search form.
• Select and enter values for the search categories and parameters:
• Asset Properties
• Extended Asset Properties
• Vulnerability Attributes
• Click Search to execute an individual category search. Click Show All to display all assets.

View Asset Profile
The Override parameter specifies how operating system information (the Operating System, Vendor, and Version parameters) is derived:
• Detected by a Scanner: The scanner provides the operating system information.
• Override until the next scan: The scanner provides the operating system information. If a user edits the operating system parameters, the scanner restores the information at its next scan. This is the default.
• Override Forever: Manually enter the operating system information and prevent the scanner from updating it.
Asset profile data
The following information is stored for each asset:
• Name
• Description
• IP Address
• Network
• Host Name (DNS)
• Risk Level
• Operating System
• Vendor
• Version
• Override
• Weight
• MAC
• Machine Name
• User Name
• Extra Data
• Network
• Host Name
• User Group
• Business Owner
• Business Owner Contact Info
• Technical Owner
• Technical Owner Contact Info
• Location

Port-specific profile information
• Port: Port numbers for services discovered running on the asset.
• Service: Services offered by the asset.
• OSVDB ID: The vulnerability identifier for the asset.
• Name: The name of the detected vulnerability.
• Description: A description of the detected vulnerability.
• Risk/Severity: Specifies the risk level (0 to 10) for the vulnerability.
• Last Seen: Most recently detected either passively or actively.
• First Seen: First detected either passively or actively.

Asset importing and exporting
You can import asset profile information into QRadar SIEM. The imported file
must be a CSV file in the following format: ip, name, weight, description
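The following is an added example, not part of the IBM course material: a pre-upload check for the ip, name, weight, description import file described above. It assumes the weight column must hold an integer from 1 to 10 (as stated on the Actions on assets slide) and that a malformed row would otherwise be rejected or shift columns; the sample file is constructed.

```python
import csv
import io
import ipaddress

# Column order QRadar expects in an asset import file: ip, name, weight, description
COLUMNS = ("ip", "name", "weight", "description")

def validate_asset_import(text):
    """Check an asset import CSV before uploading it.

    Returns (rows, errors): rows is a list of dicts keyed by COLUMNS with the
    weight converted to int; errors is a list of (line_number, message) for
    lines that would be rejected or would import with shifted columns.
    """
    rows, errors = [], []
    reader = csv.reader(io.StringIO(text))
    for fields in reader:
        line = reader.line_num
        if not fields or all(not f.strip() for f in fields):
            continue                                   # blank line
        if len(fields) != len(COLUMNS):
            errors.append((line, f"expected {len(COLUMNS)} fields, got {len(fields)}"))
            continue
        ip, name, weight, description = (f.strip() for f in fields)
        try:
            ipaddress.ip_address(ip)                   # rejects 10.0.0.999 etc.
        except ValueError:
            errors.append((line, f"invalid IP address {ip!r}"))
            continue
        if not name:
            errors.append((line, "empty asset name"))
            continue
        if not weight.isdigit() or not 1 <= int(weight) <= 10:
            errors.append((line, f"weight {weight!r} is not an integer from 1 to 10"))
            continue
        rows.append({"ip": ip, "name": name, "weight": int(weight), "description": description})
    return rows, errors

def write_asset_import(rows):
    """Serialise validated rows back into the ip, name, weight, description layout,
    quoting any field that contains a comma so a description cannot shift columns."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(
        [r["ip"], r["name"], r["weight"], r["description"]] for r in rows)
    return buf.getvalue()

# Constructed sample: two good rows, then a bad address, a bad weight, a short row.
SAMPLE = """\
10.0.0.10,dc01,10,Domain controller
10.0.0.25,mail01,7,"Mail relay, DMZ"
10.0.0.999,bad01,5,Not a valid address
10.0.0.30,web01,15,Weight out of range
10.0.0.31,web02
"""
```

Running `validate_asset_import(SAMPLE)` keeps the first two rows and reports lines 3, 4 and 5 with the reason each would fail.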

The Asset Profile toolbar (1/5)

1. View By Network provides the list of networks associated with this asset if this asset is associated with an offense.

The Asset Profile toolbar (2/5)

2. View Source Summary provides source summary information if this asset is the source of an offense.

The Asset Profile toolbar (3/5)

3. View Destination Summary provides destination summary information if this asset is the destination of an offense.

The Asset Profile toolbar (4/5)

4. History opens an event search criteria window:
• Time Range: Recent (Last 24 Hours)
• Search Parameters: Specifies the following filters to be applied:
• Identity is true
• Identity IP is the IP address of the asset
• Column Definition: Specifies the columns to be displayed in the search results:
• Event name
• Log Source
• Start Time
• Identity Username
• Identity MAC
• Identity Hostname
• Identity NetBIOS Name
• Identity Group Name

The Asset Profile toolbar (5/5)

5. Applications opens a flow search criteria window:
• Time Range: Recent (Last 24 Hours)
• Search Parameters: Filter to be applied to the search results
• Column Definition: Specifies the Application Group column to be displayed in the search results. The search parameters can be customized.

Server discovery (1/4)
• QRadar SIEM provides automated classification of assets, called Server Discovery, which improves the rule tuning and deployment process.
• Server Discovery can automatically categorize assets based on specific attributes learned from collected data, such as events, flows, and vulnerability data.

Server discovery (2/4)
Server discovery searches the Asset Profile database for assets with ports open.
• Vulnerability scans update operating system, open ports, and vulnerabilities in the
asset profiles.
• Passive flow data discovers open ports if it sees a stateful connection to a port.
• This port data is filtered by the server discovery, which searches for ports
associated with known server types.
• Users can redefine the ports for each server type.
• Three user defined server types are available for custom services.

Server discovery (3/4)
To discover servers, set the Server Discovery parameters.

Server discovery (4/4)
The server profiles are entered into Host Definition Building Blocks:
• The Building Blocks are updated with the IP addresses of the discovered servers.
• Building Blocks are then used to tune out false alarms or detect policy and
security issues for that server type.
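The following is an added example, not IBM's code, that models the Server Discovery pipeline from the three slides above: asset profiles with open ports are filtered by a server-type port map (which the user can redefine or extend with a user-defined type), optionally restricted to a network, and the matching IPs are the entries that would be written into each type's Host Definition Building Block. The server-type names, their ports and the asset extract are constructed assumptions, not QRadar's built-in definitions.

```python
import ipaddress

# Constructed server-type port map. QRadar ships its own definitions and lets
# users redefine the ports per server type (plus three user-defined types);
# these values are assumptions for the example, not QRadar's built-in table.
SERVER_TYPES = {
    "Web Servers": {80, 443, 8080},
    "Mail Servers": {25, 465, 587},
    "DNS Servers": {53},
    "Database Servers": {1433, 3306, 5432},
    "User Defined 1": {9200},      # custom service slot, unused in the sample
}

def discover_servers(assets, server_types=SERVER_TYPES, networks=None):
    """Classify assets by open port, the way Server Discovery does.

    assets: {ip: set of open ports} taken from asset profiles (populated by
            VA scans or by passive flow data that saw a stateful connection).
    networks: optional CIDR strings limiting which assets are examined.
    Returns {server_type: sorted list of matching IPs}, omitting empty types;
    each list is what would go into that type's Host Definition Building Block.
    """
    nets = [ipaddress.ip_network(n) for n in networks] if networks else None
    hits = {name: [] for name in server_types}
    for ip, open_ports in assets.items():
        addr = ipaddress.ip_address(ip)
        if nets is not None and not any(addr in n for n in nets):
            continue                                   # outside the searched scope
        for name, service_ports in server_types.items():
            if open_ports & service_ports:             # any known port open -> match
                hits[name].append(ip)
    return {k: sorted(v, key=ipaddress.ip_address) for k, v in hits.items() if v}

# Constructed asset profile extract: IP -> open ports seen on the host.
SAMPLE_ASSETS = {
    "10.0.1.10": {22, 80, 443},
    "10.0.1.20": {22, 25, 587},
    "10.0.2.5": {22, 53},
    "10.0.2.9": {3306},
    "10.0.3.4": {22},            # only SSH: matches no server type
    "192.168.5.7": {80},         # outside the 10.0.0.0/16 scope used below
}

if __name__ == "__main__":
    for server_type, ips in discover_servers(SAMPLE_ASSETS, networks=["10.0.0.0/16"]).items():
        print(f"{server_type}: {', '.join(ips)}")
```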

About Vulnerability assessment
• QRadar SIEM can use the vulnerability detection abilities of third-party active scanners, as well as evaluate possible vulnerabilities on its own.
• Vulnerability assessment (VA) functionality uses the vulnerability scan data to build and populate asset profiles.
• In addition to detailing the known characteristics of detected hosts, the vulnerability assessment process uses the Open Source Vulnerability Database (OSVDB) to associate observed details with known vulnerabilities.
• VA scanning can be configured from both the Assets tab and the Administration Console.
• Active scans by third-party scanners are configured and operated by administrators.

Questions

Student exercise

Summary
Now that you have completed this unit, you can perform the following tasks:
• Navigate the Assets tab
• Search assets
• Understand asset profile data
• Discover servers
• Understand vulnerability profiles
