Townsend Security Data Privacy Blog

How System Logging and Snowstorms Can Provide Important Information

Posted by Alex Bryan on Feb 12, 2016 2:44:00 PM

When the weather outside is frightful, keep a watchful eye on those tracks in the snow!

I used to love looking out the sliding glass doors at my parents deck when it would snow. I would rush to the cold glass first thing in the morning to see just who had been out and about. It was always exciting to see what footprints the various critters had left behind from the night before. Strange topic for a tech blog to be sure, however this memory always pops to the front of my mind when discussing system logging, log collectors, and their ever-important counterpart, SIEM solutions. The one question I hear most in our support department is “I’ve got a log collector do I really need a SIEM?” Well let’s think about that and compare log collection and monitoring to a fresh snowfall. Request the white paper: Simplifying Security for IBM I and IBM QRadar

Envision the log collector as a blanket of snow over a deck. The deck in this example represents your database, the footprints are the events. Just one database server can generate millions of events in a day. With that kind of traffic your blanket of snow is going to become packed ice very quickly. You wouldn’t be able to pick out and clearly identify any one specific footprint from that mess. The shear amount of events generated by the average system makes detecting an anomalous event a logistical nightmare for a human observer. So simply having a good log collector is great, but it is only half of the equation. You have to be able to identify events and act on the information gathered, preferably in real-time.

One morning, after it had snowed I was up early peering out at the snow cover when I noticed boot prints near the garage. This was unusual as we lived in a relatively rural area. I told my parents what I’d seen, and tried to show them, but the snow was starting to melt. So the evidence that I had seen was rapidly being lost to time and inactivity. My parents brushed off my concern and went on with their day, opting to forego any further “analysis”. The following morning they awoke to an open garage door and a missing car.

This scenario is strikingly similar to how cyber criminals operate. Evidence of a breach is often left long before any data is actually stolen. It can take weeks and, in some cases, months for an intruder to find the data they want and take it. Early detection has spelled the end of many data theft attempts. Unusual events like someone accessing the system from an unfamiliar location, or an unexpected access of a sensitive file can be identified before data goes missing. All of those events show up in the system logs, but if you aren’t doing anything with the information, then you are making it easy for criminals to get what they came for. When properly deployed, and monitored in real-time, a SIEM can be your strongest weapon in actively preventing breaches.

Proper set-up can appear to be daunting because the system logging solution needs to be able to understand the events being received. The SIEM can’t correlate data to recognize patterns, and identify suspicious activity if the log collector is sending events in a language the SIEM doesn’t understand. In a perfect scenario SIEMs and log collectors would work together to create an “out of the box “ solution. Townsend Security has recently worked with IBM to enhance our system logging solution to include support for IBM Security QRadar.  Alliance LogAgent for IBM QRadar can now send events in IBMs “Log Event Extended Format” or LEEF to the QRadar SIEM. Because we worked directly with the IBM team for the QRadar Device Support Module (DSM) definitions, you just need to pull the latest DSM definitions from IBM to get started. Though it’s similar to other log formats like syslog, QRadar can sort and use the information received without any major set up.  This means that instead of logging tons of unreadable, unsorted events, you can query the SIEM to find something specific like a log on, or file change - which, going back to the original analogy, can help you find the boot prints in the snow!

Alliance LogAgent for IBM QRadar works seamlessly with IBM Security QRadar to give you the real-time, active monitoring tools you need to be proactive when dealing with a potential data breach. For more information, request this white paper on Making Security Better for the IBM i and IBM QRadar:


Request the white paper: Simplifying Security for IBM I and IBM QRadar



Topics: System Logging, White Paper, IBM QRadar, Alliance LogAgent for IBM QRadar

FAQ: IBM i System Logging for IBM Security QRadar

Posted by Patrick Townsend on Feb 1, 2016 10:08:00 AM

When our customers consider deploying Alliance LogAgent for IBM QRadar on their IBM i (AS/400, iSeries) servers, they often have a number of questions about how the application works. Here are a few of the common questions we encounter:

IBM i Security QRadar Log Collection Can I monitor security events collected in the IBM security audit journal QAUDJRN?
Yes, all of the events in the QAUDJRN security journal are processed by Alliance LogAgent and assigned a severity level that is recognized by QRadar. Be aware that the security event information collected in the QAUDJRN security audit journal depend on system values that you define. Minimally you should configure your IBM i server to collect all *SECURITY level events. See the Alliance LogAgent documentation for more information.

Can I monitor user messages in the security audit journal QAUDJRN?
Yes, Alliance LogAgent for IBM QRadar processes all user-defined events in the security audit journal. If you wish to write user-defined events to QAUDJRN you should be aware of the data format defined for QRadar called the Log Event Extended Format, or LEEF. The LEEF format documentation is available from IBM.

Why is Alliance LogAgent for IBM QRadar better than what I already have?
Alliance LogAgent for IBM QRadar has several security advantages over the native AS/400 DSM definition in QRadar. The most important is that Alliance LogAgent processes security events in real time. This means that QRadar can perform event correlation and alerting more effectively. There is less chance that a security breach will result in the loss of data. Additionally, Alliance LogAgent provides more information for security events. For example, when a user profile is changed all of the granted authorities are reported to QRadar, not just the summary information. Lastly, Alliance LogAgent collects information from a variety of sources including IBM i Exit Points, the system message file QHST, the system operator’s message queue, and user defined messages via a data queue. For all of these reasons Alliance LogAgent for IBM QRadar will improve your IBM i security.

Do I have to make any changes to QRadar?
No, you just need to pull the latest QRadar Device Support Module (DSM) definitions from IBM and you are ready to use Alliance LogAgent for IBM QRadar. If you are automatically updating your DSM definitions you probably already have the DSM support you need. Townsend Security worked with the IBM QRadar team for the DSM definitions. You do not need to do any manual work for IBM QRadar to recognize and process IBM i security events transmitted by Alliance LogAgent for IBM QRadar.

Is Alliance LogAgent for IBM QRadar certified by IBM?
Yes, Townsend Security worked directly with the IBM Security QRadar technical team to certify the security events transmitted by Alliance LogAgent. Out of the box the QRadar SIEM will recognize and process events sent by Alliance LogAgent for IBM QRadar. Townsend Security is validated to the Ready For IBM Security Information program.

What is the performance impact?
Alliance LogAgent for IBM QRadar runs as a low priority batch job on the IBM i platform and will have minimal impact on CPU and other resources. The application uses normal IBM APIs for security event information and does not bypass normal application performance controls. You should not notice any significant impact on interactive user jobs or system resources.

Can I filter messages that are sent to QRadar?
Yes, Alliance LogAgent for IBM QRadar provides several ways to filter messages sent to IBM QRadar including:

  • Which QAUDJRN events are reported
  • Which QAUDJRN user events are reported
  • Which System Values are reported
  • Which libraries and objects are included or excluded
  • Which IFS directories and files are included or excluded
  • Which user profiles are excluded.
  • Which IBM i Exit Points are monitored
  • Which files and tables are monitored at the field level

As you can see you have many options for filtering which events are transmitted to IBM QRadar.

How much storage does Alliance LogAgent use, and will I need to add storage?
Alliance LogAgent does not make any temporary or permanent copies of security information and will not impact your storage utilization. The only storage you need is for the Alliance LogAgent program objects (about 100 Megabytes) and you will not need to add additional storage.

How are security events transmitted to QRadar, and will I need third party software for this?
Alliance LogAgent provides the communications applications as a part of the base product and you will not need any third party software.

Can I monitor exit points like FTP?
Yes, Alliance LogAgent monitors the FTP exit point and several other critical exit points provided by IBM. These include the exit points for remote data queues, SQL (including ODBC), DB2, FTP and many others. Please contact Townsend Security if you have questions about a specific exit point. New Exit Point monitors are added on a periodic basis.

Can I monitor messages in the system history file (QHST)?
Yes, Alliance LogAgent for IBM QRadar can monitor messages in the QHST system history files. It automatically detects new QHST files created by the operating system and processes messages in near real time.

Can I monitor changes to database files at the field level?
Yes, Alliance LogAgent for IBM QRadar includes a license for the File Integrity Monitoring module. This gives you the ability to monitor access to one or more fields in any database file. There is no limit to the number of fields or files that you can monitor. Monitoring also includes processing file open and close requests so that you have a full picture of user access to a file.

Can I my RPG and CL applications write messages to QRadar?
Yes, Alliance LogAgent can monitor one or more user data queues and transmit messages to QRadar. Your application can write the important security information to the data queue and Alliance LogAgent will add the QRadar headers, convert to the ASCII character set, and transmit the event to QRadar in the appropriate format. There is no limit to the number of data queues you can define or the number of messages.

We use Splunk for log collection, can we use IBM QRadar at the same time?
Yes, many customers use both Splunk and QRadar at the same time. You will find information in the IBM and Splunk documentation on how to implement these solutions together. It is recommended that you send information to QRadar in the native Log Event Extended Format (LEEF) first, and then forward the information to Splunk. This will give you the best security implementation.

How is Alliance LogAgent for IBM QRadar licensed?
Alliance LogAgent for IBM QRadar is licensed on a Logical Partition (LPAR) basis at a flat fee per LPAR. Multiple license discounts are available. Please contact Townsend Security for pricing and support options.

I am using a different SIEM solution, can I use Alliance LogAgent?
Yes, Alliance LogAgent works with all major SIEM solutions including, but not limited to, LogRhythm, Alert Logic, AlienVault, Splunk, McAfee and managed service providers like Dell SecureWorks, NTT/Solutionary and others. If you decide to upgrade to IBM Security QRadar you can easily upgrade to Alliance LogAgent for IBM QRadar.

I need help installing IBM Security QRadar, can you help us?
Townsend Security provides no-charge support for installation and configuration of Alliance LogAgent for IBM QRadar on your IBM i server. If you need assistance with installing, evaluating and using IBM Security QRadar we will provide you with an introduction to a certified IBM QRadar partner company.

Can I try Alliance LogAgent for IBM QRadar on my IBM i server?
Yes. Alliance LogAgent for IBM QRadar can be downloaded and installed on your IBM i server at no charge. During the evaluation period the solution is fully functional and you can integrate it with IBM Security QRadar at no charge for the Townsend Security software (IBM QRadar EPS charges may apply).

How do I get started with Alliance LogAgent for IBM QRadar?
Once you request an evaluation of Alliance LogAgent for IBM QRadar you will receive information on how to download the software and install it on your IBM i server. The Townsend Security customer support team will provide you with training and support at no charge.

If you have any other questions about Alliance LogAgent for IBM QRadar, or other Townsend Security solutions, please contact us.

IBM i Security QRadar Log Collection

Topics: System Logging, IBM QRadar, Alliance LogAgent for IBM QRadar

The Boyd Gaming Case Study of LogAgent for IBM QRadar

Posted by Michelle Larson on Jan 22, 2016 3:00:00 PM

Collecting and Monitoring Real-time IBM i Security Events with Alliance LogAgent for IBM QRadar

Collecting and Actively Monitoring System Logs is Important Across ALL Operating Systems!

Because the IBM i (AS/400, iSeries) can handle multiple applications, it doesn’t log information like other systems do. The IBM i collects logs simultaneously from multiple sources and deals with large volumes: Up to 3,500 events per second…250 Million events per day!  The essence of good log security is externalizing the systems logs and collecting them in a central repository, which helps remove the risk of tampering. Close monitoring of system logs can help you detect a breach before it happens, it can be a requirement for compliance with security regulations, and it can be a very difficult, inefficient, and cumbersome process.

PDF of Boyd Gaming Case Study of LogAgent for QRadar

For years, our Alliance LogAgent solution has been helping businesses using the IBM i to collect logs from the QAUDJRN security journal, convert them to common syslog formats and then transmit to a central log server or SIEM product for collection, analysis, and alert management. Now, with Alliance LogAgent for IBM QRadar, deeper threat intelligence and security insights can be gained in real-time.

For example, having chosen IBM Security’s QRadar SIEM, the security team at Boyd Gaming needed a solution to collect IBM i security and application logs into a coherent strategy for log collection, analysis and alert management. Before they started using Alliance LogAgent for IBM QRadar, Boyd Gaming used a Device Support Module (DSM) that made copies of their security journal and sent them out over FTP to a server, where QRadar would go grab them – a very cumbersome and inefficient process. By implementing Alliance LogAgent for IBM QRadar, they brought their IBM i platform into a common strategy for log consolidation and analysis with the security events from other servers.

Alliance LogAgent for IBM QRadar does exactly what it needs to do. It was built for the IBM i and gives you the data you need,said Anthony Johnson, IT Security Engineer, Boyd Gaming.Knowing that Townsend Security worked with IBM made Alliance LogAgent for IBM QRadar an easy choice. By being able collect all security events and convert them to the IBM Log Event Extended Format (LEEF) made a seamless deployment.

For Boyd Gaming, getting started was very simple. With 15 installations of Alliance LogAgent for IBM QRadar, it only took one hour for them to get them to set up, configured, and begin collecting logs from their IBM i platform.

Alliance LogAgent for IBM QRadar fits the bill for everything. It is very simple to set up, minimal maintenance, and once you set it, you never have to make any adjustments – set it and forget it,finished Johnson.

Not only does IBM Security QRadar perform real-time monitoring of events across the Enterprise, it learns from the events over time in order to recognize normal patterns, detect anomalies, and better identify attacks and breaches. Combined with this intelligent platform IBM Security QRadar provides a broad set of compliance reports that are ready to use. Townsend Security’s Alliance LogAgent for IBM QRadar helps IBM i customers realize the full benefits of the IBM QRadar Security Intelligence solution.

For more detail, please read the whole case study on Boyd Gaming:

IBM i QRadar SIEM Case Study

Topics: IBM QRadar, IBM Security Solutions, Alliance LogAgent for IBM QRadar

Congratulations on taking the first step with IBM QRadar!

Posted by Patrick Townsend on Jan 20, 2016 2:55:00 PM

Now it’s time to take the next step and improve your IBM i security.

Take a victory lap, you deserve it!

IBM i Security QRadar Log Collection You deployed one of the best security applications to help protect your IBM i data - IBM Security QRadar. As a Gartner Magic Quadrant leader in SIEM the QRadar solution is proving a valuable part of your company's’ security strategy. IBM QRadar is easy to deploy, easy to use, easy to manage, and automatically learns about your environment to get better over time. Actively monitoring your network, applications and systems is one of the Top 10 security controls, and QRadar is one of the leading SIEM solutions. You deserve that victory lap!

After you take that victory lap and catch your breath, it is time to take the next step.

The NEXT STEP ???   I thought I was DONE !!!

Not quite. Like all SIEM solutions IBM QRadar works best when it gets information in real-time. When QRadar can see an authority failure, a rogue SQL statement, a change to a system value, or any other critical security event in real time it can correlate that event with all of the others from across your Enterprise. It can evaluate its likely impact and compare it with other events to understand the severity of the event. Real-time monitoring is crucial for good security.

The default Device Support Module (DSM) provided by IBM QRadar provides for a periodic, batch view of basic IBM i security events. Because it is a batch process most IBM i users only collect security events once or twice a day. There is no real-time collection available and your QRadar implementation is not functioning as well as you might like.

Fortunately, it is really easy to fix this. Alliance LogAgent for IBM QRadar from Townsend Security helps you take the next step by providing that real-time monitoring for your IBM i server. Running in the background, Alliance LogAgent collects security events, converts them to IBM QRadar format, and transmits them to QRadar as they happen. Attempted hacks to your IBM i server are captured when they happen, not hours later. And QRadar sees them immediately. You get better security within a few minutes of installing Alliance LogAgent for IBM QRadar.

In addition to real-time monitoring, you also get these critical security functions that are not included in the default QRadar DSM for the IBM i:

  • File Integrity Monitoring (FIM) for any DB2 database file on your system. You can monitor access to sensitive data on a field level.
  • System history file (QHST) monitoring for critical messages and interactive logon and logoff activity.
  • User data queue monitoring so that you can write your own security events from your RPG and CL applications.
  • Exit Point monitoring so that you can monitor and record the host server activity and send the information to QRadar.
IBM Business Partner: Certified Ready for Security Intelligence

Active monitoring with IBM Security QRadar is one of the most important things you can do. Deploying Townsend Security’s Alliance LogAgent for IBM QRadar will make you more secure by making QRadar better. It’s affordable and easy to deploy. You can download a fully functional evaluation and see for yourself. Alliance LogAgent for IBM QRadar is certified by IBM and supported by the QRadar DSM.

That next step is not a big one, but it has big benefits.

Patrick

IBM i Security QRadar Log Collection

Topics: System Logging, IBM QRadar, IBM Security Solutions, Alliance LogAgent for IBM QRadar