SOC Manager plugin - QRadar SIEM
Department of Computer Science, Ben-Gurion University of the Negev
Stas Radchenko & Omri Ben Matitiau
Advisors: Dr. Itai Dinur & Mr. Dennis Potashnik
June 2018

WHAT IS SIEM? (slide 2)
• SIEM, short for Security Event and Information Management, is a term for software products and services that provide real-time analysis of security alerts generated by network hardware and applications; it is also used to log security data and generate reports for compliance purposes.
• Gathers security data from many, many sources
• Correlates all of this data in real time
• Generates alerts if suspicious activity is detected
• Stores the data for a long time, providing rapid access when needed and supporting forensic investigations
IBM Security

WHAT IS SOC? (slide 3)
A security operations center (SOC) is a centralized unit that deals with security issues on an organizational and technical level. Usually each SOC uses a SIEM technology for monitoring and investigating security events in its organization.

Project: Main goal (slide 4)
• To give the SOC manager an overview of the current state of the SOC's performance and to assess the analysts' capability.
How we did it: we developed a web application that uses QRadar resources to build features that provide visual insight into the SOC's performance and state and into the analysts' status.

How does an application run and interact with QRadar? (slide 5)
QRadar applications run inside an isolated Python Flask environment that is independent of the QRadar user interface. The application can also use static images, scripts, and HTML pages. All interaction with the application is proxied through the QRadar user interface. No direct access to network ports or web services is usually permitted.

Plugin features (slide 6)
Offences by category feature
• Gives the distribution of the open offences by their category over a specific interval.
• The ability to analyze which offence categories are most common in the SOC.
• An insight into unusual and suspicious events that occur at a specific time.
Opened/Closed offences feature
• Gives an overview of the number of offences opened in a specific interval.
• Gives an overview of the number of offences that were handled by an analyst in a specific interval.
• The ability to see the correlation between opened offences and handled offences and to assess the analysts' performance.

Plugin features (slide 7)
Online/Offline analyst feature
• The ability to see which analysts are currently connected to QRadar and on duty.
• The ability to see which service is currently accessing QRadar resources.
• An insight into which analyst/service was last active.
Assigned offences feature
• The ability to see the number of unattended offences.
• The ability to see the distribution of the currently handled offences among the analysts.
• The ability to notice any offline analysts that currently seem to be in charge of offences.
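As an added example (not the project's own code), the metric logic behind the features on slides 6 and 7, run over constructed offence records. The record fields are modelled on the QRadar REST offence object (id, status, start_time, close_time, assigned_to, categories); the set of currently connected analysts is assumed as input.

```python
"""Added example: SOC-manager metrics over QRadar-style offence records.
Sample data is constructed; field names follow the QRadar REST offence object."""
from collections import Counter

# Constructed sample offences; times are epoch milliseconds as QRadar reports them.
OFFENSES = [
    {"id": 1, "status": "OPEN", "start_time": 1000, "close_time": None,
     "assigned_to": "alice", "categories": ["Authentication", "Access"]},
    {"id": 2, "status": "CLOSED", "start_time": 1500, "close_time": 2500,
     "assigned_to": "bob", "categories": ["Malware"]},
    {"id": 3, "status": "OPEN", "start_time": 2000, "close_time": None,
     "assigned_to": None, "categories": ["Authentication"]},
    {"id": 4, "status": "OPEN", "start_time": 500, "close_time": None,
     "assigned_to": "carol", "categories": ["Policy"]},
]
# Constructed (assumed input): analysts with an active QRadar session right now.
ONLINE_ANALYSTS = {"alice"}


def in_interval(ts, start, end):
    """True when ts (epoch ms) lies in the half-open interval [start, end)."""
    return ts is not None and start <= ts < end


def open_offenses_by_category(offenses, start, end):
    """Category distribution of still-open offences that started in the interval."""
    counts = Counter()
    for o in offenses:
        if o["status"] == "OPEN" and in_interval(o["start_time"], start, end):
            counts.update(o["categories"])
    return dict(counts)


def opened_vs_closed(offenses, start, end):
    """Offences opened in the interval versus those closed (handled) in it."""
    opened = sum(in_interval(o["start_time"], start, end) for o in offenses)
    closed = sum(in_interval(o["close_time"], start, end) for o in offenses)
    return {"opened": opened, "closed": closed}


def assignment_report(offenses, online):
    """Unattended open offences, per-analyst load, and offline analysts holding offences."""
    open_ = [o for o in offenses if o["status"] == "OPEN"]
    per_analyst = Counter(o["assigned_to"] for o in open_ if o["assigned_to"])
    return {
        "unattended": sum(1 for o in open_ if not o["assigned_to"]),
        "per_analyst": dict(per_analyst),
        "offline_with_offenses": sorted(a for a in per_analyst if a not in online),
    }
```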