
You're reading from  Building a Next-Gen SOC with IBM QRadar

Product type: Book
Published in: Jun 2023
Publisher: Packt
ISBN-13: 9781801076029
Edition: 1st Edition
Author: Ashish M Kothekar

Ashish has a total experience of more than 15 years working for IBM on various different platforms. He is currently working as tech evangelist for IBM Security products. He has been instrumental in developing more than 10 IBM certification exams including IBM products like QRadar, Cloud Pak for Security, IBM SiteProtector, IBM XGS, etc. He has worked with multiple customers on deploying and then upgrading IBM security products. He has contributed regularly by writing blogs and giving talks on security products. He has published many redpapers on the integration of security products with IBM Storage solutions like IBM Spectrum scale. These redpapers are now full-fledged solutions that are being sold. He has also cleared two Mandarin language exams and is HSK2 qualified.

The Insider Threat – Detection and Mitigation

From this chapter onward, we will look in detail at the practical application of what we learned in the last seven chapters. QRadar provides a provision wherein Docker-like applications can be installed, called QRadar apps. These apps vary in nature depending on what type of data they consume and how they use this data to provide value to customers. One such app that we will discuss in detail is User Behavior Analytics, also known as UBA.

When thinking about securing an organization, we usually think of the threat actors that come into play. Mostly, we think of securing our organization from outside threats by using firewalls, intrusion prevention systems, honeypots, and so on. If we look at the current trends in security breaches, we find that some threat actors are part of the same organization where the breach has happened. These actors are called insider threats.

The UBA app helps us monitor user behavior. If there is any...

Insider threats – detection and mitigation challenges

Detecting an insider threat is like finding a needle in a haystack. The data generated about all the employees working for an organization is enormous. This data could be about the activities they perform and activities that are permitted or not permitted. Also, there could be situations where an activity is suspicious for one employee but legitimate for another. Scanning through all this data to find insider threats is no easy task. But the UBA app helps you meet this challenge. The other two significant challenges that crop up while working on insider threats are as follows:

  • Consolidating multiple identities of the same employee

We know that in an organization, we have hundreds of assets that may require a user to create multiple identities. For example, a user, Bob, may have an intranet ID, an ID for accessing Linux servers in a lab, a cloud account for accessing AWS, another cloud account for accessing...

What is UBA?

Many security vendors provide similar security solutions, called User and Entity Behavior Analytics (UEBA). Other vendors, apart from IBM, have the solution as a separate product. But IBM has designed UBA to provide seamless integration with the information already available in terms of event data that we have in QRadar. The integration is tighter than the standalone UEBA solution, providing better results in a shorter period. As QRadar has also introduced App Host as a separate managed host where apps can be installed, the number of computational resources provided to UBA can be drastically increased.

UBA and ML form the backbone of QRadar when it comes to insider threats. These are security products in themselves that are seamlessly integrated into QRadar. There are other vendors that provide UBA as separate products. But adding UBA as an app in QRadar has multiple advantages, including ease of use.

The ML models used in QRadar for UBA help to drastically reduce...

Setting up QRadar UBA

Now that we know why we need UBA in our environment, let us look at the steps that need to be taken to set it up. The first step is to install UBA. It is important to know the computational resource requirements of UBA: when installed with ML, UBA needs far more resources than when deployed without the ML model, and hence you should always use QRadar App Host.

In the official docs, there's more information on how to install the Machine Learning Analytics app: https://www.ibm.com/docs/en/qradar-common?topic=app-machine-learning-analytics

Once installed, we will need to import user information into UBA. Both topics, installing UBA and importing user information, are discussed in detail next.

Installing QRadar UBA

QRadar UBA, as mentioned earlier, is a QRadar app. The app is available from the QRadar App Exchange portal, which is publicly available at https://exchange.xforce.ibmcloud.com/hub. The UBA app is available as a ZIP file that can be downloaded...

How does QRadar UBA work?

As mentioned earlier, before installing the UBA app, there is the prerequisite that a DSM named IBM Sense is installed on QRadar. We learned what DSMs are in Chapters 4 and 5. To reiterate, DSMs are device support modules installed on QRadar, so that QRadar parses incoming data in a consumable format.

When the UBA app is installed, UBA rules are also added. These UBA rules look for certain event data, and if it is found, a sense event is triggered. This sense event is then consumed by the UBA app. The sense event will have a certain risk value as well as a username associated with it. When UBA consumes this sense event, it in turn increases the risk value of the user. Risk scores are stored in the QRadar PostgreSQL database.

The IBM Sense DSM is used to parse the sense event in this case. Once the Sense DSM parses the event, the event is evaluated against all the rules in QRadar, including the just-added UBA rules too. If the event matches the rule conditions...

Understanding the UBA dashboard

The UBA app displays users and their corresponding risk scores. You can configure the type of users that you would like to monitor. It could be a group of users based on factors such as department, employees on notice period, and employees working for a specific customer across departments. The classification of users is possible when we have enough data on users. This data is usually imported when we integrate with the directory server of the organization.

Figure 8.2 – UBA dashboard

In the preceding figure, we see that there are 68 monitored users, out of which 50 users were imported from the directory server. UBA is capable of discovering new users based on the events that it consumes. We previously discussed that the other way to add users is by importing from reference data. In Figure 8.2, however, we have not imported any users from reference data.

Along with the users, there are corresponding risk scores...

Integration with the ML app

The ML app brings with it capabilities of predictive modeling. This application requires intensive computation and works best when you use a separate App Host to host the applications. The ML app is installed after the UBA app is installed.

Important note

It is recommended that after you install UBA and configure it to import users, you install the ML app after at least 24 hours. This gives UBA enough time to create user profiles and assign risk scores.

The ML app has different models that it uses:

  • Individual (Numeric) user model: This model calculates a value for a user.
  • Individual (Observable) user model: This model calculates a set of attributes and their event counts.
  • Peer Group model: This model is used to build a set of attributes and event counts and alert if the deviation of the user from the defined peer group is too large. What we mean by deviation is the deviation in the risk score of the user. This peer group could be all the...
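The three ideas the chapter has introduced so far, consolidating a user's multiple identities, accumulating risk from sense events, and comparing a user's risk against a peer group, are easier to see together in a small working model. The following Python is an added illustration, not IBM's code and not UBA's actual scoring or ML algorithm; the identity map, peer groups, sense events, the "sum the risk values" accumulation and the mean-plus-k-standard-deviations outlier rule are all constructed assumptions chosen to mirror the text.

```python
"""Simplified model of UBA-style risk scoring and peer-group deviation (added illustration,
not IBM's code or UBA's real algorithm; every identity, event and threshold is constructed)."""
from collections import defaultdict
from statistics import mean, pstdev
# Identity map: one employee's several IDs (intranet ID, lab Linux login, AWS account)
# are consolidated to a single canonical user before any risk is attributed.
IDENTITY_MAP = {
    "bob.smith@corp.example": "bob",
    "bsmith": "bob",
    "arn:aws:iam::000000000000:user/bob-dev": "bob",
    "alice.jones@corp.example": "alice",
    "ajones": "alice",
    "carol.white@corp.example": "carol",
}

# Peer groups, e.g. the department field imported from the directory server.
PEER_GROUP = {"bob": "finance", "alice": "finance", "carol": "finance", "dave": "finance"}

# Sense events: what a UBA rule emits when its conditions match. Each carries the
# username that matched and the risk value the rule assigns (constructed values).
SENSE_EVENTS = [
    {"username": "bsmith", "risk": 5, "rule": "UBA: Login from unusual host"},
    {"username": "bob.smith@corp.example", "risk": 10, "rule": "UBA: Bulk file download"},
    {"username": "arn:aws:iam::000000000000:user/bob-dev", "risk": 15, "rule": "UBA: Bucket made public"},
    {"username": "ajones", "risk": 5, "rule": "UBA: Login from unusual host"},
    {"username": "carol.white@corp.example", "risk": 5, "rule": "UBA: Login from unusual host"},
]

def canonical_user(identity):
    """Resolve a known identity to its consolidated user; unknown IDs (e.g. root) stay as-is."""
    return IDENTITY_MAP.get(identity, identity)

def risk_scores(events):
    """Accumulate per-user risk by summing the risk value of each consumed sense event."""
    scores = defaultdict(int)
    for ev in events:
        scores[canonical_user(ev["username"])] += ev["risk"]
    return dict(scores)

def peer_group_outliers(scores, groups, k=1.0):
    """Flag users whose score exceeds their peer group's mean by more than k std devs."""
    outliers = []
    for group in sorted(set(groups.values())):
        members = [u for u, g in groups.items() if g == group]
        values = [scores.get(u, 0) for u in members]  # members with no events score 0
        mu, sigma = mean(values), pstdev(values)
        outliers += [(u, group, scores.get(u, 0)) for u in members
                     if sigma > 0 and scores.get(u, 0) > mu + k * sigma]
    return outliers
```

Without the identity map, Bob's 30 points would be split three ways across IDs that each look unremarkable next to their peers, which is exactly why the chapter lists identity consolidation as a primary challenge.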

UBA application tuning

The UBA app, along with the ML app, needs a lot of tuning as per your environment. We have seen that the UBA application has many configuration parameters. We have already mentioned that if you plan to use UBA, you should install App Host, as UBA is a computationally heavy app. The resources made available to the UBA and ML apps may limit the number of users that can be monitored. If the number of users becomes high, UBA will require more computational resources, and without them performance suffers: the UBA app's graphical interface can become slow or unresponsive.

Some basic tuning tips for the UBA and ML apps are as follows:

  • Import users using a directory server/LDAP/CSV file

We have seen that there are many ways in which users are added. In Figure 8.2, we saw that a few users were discovered from event data, such as events and flows. For most of these users, the event data contains usernames such as admin and root that cannot be correlated...

Understanding the QRadar NTA app

We have discussed UBA and understand that it works on different kinds of events that are received in QRadar. But what about flows? Does QRadar use flows to detect anomalies in behavior? Yes, it does. And for that, we have a QRadar app called QRadar NTA. You may install this app from the IBM X-Force App Exchange portal, and it is free of charge.

After installing QRadar NTA, the app trains itself by analyzing the flows already available and creates a baseline of what kind of traffic is received. NTA uses ML algorithms to understand and generate a baseline. The following screenshot shows the configuration settings required for NTA:

Figure 8.4 – Configuration parameters for the NTA app

In the preceding screenshot, we can see the authorized token that will be generated on QRadar, and then you may copy and paste it into the app.

Default timeframe is the amount of time for which the NTA app analyzes the flow data...

Summary

In this chapter, we have discussed how the UBA app can be installed and configured correctly. Always remember that UBA is a heavy application in terms of computational resources, and so we should install App Host first. Additionally, the UBA app is updated regularly with new features, new rules, and new searches. To benefit from these, always keep your UBA app up to date.

Also, you should use QRadar NTA along with UBA as it helps get granular information if there is anomalous behavior identified. The risk scores provide guidance on what behavior to look at first. The dashboards for both applications will help you detect as well as mitigate insider threats.

In the next chapter, we will dig deep into how QRadar leverages Watson, IBM’s cognitive engine, to integrate its AI capabilities with the sea of data that QRadar possesses.
