Enhanced Cyber Resilience Threat Detection with IBM FlashSystem Safeguarded Copy and IBM QRadar


Book Description

The focus of this document is to demonstrate an early threat detection by using IBM® QRadar® and the Safeguarded Copy feature that is available as part of IBM FlashSystem® and IBM SAN Volume Controller. Such early detection protects and quickly recovers the data if a cyberattack occurs. This document describes integrating IBM FlashSystem audit logs with IBM QRadar, and the configuration steps for IBM FlashSystem and IBM QRadar. It also explains how to use the IBM QRadar's device support module (DSM) editor to normalize events and assign IBM QRadar identifier (QID) map to the events. Post IBM QRadar configuration, we review configuring Safeguarded Copy on the application volumes by using volume groups and applying Safeguarded backup polices on the volume group. Finally, we demonstrate the use of orchestration software IBM Copy Services Manager to start a recovery, restore operations for data restoration on online volumes, and start a backup of data volumes.




Securing IBM Spectrum Scale with QRadar and IBM Cloud Pak for Security


Book Description

Cyberattacks are likely to remain a significant risk for the foreseeable future. Attacks on organizations can be external and internal. Investing in technology and processes to prevent these cyberattacks is the highest priority for these organizations. Organizations need well-designed procedures and processes to recover from attacks. The focus of this document is to demonstrate how the IBM® Unified Data Foundation (UDF) infrastructure plays an important role in delivering the persistence storage (PV) to containerized applications, such as IBM Cloud® Pak for Security (CP4S), with IBM Spectrum® Scale Container Native Storage Access (CNSA) that is deployed with IBM Spectrum scale CSI driver and IBM FlashSystem® storage with IBM Block storage driver with CSI driver. Also demonstrated is how this UDF infrastructure can be used as a preferred storage class to create back-end persistent storage for CP4S deployments. We also highlight how the file I/O events are captured in IBM QRadar® and offenses are generated based on predefined rules. After the offenses are generated, we show how the cases are automatically generated in IBM Cloud Pak® for Security by using the IBM QRadar SOAR Plugin, with a manually automated method to log a case in IBM Cloud Pak for Security. This document also describes the processes that are required for the configuration and integration of the components in this solution, such as: Integration of IBM Spectrum Scale with QRadar QRadar integration with IBM Cloud Pak for Security Integration of the IBM QRadar SOAR Plugin to generate automated cases in CP4S. Finally, this document shows the use of IBM Spectrum Scale CNSA and IBM FlashSystem storage that uses IBM block CSI driver to provision persistent volumes for CP4S deployment. All models of IBM FlashSystem family are supported by this document, including: FlashSystem 9100 and 9200 FlashSystem 7200 and FlashSystem 5000 models FlashSystem 5200 IBM SAN Volume Controller All storage that is running IBM Spectrum Virtualize software




Cyber Resiliency with Splunk Enterprise and IBM FlashSystem Storage Safeguarded Copy with IBM Copy Services Manager


Book Description

The focus of this document is to highlight early threat detection by using Splunk Enterprise and proactively start a cyber resilience workflow in response to a cyberattack or malicious user action. The workflow uses IBM® Copy Services Manager (CSM) as orchestration software to invoke the IBM FlashSystem® storage Safeguarded Copy function, which creates an immutable copy of the data in an air-gapped form on the same IBM FlashSystem Storage for isolation and eventual quick recovery. This document explains the steps that are required to enable and forward IBM FlashSystem audit logs and set a Splunk forwarder configuration to forward local event logs to Splunk Enterprise. This document also describes how to create various alerts in Splunk Enterprise to determine a threat, and configure and invoke an appropriate response to the detected threat in Splunk Enterprise. This document explains the lab setup configuration steps that are involved in configuring various components like Splunk Enterprise, Splunk Enterprise config files for custom apps, IBM CSM, and IBM FlashSystem Storage. The last steps in the lab setup section demonstrate the automated Safeguarded Copy creation and validation steps. This document also describes brief steps for configuring various components and integrating them. This document demonstrates a use case for protecting a Microsoft SQL database (DB) volume that is created on IBM FlashSystem Storage. When a threat is detected on the Microsoft SQL DB volume, Safeguarded Copy starts on an IBM FlashSystem Storage volume. The Safeguarded Copy creates an immutable copy of the data, and the same data volume can be recovered or restored by using IBM CSM. This publication does not describe the installation procedures for Splunk Enterprise, Splunk Forwarder for IBM CSM, th Microsoft SQL server, or the IBM FlashSystem Storage setup. It is assumed that the reader of the book has a basic understanding of system, Windows, and DB administration; storage administration; and has access to the required software and documentation that is used in this document.




Proactive Early Threat Detection and Securing Oracle Database with IBM QRadar, IBM Security Guardium Database Protection, and IBM Copy Services Manager by using IBM FlashSystem Safeguarded Copy


Book Description

This IBM® blueprint publication focuses on early threat detection within a database environment by using IBM Security® Guardium® Data Protection and IBM QRadar® . It also highlights how to proactively start a cyber resilience workflow in response to a cyberattack or potential malicious user actions. The workflow that is presented here uses IBM Copy Services Manager as orchestration software to start IBM FlashSystem® Safeguarded Copy functions. The Safeguarded Copy creates an immutable copy of the data in an air-gapped form on the same IBM FlashSystem for isolation and eventual quick recovery. This document describes how to enable and forward Oracle database user activities (by using IBM Security Guardium Data Protection) and IBM FlashSystem audit logs by using IBM FlashSystem to IBM QRadar. This document also describes how to create various rules to determine a threat, and configure and launch a suitable response to the detected threat in IBM QRadar. The document also outlines the steps that are involved to create a Scheduled Task by using IBM Copy Services Manager with various actions.




Cyber Resiliency with IBM QRadar and IBM Spectrum Virtualize for Public Cloud on Azure with IBM Copy Services Manager for Safeguarded Copy


Book Description

The focus of this Blueprint publication is to highlight the early threat detection capabilities of IBM® QRadar® and to show how to proactively start a cyber-resilience workflow in response to a cyberattack or malicious user actions. The workflow uses IBM's Copy Services Manager as orchestration software to start IBM Spectrum Virtualize for Public Cloud (SV4PC) Safeguarded Copy functions. The IBM SV4PC Safeguarded Copy function creates an immutable copy of the data in an air-gapped form on the same IBM SV4PC on Azure for isolation and eventual quick recovery. This document describes the steps that are involved to enable and forward IBM SV4PC audit logs to IBM QRadar. It also describes how to create various rules to determine a threat, and configure and start a suitable response to the detected threat in IBM QRadar. This document also explains how to register a storage system and create a scheduled task by using IBM Copy Services Manager. Finally, this document also describes deploying IBM QRadar and SV4PC on Azure. A use case for protecting the MS SQL database (DB) volume that was created on IBM SV4PC is included. Upon threat detection on a database volume, Safeguarded Copy is started for IBM SV4PC volume. The Safeguarded Copy creates an immutable copy of the data. The same data volume can be recovered or restored by using IBM's Copy Services Manager.




Proactive Early Threat Detection and Securing SQL Database With IBM QRadar and IBM Spectrum Copy Data Management Using IBM FlashSystem Safeguarded Copy


Book Description

This IBM® blueprint publication focuses on early threat detection within a database environment by using IBM QRadar®. It also highlights how to proactively start a cyber resilience workflow in response to a cyberattack or potential malicious user actions. The workflow that is presented here uses IBM Spectrum® Copy Data Management as orchestration software to start IBM FlashSystem® Safeguarded Copy functions. The Safeguarded Copy creates an immutable copy of the data in an air-gapped form on the same IBM FlashSystem for isolation and eventual quick recovery. This document describes how to enable and forward SQL database user activities to IBM QRadar. This document also describes how to create various rules to determine a threat, and configure and start a suitable response to the detected threat in IBM QRadar. Finally, this document outlines the steps that are involved to create a Scheduled Job by using IBM Spectrum® Copy Data Management with various actions.




Early Threat Detection and Safeguarding Data with IBM QRadar and IBM Copy Services Manager on IBM DS8000


Book Description

The focus of this blueprint is to highlight early threat detection by IBM® QRadar® and to proactively start a cyber resilience workflow in response to a cyberattack or malicious user actions. The workflow uses IBM Copy Services Manager (CSM) as orchestration software to start IBM DS8000® Safeguarded Copy functions. The Safeguarded Copy creates an immutable copy of the data in an air-gapped form on the same DS8000 system for isolation and eventual quick recovery. This document also explains the steps that are involved to enable and forward IBM DS8000 audit logs to IBM QRadar. It also discusses how to use create various rules to determine a threat, and configure and start a suitable response to the detected threat in IBM QRadar. Finally, this document explains how to register a storage system and create a Scheduled Task by using CSM.




Cyber Resiliency Solution using IBM Spectrum Virtualize


Book Description

This document is intended to facilitate the solution for Safeguarded Copy for cyber resiliency and logical air gap solution for IBM FlashSystem and SAN Volume Controller. The document showcases the configuration and end-to-end architecture for configuring the logical air-gap solution for cyber resiliency by using the Safeguarded Copy feature in IBM FlashSystem and IBM SAN Volume Control storage. The information in this document is distributed on an "as is" basis without any warranty that is either expressed or implied. Support assistance for the use of this material is limited to situations where IBM FlashSystem or IBM SAN Volume Controller storage devices are supported and entitled and where the issues are specific to a blueprint implementation.




Proactive Early Threat Detection and Securing Oracle Database with IBM QRadar, IBM Security Guardium Database Protection, and IBM Copy Services Manager by Using IBM FlashSystem Safeguarded Copy


Book Description

This IBM® blueprint publication focuses on early threat detection within a database environment by using IBM Security Guardium® Data Protection and IBM QRadar®. It also highlights how to proactively start a cyber resilience workflow in response to a cyberattack or potential malicious user actions. The workflow that is presented here uses IBM Copy Services Manager as orchestration software to start IBM FlashSystem® Safeguarded Copy functions. The Safeguarded Copy creates an immutable copy of the data in an air-gapped form on the same IBM FlashSystem for isolation and eventual quick recovery. This document describes how to enable and forward Oracle database user activities (by using IBM Security Guardium Data Protection) and IBM FlashSystem audit logs by using IBM FlashSystem to IBM QRadar. This document also describes how to create various rules to determine a threat, and configure and launch a suitable response to the detected threat in IBM QRadar. The document also outlines the steps that are involved to create a Scheduled Task by using IBM Copy Services Manager with various actions.




Early Threat Detection and Safeguarding Data with IBM QRadar and IBM Copy Services Manager on IBM DS8000


Book Description

The focus of this blueprint is to highlight early threat detection by IBM℗ʼ QRadar℗ʼ and to proactively start a cyber resilience workflow in response to a cyberattack or malicious user actions. The workflow uses IBM Copy Services Manager (CSM) as orchestration software to start IBM DS8000℗ʼ Safeguarded Copy functions. The Safeguarded Copy creates an immutable copy of the data in an air-gapped form on the same DS8000 system for isolation and eventual quick recovery. This document also explains the steps that are involved to enable and forward IBM DS8000 audit logs to IBM QRadar. It also discusses how to use create various rules to determine a threat, and configure and start a suitable response to the detected threat in IBM QRadar. Finally, this document explains how to register a storage system and create a Scheduled Task by using CSM.