SIEM replacement - QRadar considerations

Data gateway

In the Splunk platform, an intermediate forwarder can queue data and send it to the cloud, similar to how a QRadar data gateway functions. Splunk platform forwarders are better able to scale vertically with pipelines, making it a more flexible architecture. Discuss this use case carefully, including the pros, cons, and security concerns if any.

Event and flow collectors

When discussing data requirements within the context of the SIEM Use Case Development Workshop, be sure you discuss both traditional log events and network/flow data. They are collected separately in a QRadar implementation, and it's important to understand that the Splunk platform captures data differently to ensure nothing is missed. You might need to collect some data via UF/Syslog, other data via Stream/HTTP event collector, or some other method. This should all be captured and documented in the architecture plan.

Event and flow processors

In QRadar, rules are applied before data is stored on their data nodes, whereas the Splunk platform applies rules and detections at search time, leaving raw data untouched. As you plan for data processing within the context of the Splunk platform and Splunk Enterprise Security, ensure that you document required technical add-ons to be installed on the ES search head to achieve Common Information Model (CIM) compliance.

Data nodes

Data nodes are the equivalent of Splunk indexers, but typically the Splunk platform does not store normalized data, as it does most data normalization at search time. As you discuss Splunk architecture within the context of the SIEM Use Case Development Workshop, ensure you make sizing and architecture recommendations appropriately, to accommodate expected data volume, as well as data redundancy and clustering requirements. Additionally Splunk indexers can be unlimited in number and are used to improve search performance, similar to QRadar data nodes.

Data stores

While the Splunk platform has the capability to search across Splunk indexers, it can scale much farther, as it has the capability to search across multiple external locations, for example, using federated search across S3 buckets. As you work through a SIEM Use Case Development Workshop, be sure to identify all applicable data sources, even if they are within external locations that are not currently being sent to QRadar data stores.

Console

Splunk Enterprise Security (ES) is equivalent to the QRadar console, a user interface that security analysts utilize to interact with the systems. It provides access to dashboards, reports and real-time views to monitor and investigate security alarms. Be sure you understand your standard operating procedures for incident response and triage, and determine what, if any, circumstances might be needed for the ES application. This might take the form of custom workflow actions, investigation workbench customization, incident review settings, and more. Document anything that might need to be customized or extended within ES.

Rules and offenses

QRadar uses rules and “building blocks” to define conditions that, when met, trigger an offense (a potential security incident). These are equivalent to ES correlation searches. However, we do not recommend a “lift and shift” approach of QRadar detections to ES correlation searches. As you perform the use case workshop portion of the SIEM Use Case Development Workshop, ensure you capture all business requirements and security monitoring objectives, and take a requirements-based approach to building Enterprise Security use cases.

Throughout this phase, it is also important to draw a distinction between two types of correlation searches: risk rules (narrowly defined detections, capturing single indicator events), and risk notables (correlations across risk rules/index that, when triggered, would be representative of a potential security incident). This distinction comprises the key components (among others) of ES that make up the risk-based alerting concept.

Reference data sets

Reference data sets are the equivalent of lookups (csv or kvstore collection). As you work through the SIEM Replacement Workshop, ensure you capture all enrichment requirements you have, and document any that are not currently a core out-of-the-box function of Splunk Enterprise Security. ES contains a number of out-of-the-box lookups/trackers such as access trackers and protocol trackers, in addition to a Threat Intelligence framework. Be sure to clarify when an out-of-the-box lookup or tracker can meet the requirements of their security monitoring program objectives. In addition, be sure to document any threat intelligence you currently use, so it can be emulated within the ES Threat Intelligence framework.

Assets and identities

Like Splunk Enterprise Security, QRadar integrates with asset and identity data to provide context to security events. As you work through the SIEM Use Case Development Workshop, ensure you document all sources of relevant asset and identity data. Start with the main source of truth, and add additional enrichment sources (vulnerability data, CMDB, etc) that might be relevant and provide contextual value. These can be configured directly in Splunk Enterprise Security, and will be merged into a single kvstore collection for assets and another for identities.

Custom properties

QRadar offers custom field extractions and apps beyond what is extracted and normalized at event processing time to extend the information associated with events, flows, or offenses. Throughout the use case workshop portion of the engagement, be sure to fully understand your use cases to determine whether any additional data extraction might be required, beyond what is provided by Splunk-supported technical add-ons.

Reports and dashboards

Like Splunk Enterprise Security, QRadar provides reporting and dashboard capabilities to visualize and analyze security data. Document all your dashboarding and reporting requirements, and note which of those are not currently met by out-of-the-box dashboarding and reporting capabilities within Splunk Enterprise Security. ES provides a number of out-of-the-box dashboards and reports, which might or might not meet your security monitoring requirements.

IBM Cloud Pak for Security

The IBM Cloud Pak for Security is similar to Splunk Mission Control. However, it is deployed on-prem, used as SaaS, private cloud, or public cloud, while Splunk Mission Control is cloud only. If this is applicable to you, note how you use this tool and how it will apply to ES and Mission Control functionality.

Behavioral detections

QRadar has behavioral detection capabilities, including the following:

• User Behavioral Analytics: Discover deviations across normal user behavior
• Entity Behavioral Analytics: Monitor behavior of devices, services, applications, etc. for deviations from normal behavior
• Insider Threat Detection: Discover employees or other insiders that pose a potential threat to the organization

If you leverage QRadar’s behavioral detection capabilities, be sure to discuss these within the context of the SIEM Use Case Development Workshop. As with correlation search discovery, it is important to identify and document your business requirements for behavioral detections and determine how to solve for these requirements within Splunk Enterprise Security. Splunk User Behavior Analytics might be required as part of your Splunk architecture, but a number of these should be able to be addressed using MLTK and standard deviation methodology within Splunk ES.