IBM Security QRadar SIEM and Sourcefire Defense Center

IBM QRadar Security Intelligence Platform integrates with Sourcefire Defense Center to help customers with their most challenging use cases. QRadar SIEM provides:

• Integrated log, threat and compliance management
• Asset profiling and flow analytics
• Offense management and workflow

QRadar SIEM allows single-pane troubleshooting of issues to create a Security Operations Center. Its powerful rules engine correlates data, detects anomalies and generates a manageable list of the highest-priority risks requiring forensic investigation and remediation. QRadar SIEM derives value by working with best-of-breed products. Sourcefire Defense Center provides QRadar with a rich source of contextual data that can be correlated with other data sources and used by our out-of-the-box rules and reports.

Sourcefire Defense Center (now known as the FireSIGHT Management Center) unifies the critical security functions of the Sourcefire next-generation network security platforms, using FireSIGHT real-time awareness and security automation technology to collect information about intrusion events, network devices, applications, and identities. Real-time awareness technology provides the network intelligence and contextual awareness you need to respond to changing conditions and threats. The visibility and automation that this provides make networks more secure and reduce operational costs.

QRadar can automatically collect detailed Sourcefire event data using the powerful Sourcefire eStreamer Application Program Interface (API). Network and security professionals can choose to forward any of the following Sourcefire event types to their QRadar platform:

• Intrusion events
• Impact flag alerts
• Intrusion event packet data
• Real-time network awareness events
• Real-time user awareness events
• Compliance and white list events

The following use cases are examples of how QRadar can leverage the value of Defense Center, which customers have already invested in and deployed throughout their infrastructure. IBM Security QRadar and Cisco combine to enable customers to reach compliance and security goals, and to reduce the risk and severity of security breaches.

1. Detect an exploit on Windows servers

Sourcefire detects Zotob on the network as it attempts to spread and exploit more hosts. An alert is passed to QRadar, where analysts can check for anti-virus alerts across all servers in the environment (even those not covered by Sourcefire sensors) and determine the extent of the problem.

2. Early warning of an attack on a vulnerable asset

Intrusion events generated by Snort can be correlated against Real-time Network Awareness host profiles to determine if the attack has the potential to compromise the host. This correlation results in Sourcefire scoring intrusion events with an ‘Impact Flag’. These Impact Flag events are then compared against QRadar asset information to confirm the vulnerability based on the most recent scan. A rule finds there was a connection and an authentication event from the attacker IP address to the vulnerable target. An offense is created based on QRadar’s assessment that there is a high likelihood of the attack succeeding and the host being exploited.

3. Fraud prevention

A new peer-to-peer service is seen on the network from several hosts associated with database application servers. Peer-to-peer is not supported in this part of the network, and Sourcefire Defense Center sends an alert to QRadar. QRadar notifies the network administrator, who investigates. The user was not aware of any P2P usage, so the administrator treats it as a covert channel, removes it, and deletes a directory of hacker tools that were updated the day before. The administrator creates a rule to identify a covert channel and generate an offense in the future.

These examples show how QRadar can leverage the value of best-of-breed products you have already invested in throughout your infrastructure and combine them to enable you to reach compliance and security goals. Integrating Sourcefire with QRadar enables total visibility into everything on your network across the enterprise, including physical and virtual hosts, operating systems, applications, services, protocols, users, content, network behavior, as well as network attacks and malware, to address complex security threats.
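The correlation logic behind use cases 2 and 3 above, written out as an added, self-contained illustration. This is not QRadar or Sourcefire code and does not use either product's API: the event field names, the asset table, the database segment 10.0.2.0/24, the vulnerability identifiers (VULN-EXAMPLE-*) and every event record are constructed sample data. The first rule fires only when an Impact Flag event is confirmed by the asset model's latest scan and is followed by both a connection and an authentication from the attacker address; the second flags a P2P application seen on a host in a segment where P2P is not supported.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# --- constructed sample data (illustration only; not real QRadar/Sourcefire records) ---

# Sourcefire-style events as they might arrive via eStreamer. "impact" stands in for the
# Impact Flag: 1 means Sourcefire judged the target vulnerable to the triggered signature.
# "rna" events mimic Real-time Network Awareness application discovery.
SOURCEFIRE_EVENTS = [
    {"t": 100, "type": "intrusion", "src": "203.0.113.7", "dst": "10.0.1.20",
     "vuln": "VULN-EXAMPLE-1", "impact": 1},
    {"t": 110, "type": "intrusion", "src": "203.0.113.9", "dst": "10.0.1.21",
     "vuln": "VULN-EXAMPLE-2", "impact": 1},            # no follow-up auth: stays an alert
    {"t": 120, "type": "intrusion", "src": "203.0.113.9", "dst": "10.0.1.22",
     "vuln": "VULN-EXAMPLE-1", "impact": 3},            # Sourcefire says target not vulnerable
    {"t": 130, "type": "rna", "host": "10.0.2.5", "app": "BitTorrent"},   # P2P on DB segment
    {"t": 131, "type": "rna", "host": "10.0.9.8", "app": "BitTorrent"},   # P2P where it is allowed
]

# Asset model: vulnerabilities confirmed by the most recent scan of each host (constructed).
ASSETS = {
    "10.0.1.20": {"last_scan": 90, "vulns": {"VULN-EXAMPLE-1"}},
    "10.0.1.21": {"last_scan": 95, "vulns": {"VULN-EXAMPLE-2"}},
    "10.0.1.22": {"last_scan": 95, "vulns": set()},
}

# Flow and authentication records from other log sources (constructed).
OTHER_EVENTS = [
    {"t": 101, "type": "flow", "src": "203.0.113.7", "dst": "10.0.1.20"},
    {"t": 105, "type": "auth", "src": "203.0.113.7", "dst": "10.0.1.20", "user": "svc_backup"},
    {"t": 111, "type": "flow", "src": "203.0.113.9", "dst": "10.0.1.21"},   # flow but no auth
]

DB_SEGMENT = ip_network("10.0.2.0/24")   # assumption: the segment where P2P is unsupported


@dataclass(frozen=True)
class Offense:
    rule: str
    src: str
    dst: str
    magnitude: int
    detail: str


def rule_exploit_likely(sf_events, assets, other_events, window=60):
    """Use case 2: Impact Flag event + scan-confirmed vulnerability + connection + auth
    from the attacker address to the target within `window` time units."""
    offenses = []
    for ev in sf_events:
        if ev.get("type") != "intrusion" or ev.get("impact") != 1:
            continue
        asset = assets.get(ev["dst"])
        if not asset or ev["vuln"] not in asset["vulns"]:
            continue   # Sourcefire judged it vulnerable, but the latest scan does not confirm
        later = [o for o in other_events
                 if o["src"] == ev["src"] and o["dst"] == ev["dst"]
                 and ev["t"] <= o["t"] <= ev["t"] + window]
        saw_flow = any(o["type"] == "flow" for o in later)
        auths = [o for o in later if o["type"] == "auth"]
        if saw_flow and auths:
            offenses.append(Offense(
                "exploit_likely", ev["src"], ev["dst"], 9,
                f"{ev['vuln']} confirmed by scan at t={asset['last_scan']}; "
                f"authentication as {auths[0]['user']} at t={auths[0]['t']}"))
    return offenses


def rule_covert_channel(sf_events, segment=DB_SEGMENT,
                        p2p_apps=("BitTorrent", "eDonkey", "Gnutella")):
    """Use case 3: a P2P application discovered on a host in a segment where P2P is unsupported."""
    return [Offense("covert_channel", ev["host"], ev["host"], 6,
                    f"{ev['app']} observed on host in {segment}")
            for ev in sf_events
            if ev.get("type") == "rna" and ev.get("app") in p2p_apps
            and ip_address(ev["host"]) in segment]


def correlate():
    """Run both rules over the sample data and return the resulting offenses."""
    return (rule_exploit_likely(SOURCEFIRE_EVENTS, ASSETS, OTHER_EVENTS)
            + rule_covert_channel(SOURCEFIRE_EVENTS))


if __name__ == "__main__":
    for o in correlate():
        print(f"[{o.rule}] magnitude={o.magnitude} {o.src} -> {o.dst}: {o.detail}")
```

Run as-is, the first rule raises exactly one offense (the 203.0.113.7 to 10.0.1.20 chain), while the 10.0.1.21 event stays a plain alert because no authentication followed the connection, and the impact-3 event is dropped before the asset lookup. The second rule fires only for the BitTorrent host inside 10.0.2.0/24. Requiring the scan to agree with the Impact Flag is what keeps the offense list short enough to investigate, which is the point the use case makes.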