Friday, July 11, 2014

Gartner Publishes 2014 Magic Quadrant for SIEM

Gartner just published the 2014 SIEM Magic Quadrant and Critical Capabilities reports, and IBM Security QRadar is again positioned in the Leaders quadrant, this time better than ever.
For the first time, IBM Security QRadar is positioned furthest to the right for vision and highest for ability to execute, which I believe makes us THE LEADER in this space. That means IBM Security is rated above:
  • HP
  • McAfee
  • Splunk
  • LogRhythm
  • EMC (RSA)
…and every other vendor on “Ability to Execute” (the Y-axis) and “Completeness of Vision” (the X-axis). This represents overall viability, product/service, customer experience, market responsiveness, product track record, sales execution, operations and marketing execution.
[Figure: Gartner 2014 Magic Quadrant for Security Information and Event Management (SIEM), charting IBM Security alongside HP, McAfee, LogRhythm, Splunk, EMC (RSA) and other vendors.]
This recognition reflects the origins of QRadar, its growth as an independent company and the accelerated investments the IBM Security Systems division has made in the QRadar Security Intelligence Platform since it acquired Q1 Labs back in 2011. Case in point: In just the last 10 months, we’ve tightly integrated vulnerability management and network forensics technologies that double and triple down on the IT security team productivity enhancements — offense records — delivered by QRadar SIEM.
Furthermore, this achievement especially reflects the positive experiences our clients report because no vendor is positioned highly without good customer references. We’re fortunate to have satisfied customers who will share their IT security objectives, deployment details, user experiences and more, helping to confirm the value of our module extensions and technology integration.

The Magic Behind the Positioning of IBM as a Leader in Gartner’s 2014 SIEM Magic Quadrant

Every supplier will tell you they satisfy customer demand. But what customers need is a partner who delivers highly innovative solutions to problems they may not yet be aware of or in a way they had not considered, such as correlating network flows with log events and asset values and identity. We did that years ago, and we called it Security Intelligence. But customer after customer also tells me the same thing: We love QRadar because it does what you folks say it does, and it does it rapidly, dependably and easily.
According to this new Gartner Magic Quadrant report, Security Information and Event Management (SIEM) is a $1.5 billion market that grew 16 percent during 2013 and is expected to grow at a rate of 12.4 percent in 2014. The Leaders quadrant consists of vendors that deliver solutions that are a good match to general SIEM market requirements, have been the most successful in building an installed base and revenue stream within the SIEM market and show evidence of superior vision and execution. I believe that IBM Security QRadar has done all of these things and far more, and my hat is off to this extremely talented, dedicated and hardworking team that has delivered outstanding solutions to our customers in this critical and strategic marketplace.

Leaders in the 2014 Gartner SIEM Magic Quadrant

Friday, June 27, 2014

Tracking historical logs in SIEM

We often have incidents that are reported, for whatever reason, after the DHCP lease has expired and the host has received a new IP address. For whatever reason, the host name isn't captured when it's reported to the SIEM.
What are some solutions you have seen used to track the historical IP address of a device when we might not have the host name?
This seems like a common issue, but I haven't seen any one method that works for all organizations.
DHCP can be received from a network device or a Microsoft Windows DHCP server, so is the answer to track locally and send that information to SYSLOG?


Whatever your DHCP sources are, make sure you log them all, for all networks in scope. Make sure your log source timestamps reconcile with a common NTP source, and take into account your various timezones if your network locations span multiple geographic regions.
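As an added illustration of the approach in this answer (not code from the original thread), here is a Python sketch that parses constructed DHCP server audit log lines modelled on the Windows DHCP audit log layout, normalises the server's local timestamps to UTC and answers "which host held this IP at this time". The log layout, the event IDs, the 8-hour lease duration and the UTC-4 server offset are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the Windows DHCP server audit log layout
# (ID,Date,Time,Description,IP Address,Host Name,MAC Address); not a real capture.
SAMPLE_LOG = """\
10,06/20/14,08:01:12,Assign,10.1.2.50,laptop-alice.corp.example,001122334455
11,06/20/14,12:01:12,Renew,10.1.2.50,laptop-alice.corp.example,001122334455
12,06/20/14,17:30:00,Release,10.1.2.50,laptop-alice.corp.example,001122334455
10,06/21/14,09:15:40,Assign,10.1.2.50,desk-bob.corp.example,66778899AABB
17,06/21/14,17:15:40,Expired,10.1.2.50,desk-bob.corp.example,66778899AABB
"""
LEASE_EVENTS = {"10", "11"}      # new lease, renewal (assumed event IDs)
END_EVENTS = {"12", "16", "17"}  # release, deleted, expired (assumed event IDs)
SERVER_TZ = timezone(timedelta(hours=-4))  # assumption: the server logs local EDT time
def parse_dhcp_log(text, source_tz):
    """Return (utc_time, event_id, ip, host, mac) tuples, server-local time normalised to UTC."""
    events = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) < 7 or not parts[0].isdigit():
            continue  # header or malformed line
        local = datetime.strptime(parts[1] + " " + parts[2], "%m/%d/%y %H:%M:%S")
        utc = local.replace(tzinfo=source_tz).astimezone(timezone.utc)
        events.append((utc, parts[0], parts[4], parts[5], parts[6]))
    return sorted(events, key=lambda e: e[0])
def build_lease_timeline(events, lease_seconds):
    """Collapse events into [ip, start, end, host, mac]; a lease never outlives lease_seconds."""
    intervals, open_leases = [], {}
    for when, eid, ip, host, mac in events:
        current = open_leases.get(ip)
        if eid in LEASE_EVENTS:
            if current and current[4] == mac:
                current[2] = when + timedelta(seconds=lease_seconds)  # renewal extends the lease
                continue
            if current:  # address handed to a different client: close the old lease now
                current[2] = min(current[2], when)
                intervals.append(current)
            open_leases[ip] = [ip, when, when + timedelta(seconds=lease_seconds), host, mac]
        elif eid in END_EVENTS and current:
            current[2] = min(current[2], when)  # release/expiry (even a late one) ends it
            intervals.append(open_leases.pop(ip))
    return intervals + list(open_leases.values())
def who_had(timeline, ip, when_utc_iso):
    """Return (host, mac) that held ip at the given UTC instant, or None if no lease was active."""
    when = datetime.fromisoformat(when_utc_iso).replace(tzinfo=timezone.utc)
    for lease_ip, start, end, host, mac in timeline:
        if lease_ip == ip and start <= when < end:
            return host, mac
    return None
TIMELINE = build_lease_timeline(parse_dhcp_log(SAMPLE_LOG, SERVER_TZ), lease_seconds=8 * 3600)
```

Feeding the same timeline with every DHCP source in scope (and the correct offset per source) is what lets an analyst resolve an incident's IP to the host that actually held it at the time.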

Websense audit trail logs in QRadar


Can QRadar SIEM collect the Websense audit trail logs that show which administrators have accessed TRITON - Email Security, as well as any changes made to policies and settings?

Link: http://www.websense.com/content/support/library/email/v76/esg_help/customizing_audit_log_explain_esg.aspx

We followed the DSM guide to collect the logs for Websense; we are getting the application logs but not the Websense audit trail logs.

If yes, please share the detailed process.

Appreciate your help at the earliest.

Websense Email Security provides an audit trail showing which administrators have accessed TRITON - Email Security, as well as any changes made to policies and settings. This information is available only to Super Administrators. Monitoring..

Websense uses their Multiplexer service to filter events from logs to generate Syslog events for QRadar (or any other SIEM). I do not know if the audit logs are exported or supported by the Multiplexer, as the audit logs are generated in HTML/Excel format.

If the Multiplexer service does not support audit logs, then the existing Device Support Module (DSM) for Websense TRITON would need a protocol update to support a method to retrieve and parse the events. The DSM would also require a review of the audit event format generated by Websense to ensure that the events are parsed and categorized properly.

Tuesday, June 17, 2014

How to Stop Cyber Attackers?

Business happens everywhere. Employees access applications from smartphones, and developers provision cloud resources on demand. Security must travel with the user and the data, especially outside the walls of the organization.
Instead of evolving their practices, organizations layer on more and more tools from multiple vendors, each one claiming to solve a new part of the problem. These isolated tools are unable to prevent new breeds of attack and can’t provide the security team a view of what’s going on across the enterprise.