Townsend Security Turns Over a New LEEF
November 18, 2015 Alex Woodie
Townsend Security‘s Alliance LogAgent software now speaks Log Event Extended Format (LEEF), a data format used by IBM‘s QRadar security information and event monitoring (SIEM) software. The two companies’ integration and development work will dramatically reduce the time spent training QRadar to understand security events happening on IBM i, says Townsend Security founder and CEO Patrick Townsend.
Practically every SIEM product on the planet supports the industry standard Syslog format. Townsend’s software can convert IBM i event data, such as events logged to the QAUDJRN, into the Syslog format so it can be consumed by 35 or so SIEMs and other network security devices that customers have used with it.
But as Townsend explains, there’s a big difference between compatibility and productivity.
“People who deploy these SIEM solutions have dozens to hundreds of different devices–firewalls, routers, PCs, Macs, servers of different kinds–and all those different types of events are going to the SIEM, which has to understand them and sort it out,” Townsend says. “People who deploy SIEM solutions spend a lot of time, sometimes months, training the SIEM solution to recognize the events and know how to interpret them.”
The QRadar team created the LEEF format to help shortcut that training cycle. By generating event data in the LEEF format (or converting it after the fact, as Alliance LogAgent does), the QRadar SIEM immediately knows what a given event means in the context of the server or device that sent it.
“QRadar has its own standard for data formats that it likes to receive. When it gets data in those formats, then it’s really happy and it works out of the box,” Townsend says. “We did the development work with QRadar, and the IBM QRadar team did development work, and the result is . . . that QRadar customers don’t have to spend this time saying ‘OK, this is a password failure from the IBM i server and it probably isn’t a good thing.'”
Townsend gives credit to IBM’s QRadar team for taking the time to understand the IBM i too, including what security events are important and how to rank the severity levels. “We had to work hand in hand with the QRadar team to implement support for it,” he says.
Big IBM i installations can generate upwards of 300 million log events per day, and not all of them are important. The most important events, from a SIEM and security point of view, are those “star security” events related to intrusion detection, password failures, and failure to issue Kerberos tickets. But there are others, Townsend says.
“There are certain events that you may like to know about that don’t fall into that [star security group] that may have security implications,” he says. “We tend to find most people are sending most of what they collect over to the SIEM solution, and let it do the filtering.”
Sending so much data to a SIEM used to be problematic, but the top SIEM products, such as QRadar, have bulked up and can cope with the data deluge, Townsend says. “Five years ago there were some SIEMs that could not keep up with the volume of events we were throwing at them,” he says. “But I think they have mostly handled that issue. I don’t see that as a problem anymore. Our customers are deploying a wide variety of products and they’re standing up to the volume.”
At the end of the day, the result of the partnership between Townsend Security and the IBM QRadar team is less integration work to do to get IBM i log data fed into the QRadar SIEM, and a better real-time security posture. “That’s what we’re achieving with QRadar: that immediate out-of-the-box recognition of what these events mean from a security point of view,” Townsend says.
With Alliance LogAgent acting as the translator, the IBM i server joins about 300 other devices that speak LEEF and work with QRadar without extensive integration and training. For more information on Alliance LogAgent, see www.townsendsecurity.com.