Townsend Security Turns Over a New LEEF

November 18, 2015 Alex Woodie

Townsend Security‘s Alliance LogAgent software now speaks Log Event Extended Format (LEEF), a data format used by IBM‘s QRadar security information and event monitoring (SIEM) software. The two companies’ integration and development work will dramatically reduce the time spent training QRadar to understand security events happening on IBM i, says Townsend Security founder and CEO Patrick Townsend.

Practically every SIEM product on the planet supports the industry standard Syslog format. Townsend’s software can convert IBM i event data, such as events logged to the QAUDJRN, into the Syslog format so it can be consumed by 35 or so SIEMs and other network security devices that customers have used with it.

But as Townsend explains, there’s a big difference between compatibility and productivity.

“People who deploy these SIEM solutions have dozens to hundreds of different devices–firewalls, routers, PCs, Macs, servers of different kinds–and all those different types of events are going to the SIEM, which has to understand them and sort it out,” Townsend says. “People who deploy SIEM solutions spend a lot of time, sometimes months, training the SIEM solution to recognize the events and know how to interpret them.”

The QRadar team created the LEEF format to help shortcut that training cycle. By generating event data in the LEEF format (or converting it after the fact, as Alliance LogAgent does), the QRadar SIEM immediately knows what a given event means in the context of the server or device that sent it.

“QRadar has its own standard for data formats that it likes to receive. When it gets data in those formats, then it’s really happy and it works out of the box,” Townsend says. “We did the development work with QRadar, and the IBM QRadar team did development work, and the result is . . . that QRadar customers don’t have to spend this time saying ‘OK, this is a password failure from the IBM i server and it probably isn’t a good thing.'”

Townsend gives credit to IBM’s QRadar team for taking the time to understand the IBM i too, including what security events are important and how to rank the severity levels. “We had to work hand in hand with the QRadar team to implement support for it,” he says.

Big IBM i installations can generate upwards of 300 million log events per day, and not all of them are important. The most important events, from a SIEM and security point of view, are those “star security” events related to intrusion detection, password failures, and failure to issue Kerberos tickets. But there are others, Townsend says.

“There are certain events that you may like to know about that don’t fall into that [star security group] that may have security implications,” he says. “We tend to find most people are sending most of what they collect over to the SIEM solution, and let it do the filtering.”

Sending so much data to a SIEM used to be problematic, but the top SIEM products, such as QRadar, have bulked up and can cope with the data deluge, Townsend says. “Five years ago there were some SIEMs that could not keep up with the volume of events we were throwing at them,” he says. “But I think they have mostly handled that issue. I don’t see that as a problem anymore. Our customers are deploying a wide variety of products and they’re standing up to the volume.”

At the end of the day, the result of the partnership between Townsend Security and the IBM QRadar team is less integration work to do to get IBM i log data fed into the QRadar SIEM, and a better real-time security posture. “That’s what we’re achieving with QRadar: that immediate out-of-the-box recognition of what these events mean from a security point of view,” Townsend says.

With Alliance LogAgent acting as the translator, the IBM i server joins about 300 other devices that speak LEEF and work with QRadar without extensive integration and training. For more information on Alliance LogAgent, see www.townsendsecurity.com.

Townsend Delivers Fine-Grained IBM i Log Data to SIEMs

Tags:

Sponsored By
UNITED COMPUTER GROUP, INC.

UCG VAULT400 BaaS Clients have it ALL!

You can't say your data protection is complete until you have a disaster recovery plan that is itself complete and tested.

        • Secure cloud backup and disaster recovery
        • Hardware DR
        • Cyber security training
        • 19 data centers across the U.S. and Canada
        • 24 x 7 x 365 monitoring
        • Supports all platforms and databases
        • The latest in IBM Power Systems
        • An excellent client experience each and every time

HOW MUCH CONFIDENCE DO YOU HAVE IN YOUR CURRENT DATA BACKUP,
DR AND CYBER SECURITY PROGRAMS?

Consider these best practices when evaluating data backup, DR, and cyber security options:

1. RELIABILITY. Up to 71% of restores from tape contain failures. Best Practice: Use disk-to-disk technology for backups. With disk-to-disk technology, your backup data resides on disk drives, proven to be far more reliable than tapes. When your backup completes, you know the data is secure and accessible on the disk drive. With tapes you never really know if your data is usable until you try to restore it, at which point it's too late.

2. BREADTH OF OFFERING. Choice in product and service offerings meet your business' needs. Best Practice: Don't settle for less than what you need. Vendor offerings vary widely. Some are designed primarily for consumers and others for enterprise data centers. Choose a solution that scales (see scalability below), and offers the features you need to provide the level of service you expect. De-duplication and delta-block technologies will improve performance, reduce your data footprint and save you money. Find out if their de-duplication offering is at the file level or the block level. Make sure the solution can back up servers, PCs, and laptops as well your applications.

3. SECURITY. 60% of organizations using tapes don't encrypt their backups. Best Practice: End-to-end encryption with no "back door." Using encryption with tape makes backups run slowly and often takes too long to fit within a backup window. As a result, most people simply turn encryption off, creating a security risk. Even with the physical safety of disk-to-disk backup, encryption is essential. Look for 256-bit AES. Find a solution that encrypts your data during transmission and storage. Make certain there isn't a "back door" that would let someone else view your data.

4. CYBER SECURITY. More than 80% of U.S. companies have been successfully hacked, according to a recent Duke University/CFO Magazine Global Business Outlook Survey. Best Practice: Regular cyber security training and phishing tests for all employees using company email are essential to your organization. Your end-users are the weak link in your network security. Today, your employees are frequently exposed to advanced phishing attacks. Trend Micro reported that 91% of successful data breaches started with a spear-phishing attack. Be sure your vendor of choice includes cyber security training as part of their backup and DR package.

5. Accessibility. Companies waste thousands of hours waiting on tapes. Best Practice: Ensure that you can get your data back with minimal delay. You should have direct access to your backups, with no time spent on physical transport (no trucks, no warehouses). Your restores should take minutes, not hours or days. Set yourself up to work with your data, not wait for it. Make sure your solution provider can meet your Return-to-Operations (RTO) and Recovery Point Objectives (RPO) which determine how quickly you can recover your data and maintain business continuity. Inquire about onsite and offsite replication that provide both improved performance and a solid disaster recovery strategy.

6. Scalability. Some backup systems can't scale readily. Best Practice: Invest in a data protection architecture that can grow with your business. You should be able to back up your data no matter how large it grows. Starting small? Look for an option that handles your backups automatically. Then, as you grow, gives you tools to manage complex environments. Look for "changes-only" and compression technologies to speed backups and save space. And insist on bandwidth throttling to balance traffic and ensure network availability for your other business applications. Make sure that their solution offerings rely on common technology to scale easily as your business--and data--grow.

7. Cost-effectiveness. Companies lose an average of $84,000 for every hour of lost activity. Best Practice: Calculate the true total cost of tape-based back up. When you do the math, the dollars make sense: Go with disk-to-disk. Unlike tape, there are close to zero handling costs-no rush deliveries, loading, accessing, locating, or repeated steps. And there's one benefit you can't factor directly: Reputation. Reliability and security can make an incalculable difference with just one avoided breach or failure.

8. Compliance. Most companies have problems satisfying privacy, security, and data retention regulations. Best Practice: Choose a data protection partner who has deep know-how about compliance, and the technology to ensure it.

9. Disaster Recovery. Most companies lack a comprehensive, tested plan for disasters. Best Practice: Find a vendor that delivers a complete DR solution. You can't say your data protection is complete until you have a disaster recovery plan that is itself complete and tested. Your backup vendor should have both the product mix and professional services team to help you prepare for a worst-case scenario. Make sure they can help configure your backups so you rebound quickly. Best bet: A vendor who can train you to deal with disasters confidently, based on your company's actual configuration.

10. Ease-of-Use. Some companies don't--or can't--manage their backups from one place. Best Practice: Get control and reporting you can use anywhere, with ease. Managing your backup environment should be simple, and the software you use should eliminate any guesswork that could lead to lost data. You should know at all times if your data is protected across your entire network-including remote offices-by simply looking at a dashboard. The software should be simple to configure using wizards, yet powerful enough to meet your specific needs with customizable views, job propagation, and roles-based security.

11. Operating System and Platform Support. Most backup vendors support a limited range of OS, server types, and applications. Best Practice: Look for broad and deep technology that supports your complete environment. Your backup solution should accommodate your environment, not vice versa. Demand a single solution to protect your laptops, desktops, and servers regardless of the platform and applications they're running. Beyond the broad claims, check the fine print, and the level of protection offered for applications such as Exchange. For example, can they restore individual mail messages or contacts, and can they support Exchange running on a Microsoft Cluster?

12. Customer Support. Backup vendors' product support varies widely. Best Practice: Find a vendor whose support is passionate, maybe even slightly obsessed. Customer support should be one of your vendor's main selling points. You shouldn't have to wonder if they'll be there to help when you need them most. Do they offer phone support or email only, and who exactly are you talking to when you call that 800 number? Find a vendor that will treat your data as if it were their own.

13. Reputation. Does your backup vendor have a quality reputation and the financial resources to stay in business for the long haul? Best Practice: Find a vendor with strong financial backing and customer references. There are a lot of vendors that have come and gone. When you consider a service provider, look for one that has strong financial backing, a solid business plan and the ability to be in business as long as your data needs to be stored. Ask for customer references and case studies as their customers are the best validation you can get.

DOWNLOAD A PDF OF THIS ARTICLE:
BEST PRACTICES FOR BACKUP AND RECOVERY

Connect with us on our social networks!

You can find us on Google+, LinkedIn, Twitter, Facebook, and YouTube.

For more information or to schedule a demonstration on UCG's products and services,
please visit us at ucgrp.com/Talk2Us or call 800.211.8798.

Browse our Resource Libraries for important information and downloads!
UCG VAULT400 BaaS Resource Library
UCG S2K Enterprise Management Software (EMS) Resource Library

ucgrp.com • vault400.com

Technology customized to your business, today and in the future.