Usage of QRadar with Exasol customers

Team Exasol

Hi community,

I recently had a talk with a prospect using IBM QRadar for monitoring their Oracle DB for suspicious user actions. I have not encountered this tool so far and was wondering whether any of our community members might have some insights on QRadar in combination with Exasol!

Thanks for the insights!
Lennart

1 ACCEPTED SOLUTION

Xpert

Hi,

QRadar is nothing more than a SIEM.

So in terms of Oracle suspicious user behavior it relies on another IBM product, Guardium, which is a database access monitoring (DAM) solution.

We had a POC a couple of years ago with various SIEM providers, and if you don't want to drown in false positive messages you will have to go through a lot of customization of the initial rules and policies. There is currently no product I'm aware of that does not need a good security team to set up and run.

However, SIEM solutions just react to and aggregate events sent to them and try to detect anomalies or check against policies.

In the case of QRadar and Guardium: Guardium sends the executed SQLs and session information from the Oracle database to the QRadar solution, and QRadar tries to analyse whether this is regular behavior for this database user.

This works very well for databases of OLTP applications, as the SQLs tend to follow a certain pattern.

If you run these solutions on data warehouse databases you will initially drown in false positives, as it's rather common for DB users to execute all kinds of totally different SQLs.

As it's not uncommon in Exasol to have auditing enabled, it should be rather simple to forward this information to QRadar using custom scripts or programs.

At the end of the day you will, however, always need a team that constantly tunes and works on your SIEM solution.

3 REPLIES

Xpert

Just noticed that this question was coming from Exasol. So we are not using QRadar and are currently most likely to choose Splunk SIEM or Exabeam.

However, if Exasol wants to have QRadar support, you would need to create a DSM (Device Support Module).

This is a rather straightforward process (https://developer.ibm.com/qradar/creating-custom-dsm/).

As QRadar can pull events from JDBC sources, you could integrate the Exasol audit rather easily.

PS: you could even try to use the Oracle audit connector and create views on the Exasol audit to match the field specifications that this DSM requires.
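The forwarding both Xpert replies describe (a custom script reading the Exasol audit tables and shipping each statement to QRadar) as an added example; this is not code from the thread, from Exasol or from IBM. It assumes the column names of Exasol's EXA_DBA_AUDIT_SQL and EXA_DBA_AUDIT_SESSIONS system tables and QRadar's LEEF 1.0 syslog format; the sample rows are constructed, and the Vendor|Product|Version header values and the DQL_OK-style event IDs are placeholders a custom DSM would have to be built to match.

```python
"""Exasol audit -> QRadar LEEF forwarder (added example, not from the thread).
Assumes EXA_DBA_AUDIT_SQL / EXA_DBA_AUDIT_SESSIONS column names and QRadar's
LEEF 1.0 syslog format; the Vendor|Product|Version header values are placeholders."""
import socket
from datetime import datetime

# Constructed sample: what a JDBC poll of EXA_DBA_AUDIT_SQL joined to
# EXA_DBA_AUDIT_SESSIONS on SESSION_ID would return.
SAMPLE_ROWS = [
    {"SESSION_ID": 4, "STMT_ID": 17, "USER_NAME": "ETL_USER", "HOST": "10.0.0.5",
     "COMMAND_NAME": "SELECT", "COMMAND_CLASS": "DQL", "SUCCESS": True, "ERROR_CODE": None,
     "SCOPE_SCHEMA": "SALES", "START_TIME": datetime(2024, 1, 2, 3, 4, 5),
     "SQL_TEXT": "SELECT *\nFROM sales.orders\tWHERE id = 1"},
    {"SESSION_ID": 9, "STMT_ID": 2, "USER_NAME": "ANALYST", "HOST": "10.0.0.7",
     "COMMAND_NAME": "DROP TABLE", "COMMAND_CLASS": "DDL", "SUCCESS": False, "ERROR_CODE": "42500",
     "SCOPE_SCHEMA": "SALES", "START_TIME": datetime(2024, 1, 2, 3, 5, 0),
     "SQL_TEXT": "DROP TABLE sales.orders"},
]

def leef_escape(value):
    """Neutralise LEEF delimiters (TAB between attributes, '=' after a key) and line breaks."""
    text = "" if value is None else str(value)
    text = text.replace("\t", " ").replace("\r", " ").replace("\n", " ")
    return text.replace("=", "\\=")

def to_leef(row):
    """One audit row -> one LEEF 1.0 event; devTime/usrName/src/cat are QRadar's predefined keys."""
    event_id = f"{row['COMMAND_CLASS']}_{'OK' if row['SUCCESS'] else 'FAIL'}"
    attrs = {"devTime": row["START_TIME"].strftime("%b %d %Y %H:%M:%S"),
             "devTimeFormat": "MMM dd yyyy HH:mm:ss", "usrName": row["USER_NAME"],
             "src": row["HOST"], "cat": row["COMMAND_NAME"], "sessionId": row["SESSION_ID"],
             "stmtId": row["STMT_ID"], "schema": row["SCOPE_SCHEMA"],
             "errorCode": row["ERROR_CODE"], "sql": row["SQL_TEXT"]}
    body = "\t".join(f"{k}={leef_escape(v)}" for k, v in attrs.items())
    return f"LEEF:1.0|Exasol|ExasolDB|7.1|{event_id}|{body}"

def forward(rows, since, send):
    """Ship rows with START_TIME after the watermark `since` (None = all) in time
    order and return the new watermark, so a polling loop never resends a row."""
    watermark = since
    for row in sorted(rows, key=lambda r: r["START_TIME"]):
        if since is None or row["START_TIME"] > since:
            send(to_leef(row))
            watermark = row["START_TIME"]
    return watermark

def udp_syslog_sender(host, port=514):
    """send() callback that prefixes the BSD syslog PRI <14> (user.info) and ships over UDP."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda event: sock.sendto(f"<14>{event}".encode(), (host, port))
```

`forward(SAMPLE_ROWS, None, udp_syslog_sender("qradar.example"))` ships the two sample rows; feed the returned watermark into the next poll so only new audit rows are sent.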


Team Exasol

Thank you very much Charlie, that was very helpful 👌