Welcome to the Secure-ISS Onboarding Guide for the Security and Event Monitoring Service. Use this guide as you navigate your way through the process over the coming weeks.
After executing contractual paperwork, the first deliverable will be the completion and return of the On-Boarding Documentation sent through by your Project Manager.
You will receive TWO important documents: the SOC_OnboardingDocument_Network and the SOC_OnboardingDocument_VPN.
The documents contain sensitive information and should NOT be sent as email attachments. You will have received an invitation to our file sharing platform, Sharefile. This platform will be used for document exchange over the life of our engagement.
If you are nominating another person to assist with this documentation, please submit a request to soc@secure-iss.com to add this resource to the Sharefile Platform. We will need the name of the resource and his/her email address.
You may also receive a New Client Onboarding Form at this time. This document is more administrative in nature and contains billing contacts, phone numbers and other information. This form may be returned via email if convenient.
NOTE: The project cannot begin until at least the Network and VPN Documents are returned.
The first piece of technical work is the establishment of the VPN Tunnel between our environments. This work is dependent on the SOC_OnboardingDocument_Network and SOC_OnboardingDocument_VPN documents having been returned and verified.
One of our SOC Engineers will configure our end of the Tunnel to spec and then advise your technical contact when complete. Often, simply setting up your end to the same specs is enough to bring the tunnel up. If not, some co-operation may be required between Secure-ISS Engineers and your Engineering Contact.
The VPN Document will have the details needed to create the SOC Network VLAN on your end of the VPN Tunnel.
It is inside this VLAN that the SIEM Infrastructure will reside. The VLAN must be configured before we can move to phase 3.
Once the VPN Tunnel is up, you will be asked to prepare your environment for both the QRadar Appliance and the Incident Response Jumpbox. As both these Virtual Machines often reside on the same Hypervisor, it is common that they are done in parallel.
Using the Technical Details from the VPN Document, prepare your Hypervisor for QRadar Appliance Setup by allocating the appropriate Resources and by downloading the correct ISO Image Files to your environment. The process differs slightly depending on your Hypervisor Technology.
For Detailed Instructions for setting up the Appliance under Hyper-V Technology, click HERE
For Detailed Instructions for setting up the Appliance under Nutanix and VMWare Technology, click HERE
Regardless of which Hypervisor Technology you have implemented, the Secure-ISS Engineer will require a TeamViewer session with you to access the Hypervisor Console to complete the QRadar Host setup.
You can prepare by downloading TeamViewer from HERE
The Jumpbox provides Secure-ISS SOC Engineers access to the environment for the purposes of responding to Serious Incidents.
For Detailed Instructions for setting up the Jumpbox, click HERE
For the Secure-ISS Engineer to complete the Appliance Setup, you will need to make available a Windows Workstation that the Secure-ISS Engineer can access remotely. This workstation can be any machine, but it must meet the requirements below. It also must have access to the console of the Hypervisor the Appliance is to be installed on.
Once the Remote Workstation is ready, contact your SOC Onboarding Project Manager to schedule the SIEM Appliance Installation and Configuration.
It is common practice to allow communications between the SOC VLAN and other in-scope VLANs without too much restriction during the onboarding activities. This is to reduce connectivity issues that could delay the entire setup process.
Once the SIEM is in place and running smoothly, clients may wish to increase the level of Network Security involving the SOC VLAN.
Below are some guidelines to assist in this process but bear in mind every client network is unique and security requirements will vary.
Minimum Connectivity Requirements for Log Forwarding
Generally, if SOC VLANs are to be locked down, involve the Secure-ISS SOC so that some tests can be conducted to ensure that core SIEM functions are not broken when introducing security measures.
NOTE: Please ensure the network connectivity is configured for in-scope VLANs to send WinCollect telemetry to the QRadar Host in the SOC VLAN. You can test your firewall rules using the PowerShell commands below.
Test-NetConnection -ComputerName <QRadarHost> -Port 514 -InformationLevel "Detailed"
Test-NetConnection -ComputerName <QRadarHost> -Port 8413 -InformationLevel "Detailed"
Before we start configuring Windows Machines to send logs to the QRadar SIEM, it is important we configure the Active Directory Domain Controllers (if any exist on-premises) for Enhanced Auditing.
This is to provide the maximum level of granularity possible for logs to be gathered, ingested, and correlated. This is extremely important in the event of an incident or breach and can assist greatly in Incident Response and Forensics Activities.
For Detailed Instructions on how to configure your Active Directory Domain Controllers, click HERE
WinCollect is a software Agent used to collect and forward logs from Windows Machines to QRadar. All Windows servers in your environment that are to be monitored will need to have the WinCollect and Sysmon agents installed.
First Steps - When it is time to onboard the Windows machines, your SOC Onboarding Project Manager will send you a Sharefile link to your WinCollect folder. In this folder you will find all the files you need for this step.
Network Share - First step is to save these files to a Network Share that your Windows machines have Read-Execute access to.
Test Group - Next, identify a small test group of 2 or 3 Windows machines. For these test machines, you can run the supplied batch file manually to test the files and installation process. Once you have done this, advise your SOC Onboarding Project Manager, who will confirm the test machines’ logs have arrived as intended.
Global WinCollect Rollout - Once your SOC Onboarding Project Manager confirms the logs look as they should, he will advise you to commence with the rollout of the remaining Windows servers at your convenience. You may use any centrally managed software installation solution you may have in place. Alternatively, you can use Active Directory and Group Policy to achieve this task.
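The following PowerShell is an added example, not code from the Secure-ISS guide or its WinCollect folder. Run on one of the test-group machines, it combines the firewall test from the NOTE above (TCP 514 and 8413 to the QRadar Host) with a check that the WinCollect and Sysmon services are installed and running, so a machine can be flagged before logs are expected from it. The QRadar host name is a placeholder, and the service names are the installer defaults, which your deployment may have renamed.

```powershell
# Added example (not part of the Secure-ISS guide). Run locally on a WinCollect test machine.
# Assumptions: $QRadarHost is a placeholder for the address in your VPN Document;
# service names 'WinCollect', 'Sysmon' and 'Sysmon64' are installer defaults.
param(
    [string]$QRadarHost = 'qradar.soc-vlan.example',   # placeholder, replace with your QRadar Host
    [int[]]$Ports = @(514, 8413)                       # syslog and WinCollect management ports
)

$results = @()

# 1. Agent services: both agents must be present and running before any logs can arrive.
$required = @{
    WinCollect = @('WinCollect')
    Sysmon     = @('Sysmon', 'Sysmon64')   # name depends on which Sysmon binary was installed
}
foreach ($agent in $required.Keys) {
    $svc = Get-Service -Name $required[$agent] -ErrorAction SilentlyContinue | Select-Object -First 1
    $status = if ($svc) { [string]$svc.Status } else { 'Not installed' }
    $results += [pscustomobject]@{
        Check  = "Service $agent"
        Result = $status
        Pass   = ($status -eq 'Running')
    }
}

# 2. Connectivity: Test-NetConnection exercises TCP only, so a pass shows the firewall path
#    from this VLAN to the SOC VLAN is open for TCP syslog (514) and WinCollect (8413).
foreach ($p in $Ports) {
    $t = Test-NetConnection -ComputerName $QRadarHost -Port $p -WarningAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = "TCP ${QRadarHost}:$p"
        Result = $(if ($t.TcpTestSucceeded) { 'Open' } else { 'Blocked or no route' })
        Pass   = [bool]$t.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

# A non-zero exit code lets a rollout tool (GPO script, software deployment job) flag
# this machine for follow-up instead of assuming its logs will reach the SIEM.
if ($results | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

A blocked result on 514 or 8413 points at the VLAN firewall rules described in the NOTE above, while a missing service points at the batch file or deployment job, which keeps the two failure modes apart when reporting back to your SOC Onboarding Project Manager.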
Network Anomaly Detection has typically been a premium feature of SIEM solutions and often involves the installation of hardware appliances on the customers’ network. The implementation of this technology and associated hardware has traditionally raised the cost of SIEM technology significantly.
To meet the requirement to detect network anomalies without the associated hardware costs, Secure-ISS has developed a software-based sensor solution that will over time detect a wide range of network-based attacks.
For Detailed Instructions on setting up this component, click HERE
NOTE: The Network Anomaly Detection component is not compulsory, but it is advised that you adopt this piece of telemetry. It is also not necessary to do this right away; it can be delayed until towards the end of the project. If this suits you, move on to Phase 7.
One of the most important sources of event logs is your Firewall. To configure your firewall to forward Event Logs to Secure-ISS you may need to consult your vendor user guide. Some of the more common Firewall user guides have been included here for your convenience.
As Palo Alto is the vendor of choice for Secure-ISS, we have the most expertise with this device. As such, our instructions for configuring this Firewall are the most in-depth.
For detailed setup instructions for Palo Alto Firewalls, click HERE
Many other Firewall Brands are successfully sending Event Logs to the Secure-ISS SIEM. These include CheckPoint, Fortinet, WatchGuard and SonicWall to name a few.
For some other commonly deployed Firewall Brands and Models setup guides, see this Wiki Article HERE or consult your own User Manual.
Now that all the Windows Servers and Firewalls have been added to the deployment, you can start to add the many other cloud sources of Event Logs to the solution. This is not an exhaustive list but is a collection of the most commonly added Cloud Log Sources.
O365 is an important and valuable source of data for Secure-ISS and the SOC. If you have an O365 Tenant, we strongly advise this be added to the deployment.
The setup requires some work at both ends but basically involves the configuration of your O365 Tenancy to generate some unique and secret API Keys and IDs, then forward this information securely to the SOC Onboarding Team.
For detailed set-up instructions for Office 365, please see the Wiki Article HERE
Google G-Suite is an important and valuable source of data for Secure-ISS and the SOC. If you have a Google G-Suite Subscription, we strongly advise this be added to the deployment.
The setup requires some work at both ends but basically involves the configuration of your Google G-Suite Subscription to generate a unique Service Account ID and JSON File, then forwarding this information securely to the SOC Onboarding Team.
For detailed set-up instructions for Google G-Suite, please see the Wiki Article HERE
Sophos Central EDR is a good source of telemetry for the SIEM. To configure your Sophos Central Cloud service to send logs to the QRadar SIEM, you will need to log into the Sophos Central Customer Portal as administrator, retrieve some sensitive keys and send them back to Secure-ISS.
For detailed set-up instructions for Sophos, please see the Wiki Article HERE
NOTE: The Sophos Instructions cover 2 possible methods. Scroll down to the Sophos SIEM Integration Using API Credentials section and follow those instructions.
In addition to ingesting the Security Event Logs from the Operating System of your Servers, QRadar can also ingest Application Layer logs from the various Applications that run on your servers.
These logs can prove extremely valuable, particularly during forensic activities and incident response.
IBM lists many Application Logs and their configuration details, but you should look to prioritise the following, should you have them in your environment.
Microsoft Configuring Certificate Authority Auditing
Microsoft DHCP Server
Microsoft Exchange Server
Microsoft IIS Server
Microsoft DNS Debug
Microsoft SQL Server
NGINX
Apache
If there are any remaining Log Sources that you would like to configure, these can now be done. They include devices such as:
At this time, it is worth considering any Applications that may be able to forward logs. If the Application or device can forward syslog to an external IP, then it can likely be ingested by QRadar.
If you are unsure, please contact your SOC Onboarding Project Manager.