
Copyright 2017 CyberX Ltd. All Rights Reserved. www.cyberx-labs.com 1

CyberX ICS Threat Monitoring App

for QRadar

Version: 2.2.7

July 2017


Overview

The CyberX ICS Threat Monitoring App for QRadar enables security operations teams to investigate advanced threats to their Operational Technology (OT) networks, including targeted attacks, industrial malware and malicious insiders. By using the CyberX ICS Threat Monitoring App, cyber security experts can now leverage QRadar to manage security events across their organizational industrial environments, regardless of the various technologies used within the industrial environment or its topology.

CyberX’s industrial cybersecurity platform combines deep understanding of industrial protocols (e.g., DNP3, Modbus, Siemens S7, OPC, etc.) with continuous monitoring and anomaly detection using proprietary, ICS-specific behavioral analytics. The analytics are enriched by ICS-specific threat intelligence curated by CyberX’s threat research team.

The CyberX App for QRadar presents a unified timeline view of all ICS real-time alert events, separated by type of alert. The platform harnesses five different analytics engines to identify various types of anomalous activity, including: cyber anomalies, known malware, protocol violations, operational anomalies, and policy violations. Users can forward alerts to QRadar based on severity level, type of alert, and specific protocols. They can then correlate information from CyberX’s real-time alerts with other information contained in QRadar, such as logs collected from OT systems and devices.

CyberX can be rapidly deployed by connecting the platform (virtual or physical) to a SPAN port or TAP. It uses a non-invasive approach with zero impact on OT networks that requires no configuration (not dependent on rules or signatures). Analysts can use a range of built-in data mining tools for forensics and threat hunting, and drill down to full-fidelity PCAPs for further investigation and correlation with other data. A rich API is also provided for custom integrations.

Prerequisites

IBM QRadar 7.3.0 or newer.

Supported browsers:

• Chrome (verified on 56.0.x)

• IE (IE10 or later)

Logs from CyberX Platform 2.2.7.39 or later.


Configuration

Configure notification in CyberX Platform:

Note – The protocols and engines shown are only a sample of the CyberX Platform capability; for additional information please refer to the CyberX Platform.

Display Dashboard

Main Dashboard:

The main windows show the events, filtered by analytics engine (Anomaly, Malware, Protocol Violation, Operational, and Policy Violation) and by time.


The dashboard includes various widgets:

• Weekly Events Summary displays the number of events per day.

• Top Events displays the top 5 alerts, allowing for further investigation.

• CyberX Appliances displays the various CyberX platforms deployed within the industrial environment, forwarding events and pinpointed insights to QRadar. In distributed environments, this configuration allows complete security event management to be performed for the entire industrial environment.

Troubleshooting

If no data is displayed, no data was found for the specified time range. In this case, adjust the time range, or verify that the CyberX platform is sending information to QRadar by examining Log Activity in QRadar and filtering for CyberX as the log source. If further troubleshooting is required, examine /var/log/qradar.error and send any suspicious errors to [email protected].