IBM Announces Network Threat Analytics – Purpose-Built for IBM Network IPS
Earlier this week, IBM announced a network behavioral analysis (NBA) extension for its Network IPS offering which is based on the QRadar Security Intelligence platform.
Using advanced behavioral analytics and anomaly detection, the new QRadar Network Anomaly Detection appliance continuously analyzes network traffic in real-time — using deep packet inspection and passive monitoring of Layer 7 flow data, performed by QFlow and VFlow Collectors — to rapidly identify and prioritize advanced threats such as zero-day attacks and “low and slow” data breaches, as well as more common attacks such as botnets and other malware infections.
In addition, the new appliance correlates its own behavioral information about network activity with alerts and events from the IBM Security Network IPS console, IBM SiteProtector. It also leverages contextual information – to aid in prioritizing the most critical threats – from additional sources including vulnerability assessments, user activity and identity information, and threat intelligence feeds.
By applying behavioral algorithms to network traffic data, the new appliance can immediately flag abnormal events such as:
- Outbound network traffic detected to regions where the company does not conduct any business.
- FTP traffic observed in a department that doesn’t regularly use FTP services.
- A known application running on a non-standard port, or in areas where it is not allowed (e.g. unencrypted traffic running in secure areas of the network).
- Hosts that are sending an abnormally high volume of packets, indicating a potential malware infection.
Prioritizing Threats and Gaining Greater Visibility
QRadar Network Anomaly Detection allows organizations to quantify multiple risk factors in order to evaluate the significance of a reported threat, for example the business value of the targeted assets and any vulnerabilities (such as missing patches) that have been identified for those assets. It leverages core QRadar functionality – such as auto-discovery of assets, protocols and services – to provide a comprehensive asset profile database and a real-time network view that is continuously updated from passive monitoring of network flows, without consuming bandwidth or impacting the network infrastructure.
Integrating QRadar Network Anomaly Detection with IBM Network IPS also provides IBM Network IPS customers with enhanced visibility into their data via QRadar’s Big Data capabilities such as instant search (Google-like indexing across large volumes of unstructured data) as well as sophisticated network security dashboards and pre-configured compliance reports.
Upgradeable to Full QRadar SIEM
QRadar Network Anomaly Detection will be upgradeable to the full-blown SIEM capabilities provided by QRadar SIEM. The full SIEM delivers additional capabilities including the ability to collect and correlate events from a wider range of sources such as firewall logs, Windows and Linux host logs, application logs, database activity monitoring and vulnerability assessment technologies such as IBM Guardium, and configuration/patch management systems such as IBM Security End-Point Manager (BigFix). QRadar SIEM also offers a more comprehensive library of pre-configured correlation rules, dashboards and compliance reports.
Leverages X-Force Threat Intelligence
Like QRadar SIEM, the new appliance receives IP Reputation data from IBM X-Force research, providing insight into suspect entities from a massive URL database containing information about more than 15 billion Web pages and images – believed to be the world’s 2nd largest URL database (after Google) – which are monitored and classified on a continuous basis.
The X-Force feed provides QRadar Network Anomaly Detection with a list of potentially malicious IP addresses such as malware hosts, spam sources, anonymous proxies and other threats. If the appliance sees any traffic to or from these sites, it can immediately alert the organization and provide rich contextual information about the observed activity.
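To make the behavioural checks listed earlier, the asset-value weighting described under "Prioritizing Threats", and the reputation-feed matching above concrete, here is a small flow-based detector written for this post. It is an added illustration, not IBM or QRadar code: the flow records, the business-region table, the subnet-to-department map, the asset values and the "malicious IP" entry are all constructed sample data standing in for what QFlow/VFlow collectors, the asset database and the X-Force feed would supply.

```python
"""Toy flow-anomaly detector (added example, not QRadar's implementation).

Every table below is a constructed assumption for the example; in a real
deployment they would come from the asset database, network policy and the
IP reputation feed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    app: str          # application label from Layer 7 inspection (constructed)
    packets: int
    dst_region: str   # constructed geolocation label for dst_ip
    encrypted: bool


# Constructed context tables (assumptions, not real data).
BUSINESS_REGIONS = {"US", "DE"}                      # where the company does business
DEPARTMENT_OF_SUBNET = {"10.1": "finance", "10.2": "engineering"}
DEPARTMENTS_USING_FTP = {"engineering"}
STANDARD_PORTS = {"http": {80, 8080}, "https": {443}, "ftp": {21}, "ssh": {22}}
SECURE_ZONE_PREFIXES = {"10.1"}                     # subnets where cleartext is not allowed
PACKET_THRESHOLD = 5000                             # packets per host before we flag volume
MALICIOUS_IPS = {"203.0.113.7"}                     # stand-in for one reputation-feed entry
ASSET_VALUE = {"10.1.0.9": 9, "10.2.0.7": 4}        # business value 1-10, default 1
RULE_SEVERITY = {
    "reputation_match": 5,
    "high_packet_volume": 4,
    "outbound_to_non_business_region": 3,
    "unencrypted_in_secure_zone": 3,
    "ftp_in_unusual_department": 2,
    "app_on_nonstandard_port": 2,
}


def _subnet(ip):
    return ".".join(ip.split(".")[:2])


def department_of(ip):
    return DEPARTMENT_OF_SUBNET.get(_subnet(ip), "unknown")


def analyze(flows):
    """Return (rule, host, detail) findings for the behavioural and reputation checks."""
    findings = []
    packets_by_host = Counter()
    for f in flows:
        packets_by_host[f.src_ip] += f.packets
        if f.dst_region not in BUSINESS_REGIONS:
            findings.append(("outbound_to_non_business_region", f.src_ip, f.dst_region))
        if f.app == "ftp" and department_of(f.src_ip) not in DEPARTMENTS_USING_FTP:
            findings.append(("ftp_in_unusual_department", f.src_ip, department_of(f.src_ip)))
        if f.app in STANDARD_PORTS and f.dst_port not in STANDARD_PORTS[f.app]:
            findings.append(("app_on_nonstandard_port", f.src_ip, f"{f.app}:{f.dst_port}"))
        if not f.encrypted and _subnet(f.src_ip) in SECURE_ZONE_PREFIXES:
            findings.append(("unencrypted_in_secure_zone", f.src_ip, f.app))
        if f.dst_ip in MALICIOUS_IPS or f.src_ip in MALICIOUS_IPS:
            findings.append(("reputation_match", f.src_ip, f.dst_ip))
    # Volume is judged per host across all of its flows, not per flow.
    for host, total in packets_by_host.items():
        if total > PACKET_THRESHOLD:
            findings.append(("high_packet_volume", host, total))
    return findings


def prioritize(findings):
    """Score each finding by rule severity times the targeted asset's business value."""
    scored = [(RULE_SEVERITY[rule] * ASSET_VALUE.get(host, 1), rule, host, detail)
              for rule, host, detail in findings]
    return sorted(scored, reverse=True)


# Constructed sample flows: one benign, three carrying different anomalies.
SAMPLE_FLOWS = [
    Flow("10.2.0.5", "198.51.100.10", 443, "https", 120, "US", True),
    Flow("10.1.0.9", "192.0.2.44", 21, "ftp", 300, "DE", False),
    Flow("10.2.0.7", "203.0.113.7", 8443, "http", 60, "BR", False),
    Flow("10.2.0.8", "198.51.100.20", 443, "https", 6000, "US", True),
]

if __name__ == "__main__":
    for score, rule, host, detail in prioritize(analyze(SAMPLE_FLOWS)):
        print(f"{score:3d}  {rule:32s} {host:10s} {detail}")
```

Running it lists six findings: the finance host using FTP and sending cleartext from the secure zone, the engineering host talking HTTP on a non-standard port to a non-business region and to the reputation-listed address, and the host whose packet count crosses the threshold. The scoring step is what moves the high-value finance asset to the top of the list even though its individual rules are less severe than the reputation match.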
IBM also announced the newest version of its Network IPS, which now provides hybrid protection combining the open source capabilities and common rule syntax of SNORT with the broad protection found in IBM’s Protocol Analysis Module (PAM). This gives clients the ability to easily create and share custom IPS rules in a popular open source format while continuing to leverage IBM’s advanced network IPS capabilities.
Considered to be one of the industry’s most comprehensive threat detection engines, IBM’s PAM leverages packet, content, file and session inspection to go beyond the protection offered by traditional IPS technologies and defend against advanced threats such as browser attacks, data leakage and malicious web applications.
Since PAM is a modular and extensible engine that does not rely solely on signature detection, new security protections can be added over time. For example, “shell-code heuristics” have been built into PAM to improve its ability to detect obfuscated or dynamic threats.
PAM is also fed updates from IBM X-Force, including protections for new vulnerabilities discovered by IBM’s X-Force R&D team as well as threat information obtained from the real-time monitoring of 12 billion security events per day and 20,000+ devices for IBM’s managed services clients in more than 130 countries worldwide.
IBM’s Vision for Advanced Threat Protection
This announcement demonstrates IBM’s commitment to evolving its IPS technology to provide advanced threat protection at the network layer, in combination with QRadar Security Intelligence and X-Force Threat Intelligence. This vision will continue to be expanded and delivered over time.
To read the full press release of the announcement, click here.
To read a detailed blog posting describing the benefits of combining IPS with Security Intelligence, click here.