Author Archive

Thursday, 29 March 2012 11:06

Know Your Users: Using QRadar SIEM for User Activity Monitoring

You know that QRadar SIEM excels at collecting, correlating and reporting on unusual activity, but have you ever wondered how it performs user activity monitoring?  Or what value this would have for your organization?

In this new 8-minute YouTube demo, we look at how the integration of identity and access management data enables real-time user activity monitoring.  We show how QRadar can identify risky or abnormal activity of user groups such as employees with privileged access, contractors, or terminated employees.

What value would user activity monitoring provide?  You might care about a number of use cases:

  • A terminated employee taking action on your network (if terminated, how is he or she still on your network?)
  • A privileged employee accessing databases she doesn’t usually access (is she performing malicious activity? Was her account compromised by an attacker? Or did her responsibilities just change?)
  • An employee from one geography, who does not travel for business, seen performing activity in a different geography (was his account taken over?)
  • A contractor accessing a database or application that he doesn’t require for his job (can he be trusted? Do his actions require closer monitoring?)
  • And many more examples specific to your business.

Without a SIEM solution that can correlate identity and access management data with network activity in real time, most organizations would miss these risks.  But QRadar provides the visibility to know whenever a user performs activity that is risky or abnormal.  Whether you want to be alerted to security and risk incidents in real-time or view automated reports periodically, QRadar makes it easy to take a proactive stance toward user risks and improve your security posture.
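As an added illustration (example code, not QRadar's own logic), the following Python sketches how the use cases above become rules once identity data is available alongside activity events: an IAM/HR feed supplies status, role, home geography and the databases a user normally touches, and each event is checked against that context. The identity feed, the event stream and the finding names are all constructed for the example.

```python
# Constructed identity feed (what an IAM/HR export would supply); "travels"
# records whether out-of-region activity is expected for this person.
IDENTITY = {
    "alice": {"status": "active", "role": "employee", "privileged": True,
              "home_geo": "US", "travels": False, "usual_dbs": {"hr_db", "payroll_db"}},
    "bob":   {"status": "terminated", "role": "employee", "privileged": False,
              "home_geo": "US", "travels": False, "usual_dbs": set()},
    "carol": {"status": "active", "role": "contractor", "privileged": False,
              "home_geo": "DE", "travels": False, "usual_dbs": {"crm_db"}},
}

# Constructed events: (timestamp, user, event type, target, source geography).
EVENTS = [
    ("2012-03-29T09:00", "alice", "db_access", "hr_db", "US"),
    ("2012-03-29T09:05", "alice", "db_access", "finance_db", "US"),
    ("2012-03-29T09:10", "bob",   "login",     "vpn", "US"),
    ("2012-03-29T09:12", "carol", "login",     "vpn", "CN"),
    ("2012-03-29T09:15", "carol", "db_access", "payroll_db", "CN"),
    ("2012-03-29T09:20", "svc_legacy", "db_access", "hr_db", "US"),
]

def evaluate(events, identity):
    """Return (user, finding) pairs, one per rule that fires on an event."""
    findings = []
    for _ts, user, etype, target, geo in events:
        ctx = identity.get(user)
        if ctx is None:
            # Activity under an account the IAM feed does not know about at all.
            findings.append((user, "unknown-identity"))
            continue
        if ctx["status"] == "terminated":
            findings.append((user, "terminated-user-activity"))
        if geo != ctx["home_geo"] and not ctx["travels"]:
            findings.append((user, "activity-outside-home-geo"))
        if etype == "db_access" and target not in ctx["usual_dbs"]:
            if ctx["role"] == "contractor":
                findings.append((user, "contractor-unusual-db"))
            elif ctx["privileged"]:
                findings.append((user, "privileged-unusual-db"))
            else:
                findings.append((user, "unusual-db"))
    return findings

def by_user(findings):
    """Group findings per user so each user yields one summary to review."""
    summary = {}
    for user, finding in findings:
        summary.setdefault(user, []).append(finding)
    return summary
```

The unknown-account case matters in practice: an identity feed that is stale or incomplete produces accounts that no status check can vet, so they deserve a finding of their own rather than silent acceptance.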

For more information, visit the Q1 Labs Resource Center today.


Monday, 26 March 2012 08:33

Clients Reveal the Meaning and Value of Security Intelligence

We’ve written extensively in this blog about what Security Intelligence means in concept and practice.  As a new solution category, it benefits from wide discussion and exploration.  My colleague Chris Poulin recently shared Security Intelligence insights from a client and partner panel he moderated at IBM Pulse 2012, where Security Intelligence was a pervasive theme.  In this post, I’ll share a few more data points I picked up from clients at Pulse who discussed what Security Intelligence means and the business value they’re obtaining from it.

One panel discussion included the information security executive of a major media company, the global head of IT security at a global manufacturer, and IBM’s own Vice President of IT Risk, Kris Lovejoy.

The opening question – “What is Security Intelligence?” – elicited some interesting views:

  • The ability to learn something germane and relevant at the time you need to make a decision.  (Media co. exec)
  • It’s less about the technology and more about the destination.  Understanding the different threats, instrumenting our architecture in a way that is consumable and actionable.  (Lovejoy)

And my personal favorite:

  • Knowing what the hell is going on!  (Manufacturing co. exec)

The last comment really speaks to the pain experienced by security, risk and IT executives who are wrestling with an explosion of threats, limited visibility and information silos that are tough to bridge.  (Not to mention fixed/shrinking budgets.)  Who doesn’t worry about what’s taking place out of sight in their organization?

Kris Lovejoy also shared a deeper insight about the impact of Security Intelligence:

Viewing Security Intelligence as a destination brings along a new way of thinking.  Security Intelligence can be an effective marketing tool internally.  You start to think about security differently and strategically.

This is powerful.  Security Intelligence is not just a set of technologies, processes, or even the insights resulting from them.  It’s also an approach – one focused on up-leveling the security and compliance conversation, focusing on end goals (especially stretch goals), and delivering greater value to both IT and the Line of Business.

An answer to the next question – “How do you justify security investments?” – also emphasized the need to tie security and risk initiatives back to business value:

Focus on business outcomes that are made possible through the investments.  (Manufacturing co. exec)

In other words, what supply chain initiatives are you enabling through careful security controls?  What cloud services are you making possible through policies, controls and monitoring?  And ideally, are you leveraging your security investments to gain tangible insights that drive revenue opportunities?

One client who presented at Pulse is doing just that, leveraging his Security Intelligence solution to gain Business Intelligence.  This security executive from a financial services firm is not only using Security Intelligence to detect fraud (as Chris Poulin describes), but also to pinpoint commercial customers whose business has started to decline.  Because his Security Intelligence solution is easily customizable, he uses it to identify falling sales volumes as easily as fast-rising ones.  They feed this information to their Sales team in real-time, who reach out to those customers and can often reverse the negative trend, making a meaningful impact on the company’s bottom line.

In fact, the business insights produced by the Security Intelligence solution are so valuable that this company’s executive team specifically praised the IT Security organization’s work during one of the company’s recent earnings conference calls.  Imagine becoming a hero to your CEO.

Last, I wanted to share the panelists’ perspectives on where the IT security and risk field is headed.  In response to the question “What will be different about security in five years?”, they shared the following:

  • We won’t need so much audit preparation effort.  The information will just be there, accessible. (Media co. exec)
  • The bulk of the organization will focus on risk management and business processes, not compliance.  (Lovejoy)

Again, note the themes of information visibility and better connecting IT Security with the Line of Business.

To sum up what I heard from clients at Pulse:  Security and risk executives are pursuing Security Intelligence initiatives to raise enterprise-wide visibility, gain actionable and tailored information, and transform security and risk management from a tactical pursuit to a strategic initiative driving bottom-line business value.

For help with your own Security Intelligence journey, be sure to check out this comprehensive Resource Center.


Monday, 5 March 2012 11:58

Getting Proactive with Security Intelligence: QRadar Risk Manager Raises the Bar

Building on the momentum of our latest QRadar SIEM and QRadar Log Manager release just two weeks ago, we are excited to announce a new release of QRadar Risk Manager that adds several highly anticipated enhancements.  As a refresher, QRadar Risk Manager is the member of the QRadar Security Intelligence Platform that provides pre-exploit configuration monitoring and attack simulation.  These proactive capabilities help identify security gaps and prevent security breaches and compliance violations before they occur, providing a perfect pairing to the advanced analytics, detection and reporting of QRadar SIEM.

The new configuration monitoring and management capabilities make it easier than ever to strengthen perimeter security and improve network visualization:

Normalized rule and security device comparison allows users to compare rules and object groups across the same security device type (historical comparisons, for example), as well as across differing device types. For example, users can compare the configuration of all of their Internet firewalls, regardless of brand, helping them ensure that all firewalls are configured consistently. QRadar Risk Manager provides views that quickly and easily identify which rules have been added and deleted, highlighting object group changes between devices.

Topology visualization enhancements improve the overall usability of the product by allowing users to hover over interfaces to quickly view connection and interface details. This saves time by removing the need to “drill down” to view this information. This release also provides the ability to quickly save and retrieve saved searches, plus comprehensive path filtering options that include the ability to filter on multiple criteria. The release further adds improved path visualization capabilities, including arrows that indicate path direction and hover options that display partially allowed path information (such as specific ports). Users can also drill down from a hover window to view firewall rules that enable a given path, with a single click.

Firewall rule counting and event association is a powerful feature that associates firewall “accept” and “deny” events with specific firewall rules. Users can now report on most, least and never used rules, aiding in firewall optimization by identifying and eliminating rules that are no longer needed. The ability to drill down from a rule to specific firewall events that triggered it aids with rule forensics, such as detecting what traffic has been allowed by a rule, and where the traffic originated.  This helps diagnose traffic issues and assists in determining the impact of rule changes before those changes are made. Liberal rules, such as “any port” and “any destination,” can be easily restricted without the fear of blocking critical traffic.

Shadowed rule detection is a highly requested feature that allows detection of rules that are “over-shadowed” by previous rules that contradict or render them ineffective.  This feature reduces excessive firewall overhead and unforeseen security exposures. QRadar Risk Manager now allows users to identify and report on shadowed rules, allowing them to be easily fixed. A hover-over interface also allows the user to instantly view shadowed rule information without the need to drill down.
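To make the rule counting and shadowed rule detection described in the two paragraphs above concrete, here is an added Python example (not QRadar Risk Manager code) that evaluates flows against an ordered rule base with first-match semantics, counts how often each rule decides a flow, and reports rules that an earlier rule covers entirely. The rule base and flows are constructed; the check only considers a single earlier rule as the shadowing rule, not a union of several.

```python
import ipaddress

# Constructed rule base in device order: (name, source, destination, port, action).
RULES = [
    ("r1", "10.1.0.0/16", "192.168.10.5/32", 443, "accept"),
    ("r2", "any",         "192.168.10.5/32", 443, "deny"),
    ("r3", "10.1.2.0/24", "192.168.10.5/32", 443, "accept"),   # fully covered by r1
    ("r4", "10.2.0.0/16", "any",             "any", "accept"), # liberal "any/any" rule
    ("r5", "10.2.3.0/24", "192.168.20.0/24", 22,  "deny"),     # r4 contradicts it first
]

# Constructed flows: (source IP, destination IP, destination port).
FLOWS = [
    ("10.1.2.7", "192.168.10.5", 443),
    ("10.5.0.1", "192.168.10.5", 443),
    ("10.2.3.4", "192.168.20.9", 22),
    ("10.1.2.7", "192.168.10.5", 443),
]

def _net(spec):
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)

def covers(outer, inner):
    """True when every packet that matches `inner` also matches `outer`."""
    return (_net(inner[1]).subnet_of(_net(outer[1]))
            and _net(inner[2]).subnet_of(_net(outer[2]))
            and (outer[3] == "any" or outer[3] == inner[3]))

def shadowed_rules(rules):
    """Return (shadowed, shadowing, kind): 'redundant' if the actions agree,
    'contradicted' if the earlier rule decides the opposite."""
    found = []
    for j, rj in enumerate(rules):
        for ri in rules[:j]:
            if covers(ri, rj):
                found.append((rj[0], ri[0], "redundant" if ri[4] == rj[4] else "contradicted"))
                break   # the first earlier rule that covers it is the one that fires
    return found

def rule_usage(rules, flows):
    """First-match evaluation: how many flows each rule actually decided."""
    counts = {r[0]: 0 for r in rules}
    for src, dst, port in flows:
        for r in rules:
            if (ipaddress.ip_address(src) in _net(r[1])
                    and ipaddress.ip_address(dst) in _net(r[2])
                    and (r[3] == "any" or r[3] == port)):
                counts[r[0]] += 1
                break
    return counts

def never_used(rules, flows):
    """Rules with zero hits; shadowed rules always land here."""
    return [name for name, hits in rule_usage(rules, flows).items() if hits == 0]
```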

Firewall rule searching enhancements now allow users to search on time intervals, include or exclude different rule types, and refine results based on rule usage. Results may be sorted by a variety of options, including device rule order.

We are very excited about this release and the many other capabilities planned for the next few months.  For more information about QRadar Risk Manager and QRadar SIEM, we invite you to read the white paper “Five Practical Steps to Protecting Your Organization Against Breach.”

And if you are at IBM Pulse, be sure to stop by the Security and Compliance section of the Solution Expo to say hello and learn more!


Wednesday, 22 February 2012 11:57

Bridging Silos, Sharpening Analytics: The Advance of Security Intelligence

Today, IBM announced the first major deliverable from the acquisition of Q1 Labs back in October – a new and dramatically enhanced QRadar Security Intelligence Platform. The new release combines deep analytic capabilities with real-time data feeds from hundreds of different sources to give organizations the ability to help proactively protect themselves from increasingly sophisticated and complex security threats and attacks.

This is exciting news for many reasons, including that QRadar continues to define the frontier of security intelligence, offering new capabilities for instant search, massive scalability and intelligent data policy management. In addition, QRadar will tap security analytics and threat intelligence from more than 400 sources. IBM X-Force, one of the world’s largest repositories of threat and vulnerability insights, provides an intelligence feed to QRadar based on the real-time monitoring of 13 billion security events per day. This insight can flag behavior that may be associated with new and emerging threats, all in real-time.  Whether it’s the newest strain of malware or an advanced exploit technique first being seen halfway around the world, QRadar will monitor this intelligence and correlate it with what’s happening in your own environment, large or small.

To provide one example of how we’re bridging silos, consider the following scenario:  An external attacker (or even an insider) compromises a number of user accounts, seeking access to a sensitive corporate database.  After failing to log in to the database with the first four accounts, he successfully logs in with the fifth account (a privileged user), downloads the organization’s customer list and emails it from the compromised account to a suspicious domain.  Most organizations would struggle to piece together these actions into a cohesive picture of the attack and the impact, and almost certainly would not see it in real-time.

But with the combination of QRadar, IBM Guardium Database Security and IBM X-Force threat intelligence, the attack is detected and impact identified immediately.  Guardium provides the continuous database monitoring and sends alerts to QRadar SIEM, which enriches the view of the incident with network flows and logs it has collected.  It then observes activity involving an IP address (the receiving domain) that IBM X-Force has identified as suspicious.  QRadar QFlow also provides insight into the content actually sent by the attacker, via deep packet inspection.  And if the organization wanted to apply automated remediation to prevent the data exfiltration, it could even use QRadar to have the perimeter security devices block the data transmission.  In sum, the incident is detected in real-time and the impact understood – or even prevented.
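The scenario above is a multi-stage correlation problem, and the added Python below (example code, not QRadar, Guardium or X-Force logic) shows the shape of such a rule: per-source state accumulates failed database logins, a privileged login after enough failures raises a medium offense, and a subsequent export followed by mail to a domain on a threat-intelligence list escalates it to critical. The event stream, the suspicious-domain list and the privileged-account set are constructed; the threshold and time window are assumed values.

```python
from datetime import datetime, timedelta

# Constructed reference data: a threat-intelligence domain list and the
# set of privileged database accounts.
SUSPICIOUS_DOMAINS = {"evil-example.test"}
PRIVILEGED = {"dba_admin"}
FAIL_THRESHOLD = 3              # assumed: failed logins from one source before we care
WINDOW = timedelta(minutes=15)  # assumed: how long a partial chain stays alive

T0 = datetime(2012, 2, 22, 10, 0)
def at(minutes):
    return T0 + timedelta(minutes=minutes)

# Constructed event stream: (time, source host, event kind, details).
EVENTS = [
    (at(0), "10.0.0.5", "db_login_fail", {"user": "jsmith"}),
    (at(1), "10.0.0.5", "db_login_fail", {"user": "mjones"}),
    (at(2), "10.0.0.5", "db_login_fail", {"user": "tlee"}),
    (at(3), "10.0.0.5", "db_login_fail", {"user": "rkim"}),
    (at(4), "10.0.0.5", "db_login_ok",   {"user": "dba_admin"}),
    (at(6), "10.0.0.5", "db_export",     {"user": "dba_admin", "table": "customers"}),
    (at(8), "10.0.0.5", "mail_out",      {"user": "dba_admin", "domain": "evil-example.test"}),
    (at(5), "10.0.0.9", "db_login_fail", {"user": "jsmith"}),   # one mistyped password,
    (at(9), "10.0.0.9", "db_login_ok",   {"user": "jsmith"}),   # then a normal login
]

def correlate(events):
    """Walk events in time order, keeping per-source state; return offenses."""
    state = {}
    offenses = []
    for ts, src, kind, d in sorted(events, key=lambda e: e[0]):
        s = state.setdefault(src, {"fails": [], "priv_login": None, "export": False})
        s["fails"] = [t for t in s["fails"] if ts - t <= WINDOW]   # age out old failures
        if kind == "db_login_fail":
            s["fails"].append(ts)
        elif kind == "db_login_ok":
            if len(s["fails"]) >= FAIL_THRESHOLD and d["user"] in PRIVILEGED:
                s["priv_login"] = ts
                offenses.append({"source": src, "account": d["user"], "severity": "medium",
                                 "stage": "privileged-login-after-failures",
                                 "failed_attempts": len(s["fails"])})
        elif kind == "db_export":
            if s["priv_login"] and ts - s["priv_login"] <= WINDOW:
                s["export"] = True
        elif kind == "mail_out":
            if s["export"] and d["domain"] in SUSPICIOUS_DOMAINS:
                offenses.append({"source": src, "account": d["user"], "severity": "critical",
                                 "stage": "exfiltration-to-suspicious-domain",
                                 "domain": d["domain"]})
                state.pop(src)   # incident raised; reset this source's chain
    return offenses
```

The second source host shows why the threshold and privilege check matter: a single typo followed by an ordinary login produces no offense, so the rule stays quiet on everyday noise.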

We view this as an important step forward in bridging security silos and applying greater intelligence and automation.  What do you think?

For more information on today’s announcement, please see the press release here.


Tuesday, 10 January 2012 11:00

Success at Scale: A Q1 Labs Hallmark

Following their widespread adoption, SIEM and log management solutions have become a staple of many organizations’ security and compliance practices.  They are relied on to protect against countless security and compliance risks.  But there’s a big difference between monitoring the network of a midsize business and those of Fortune 500 organizations.  Q1 Labs not only delivers economical solutions for the former, but also scalable and resilient solutions for the latter.


This is no small feat when you’re talking about a magnitude of well over 100,000 events per second, all correlated in real-time – a volume many Q1 Labs customers are achieving with the QRadar Security Intelligence Platform.  Do the math and you find this is billions of events per day.  How exactly does QRadar enable success at scale?

Let’s scratch the surface of QRadar’s keys to success:

  • Scalability. QRadar’s distributed, federated database architecture allows it to monitor, correlate and store the highest data volumes in real time, without filtering out data or skipping correlation, as some other products do.
  • Search Performance. High-performance indexing and search provides incredibly fast access to enterprise networking and security data. Applying Internet search engine technology, QRadar tames big data.
  • Customization Ability. Although QRadar ships with thousands of out-of-the-box rules, report templates and dashboards, it is also highly customizable, meeting the needs of multi-divisional and multi-national organizations.
  • Expansion and Upgrade Ability. The distributed appliance approach allows an organization to start with a small, mid-sized or large deployment, and add new processing capacity or functional capabilities on the fly.  The architecture and size of a QRadar deployment can grow organically and don’t face major constraints.
  • High Availability. Q1 Labs provides a turnkey solution for high availability, taking the guesswork, risk and complexity out of HA, so customers can focus on their security operations, not IT infrastructure.

These capabilities are further explained and a series of customer case studies are presented in a new Q1 Labs brochure on “Success at Scale.” As a sneak preview, consider the following portrait of a Fortune 5 energy company:

Business Challenge: This company needed to ensure compliance with PCI-DSS, NERC and numerous regulations in other countries. At the same time, it needed to monitor and analyze an average of 2 billion logs daily to protect itself from numerous security threats.

Q1 Labs Solution: The business addressed its regulatory compliance and security needs by deploying QRadar SIEM and QRadar QFlow using 30 appliances globally. By correlating events, network activity (flows), asset information and configuration data, the solution intelligently identifies 25-50 high priority offenses out of 2 billion daily events, utilizing 40 TB of aggregate storage. It serves 100 security users across four groups, while protecting 10,000 network devices, 10,000 servers and 80,000 user endpoints. Major technologies protected by QRadar include products by Oracle, SAP, Cisco and Juniper. The customer also uses QRadar to monitor 6 million card swipes per day for PCI compliance and ensures the security of SCADA systems for NERC compliance.

Read the brochure today to gain insight on more of the world’s largest and most successful Security Intelligence deployments.

