Category: Network Intelligence
Mining Big Data for Better Security Intelligence
Today, IBM Security Systems announced a “Breakthrough with Combination of Security Intelligence and Big Data – Data Analytics Helps Organizations Hunt for Cyber Attacks.” By combining the worlds of business and security intelligence, organizations can analyze data in new ways, detecting threats they would previously have missed and reacting faster with more accurate and timely results. Sandy Bird, CTO for IBM Security Systems, wrote an interesting blog post on this topic in which he explains how the security strategy of the future will be built on the underlying premise that every new source of data is a blessing and not a curse.
Excerpt from the IBM Smarter Planet Blog:
Over the years the game of cat and mouse between attackers and people tasked with defending networks against their advances has evolved to become increasingly more complex. Every new advance in defensive technologies has forced attackers to adopt new tactics, and every new attack technique has produced a new security start-up. The result of this game has been that some of the most diligent and advanced security organizations in the world have deployed over 60 different security products, products that infrequently communicate with one another. Unfortunately, this has not proven a sustainable long-term approach to the security challenge as attacks have become more complicated, difficult to detect and even far reaching. Realistically, we can’t rely on any single product to be successful 100% of the time. The question is, if we understand the realities associated with perfection, why do we continue to embrace strategies that seem to rely on products being successful in isolation?
We need a different, foundational approach to the security challenges associated with sophisticated attackers… the security strategy of the future will be built on the underlying premise that every new source of data is a blessing and not a curse.
Read Sandy’s full post on the IBM Smarter Planet Blog for answers to questions like “How to identify and combine those subtle data indicators of an attack?” and “Does a security strategy need to change just because another piece was added to the puzzle?”
If you are interested in learning more about IBM Security Intelligence for Big Data be sure to check out:
VIDEO The Role Big Data Plays in Solving Complex Security Problems
INFOGRAPHIC on A Big Data Approach to Security Intelligence
IBM Security Systems website: For access to more product information, white papers and more
With the release of QRadar Security Intelligence Platform 7.1, we’re excited to share with you a host of new advances to our family of Security Intelligence products – including QRadar SIEM, QRadar Log Manager and QRadar Risk Manager. These innovations are making it easier for users to leverage cloud investments, simplify management, collect and manage data more flexibly, and replicate or extend QRadar deployments. As a result, QRadar users will receive even greater insight and visibility, further reduce manual work and gain higher system performance. Let’s dive in!
Leverage Cloud Investments
We know many of you have built significant private and public cloud infrastructures and are looking for new virtual workloads to deploy in the cloud. With QRadar 7.1 you now have an additional type of appliance – the Event Collector – that you can deploy virtually, providing more ways to use your cloud environment to gain richer security intelligence.
Event collectors – which come in both virtual and hardware appliance form – provide continuous event logging capabilities, even when network connectivity is unreliable. They collect event logs and forward them to an event processor or all-in-one appliance for correlation, analysis and long-term storage. If network connectivity is lost, they can queue events in a storage buffer and then forward them upon re-connecting. (We call this “store and forward.”) In addition to serving locations with intermittent network connections (like naval vessels), event collectors are well-suited for collecting logs in distributed locations with low to moderate event volumes, such as retail stores and satellite offices. A large retailer, for example, might have hundreds of stores in which they want to collect event data, but the data generated in each location is modest enough that event processors (with terabytes of storage per appliance) aren’t required.
With this release, you now have access to a full complement of virtual appliances – console & all-in-one, event processor, flow processor, VFlow collector, and event collector – to best utilize your current and future cloud infrastructures. Even better, appliances can be mixed and matched among virtual appliance, hardware appliance and traditional software form factors, to meet your specific needs.
Simplify Management – Especially for Big Data
As we and others like Scott Crawford and Jon Oltsik have written, information security is truly a big data analytics challenge today. With its heritage in network flow collection and anomaly detection, QRadar has been collecting and correlating massive data sets in real-time since before big data became a white-hot phenomenon. Critical infrastructure and tier-one telecommunications providers, banks, and energy and utility companies are using QRadar to correlate as many as one million events per second (EPS) in real-time, thanks to QRadar’s purpose-built, embedded Ariel database. But with such massive data volumes come management challenges.
In response, we developed new Index Management capabilities in QRadar 7.1 that provide more refined data management and ultimately better performance. As the volume of stored data explodes, challenges inherent in querying big data become more pronounced – and so do the benefits of optimizing indexes for the queries most often run. QRadar’s default search indexes have always followed the 80/20 rule, providing out-of-the-box indexing for the most commonly used properties. Now we’re taking indexing a step further, enabling deep customization and tuning.
With QRadar 7.1, users have granular control over the creation of search indexes that enable speedy querying. While the fixed database indexing configuration that QRadar has historically provided works well for most scenarios, some clients would benefit from additional or different indexes. That’s why we added the ability to customize the indexing scheme for the event and flow database – so users can drop existing indexes to free up system resources or create new indexes to optimize the system for their specific needs.
QRadar also provides invaluable visibility into the use of indexes – with statistical reporting on the frequency of searches involving each property, how often each property’s index is used, and the size of each index – to help inform indexing decisions. This enables more efficient storage utilization and superior search performance.
Do you suspect one property is getting searched a lot? Get the data.
Do you wonder how big an index has grown? Find out.
Want to start indexing a custom property and see how often that index is used? No problem.
Another new capability that simplifies management is QRadar Risk Manager’s Enhanced Policy Monitoring. Risk Manager excels at monitoring network configurations and system vulnerabilities for potential security and compliance violations, and has always alerted when a policy is violated. Now it takes monitoring a step further with the ability to automatically notify when a policy is passed, providing positive evidence of compliance with external regulations and internal corporate policies. For example, you might want a positive notification when the percent of regulatory assets with Internet exposure vulnerabilities is within policy, or when the percent of regulatory assets with client side vulnerabilities that have communicated with the Internet is within policy. Now you can gain affirmative proof of such compliance.
Collect and Manage Data More Flexibly
QRadar 7.1 also offers new capabilities for collecting and managing data with greater flexibility. These include WinCollect – a versatile and scalable new QRadar capability for Windows event collection. WinCollect provides a superior and agentless means for collecting events from large numbers of systems. Installed on a Windows server of the customer’s choice, WinCollect can use the Windows Event Log API to pull events from target systems and then forward them to QRadar, or use Windows event forwarding and allow target systems to automatically push events to it and then forward them to QRadar. WinCollect complements existing collection mechanisms, including Q1 Labs’ own ALE solution, third-party approaches, and native Windows Server capabilities. In a subsequent blog post, we’ll explain the advantages of each approach and the value of having a broad set of choices.
Event collectors (described earlier) also help simplify data collection and management, in addition to leveraging cloud infrastructure and enabling event collection under unreliable connectivity. To begin with, their ability to “store and forward” data not only applies when a network connection is lost; it can also be used proactively for policy-based event forwarding. In some cases, a remote location might have reliable but limited network bandwidth, and you might want to limit the collector’s use of bandwidth to specific (less busy) times. With QRadar 7.1, you can limit forwarding by bandwidth utilization (e.g., never consume >1MB/second), and/or set an hourly, daily or weekly forwarding schedule. In addition, event collectors can filter event data before it is forwarded for correlation, reporting and long-term storage.
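The store-and-forward behaviour described here and in the earlier event collector section (local queuing while the link is down, policy-based forwarding with a bandwidth cap and a schedule, and filtering before forwarding) can be sketched as a small simulation. This is an added example, not QRadar's own code: the collector class, its policy parameters, the constructed retail-store events and the tick-by-tick timeline are all assumptions made for the demonstration.

```python
"""Added example (not QRadar code): a store-and-forward event collector
that queues events locally and releases them under a forwarding policy."""
from collections import deque
from datetime import datetime


class StoreAndForwardCollector:
    """Hypothetical collector: buffers events and forwards them when policy allows.

    event_filter          callable(event) -> bool; events failing it are dropped locally
    max_bytes_per_second  bandwidth cap per forwarding tick (one tick == one second); None == no cap
    allowed_hours         set of hours (0-23) in which forwarding may run; None == any time
    """

    def __init__(self, event_filter=None, max_bytes_per_second=None, allowed_hours=None):
        self.buffer = deque()               # local storage buffer (the "store" half)
        self.event_filter = event_filter or (lambda event: True)
        self.max_bytes = max_bytes_per_second
        self.allowed_hours = allowed_hours
        self.dropped = 0                    # events filtered out before forwarding

    def collect(self, event):
        """Accept a raw event; filter it now so dropped events never consume bandwidth."""
        if self.event_filter(event):
            self.buffer.append(event)
        else:
            self.dropped += 1

    def forward(self, now, link_up, sink):
        """One forwarding tick. Returns how many events were pushed into sink.

        Nothing leaves the buffer while the link is down or outside the schedule;
        within the window, events are released until the per-tick byte budget is spent.
        """
        if not link_up:
            return 0
        if self.allowed_hours is not None and now.hour not in self.allowed_hours:
            return 0
        sent_bytes, sent = 0, 0
        while self.buffer:
            size = len(self.buffer[0].encode())
            # Stop once the next event would exceed the budget, but always send at
            # least one event per tick so an oversized event cannot block the queue.
            if self.max_bytes is not None and sent_bytes + size > self.max_bytes and sent > 0:
                break
            sink.append(self.buffer.popleft())
            sent_bytes += size
            sent += 1
        return sent


def simulate():
    """Constructed scenario: a store logs ten events during the day; debug events are
    filtered, forwarding is allowed only 22:00-05:59 with a 200 byte/second cap, and the
    link is down for the first tick of the window. Returns a summary dict."""
    collector = StoreAndForwardCollector(
        event_filter=lambda event: "severity=debug" not in event,
        max_bytes_per_second=200,
        allowed_hours={22, 23, 0, 1, 2, 3, 4, 5},
    )
    # Constructed sample events (~51 bytes each); every fourth one is debug noise.
    for i in range(10):
        severity = "debug" if i % 4 == 0 else "info"
        collector.collect(f"id={i:02d} severity={severity} src=store-042 msg=register-open")

    ticks = [
        (datetime(2013, 1, 15, 14, 0, 0), True),   # business hours: window closed
        (datetime(2013, 1, 15, 22, 0, 0), False),  # window open, but the WAN link is down
        (datetime(2013, 1, 15, 22, 0, 1), True),   # link back: drain under the byte cap
        (datetime(2013, 1, 15, 22, 0, 2), True),
        (datetime(2013, 1, 15, 22, 0, 3), True),
    ]
    delivered = []
    per_tick = [collector.forward(now, link_up, delivered) for now, link_up in ticks]
    return {
        "forwarded_per_tick": per_tick,
        "dropped": collector.dropped,
        "delivered": len(delivered),
        "remaining": len(collector.buffer),
    }


if __name__ == "__main__":
    print(simulate())
```

The byte budget is checked per tick rather than averaged, which is the simplest form of the "never consume more than N per second" policy; a production collector would also persist the buffer to disk so a reboot during an outage does not lose the queue.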
Additionally, we have released more than a dozen new product integrations (device support modules) that enable users to normalize and analyze even more types of security telemetry. These include IBM Security zSecure Audit, which allows sending z/OS, RACF, ACF2, Top Secret, DB2, and CICS events from the System Management Facilities (SMF) log to QRadar (in addition to the native z/OS logs that QRadar already collects). We have also completed integrations with many third-party products, such as Verdasys Digital Guardian, AppSecInc DbProtect and Trend Micro Deep Discovery.
Build Extended Solutions and Replicate Existing Deployments
Lastly, we are enabling clients to build extended security intelligence solutions and replicate existing deployments. With Security Intelligence Content Importing/Exporting, you can export correlation rules, building blocks, reference sets, report templates, dashboard widgets and more from a QRadar system to an external device, and subsequently import them into another QRadar system. This enables quick deployment of a new QRadar system based on an existing system or template, as well as sharing of security intelligence content across systems.
We see this being used in several ways:
- Enabling clients to copy custom-built security intelligence content from one deployment to another (across business units or geographies)
- Enabling clients to copy content from a development or test environment to a production system
- Enabling solution providers and system integrators to build unique Security Intelligence intellectual property that they can distribute to their customers.
While QRadar already delivers thousands of rules, report templates, dashboard widgets and saved searches out-of-the-box, many business partners have additional expertise to offer to clients, and have been eagerly awaiting this capability.
To Learn More
With this hefty release completed, we’re gearing up to bring some fantastic new innovations to market in 2013. In the meantime, please try QRadar 7.1 for yourself and let us know what you think. We also encourage you to learn about the other IBM Security product releases just announced, which include capabilities for securing big data environments (including IBM InfoSphere BigInsights and Cloudera), risk-based access control for mobile users in BYOD environments, and privileged identity management.
To read more about using SIEM for targeted attack detection (APT’s), you can also download this Gartner report. Or see how organizations are using network flow analytics for better threat detection and network visibility with this Q1 Labs paper. Best wishes in your security journey!
Earlier this week, IBM announced a network behavioral analysis (NBA) extension for its Network IPS offering which is based on the QRadar Security Intelligence platform.
Using advanced behavioral analytics and anomaly detection, the new QRadar Network Anomaly Detection appliance continuously analyzes network traffic in real-time — using deep packet inspection and passive monitoring of Layer 7 flow data, performed by QFlow and VFlow Collectors — to rapidly identify and prioritize advanced threats such as zero-day attacks and “low and slow” data breaches, as well as more common attacks such as botnets and other malware infections.
In addition, the new appliance correlates its own behavioral information about network activity with alerts and events from the IBM Security Network IPS console, IBM SiteProtector. It also leverages contextual information – to aid in prioritizing the most critical threats – from additional sources including vulnerability assessments, user activity and identity information, and threat intelligence feeds.
By applying behavioral algorithms to network traffic data, the new appliance can immediately flag abnormal events such as:
- Outbound network traffic detected to regions where the company does not conduct any business.
- FTP traffic observed in a department that doesn’t regularly use FTP services.
- A known application running on a non-standard port, or in areas where it is not allowed (e.g. unencrypted traffic running in secure areas of the network).
- Hosts that are sending an abnormally high volume of packets, indicating a potential malware infection.
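The four abnormal-event classes listed above are essentially rules evaluated over enriched flow records. The rule engine below is an added example, not QRadar's own logic or data model: the flow fields, the subnet-to-department mapping, the business-region list, the expected-port table and the packet-volume threshold are all constructed for the demonstration, and the packet-volume rule generalizes the "abnormally high volume" item by comparing each host against the median of its peers.

```python
"""Added example (not QRadar code): rule-based flow anomaly detection over
constructed flow records covering the four anomaly classes listed above."""
from collections import defaultdict
from statistics import median

# Constructed context the rules depend on (all values are assumptions for the demo).
BUSINESS_REGIONS = {"US", "CA", "GB"}           # where the company actually does business
FTP_DEPARTMENTS = {"engineering"}               # departments that legitimately use FTP
EXPECTED_PORTS = {"ssh": {22}, "http": {80, 8080}, "https": {443}, "ftp": {21}, "dns": {53}}
SECURE_ZONE_PREFIXES = ("10.9.",)               # subnets where cleartext traffic is not allowed
PACKET_RATIO_THRESHOLD = 10                     # host sending >10x the median host volume is flagged


def department_of(ip):
    """Hypothetical subnet-to-department mapping (assumption for the demo)."""
    if ip.startswith("10.1."):
        return "engineering"
    if ip.startswith("10.2."):
        return "finance"
    if ip.startswith("10.9."):
        return "payments"
    return "unknown"


def in_secure_zone(ip):
    return ip.startswith(SECURE_ZONE_PREFIXES)


def detect_anomalies(flows):
    """Return a list of (rule, source_ip, detail) tuples, one per rule hit.

    Each flow is a dict with keys: src, dst, dst_port, dst_country, app,
    direction ("out" or "internal"), packets (int) and encrypted (bool).
    """
    findings = []
    packets_by_host = defaultdict(int)

    for f in flows:
        src, app, port = f["src"], f["app"], f["dst_port"]
        packets_by_host[src] += f["packets"]

        # Rule 1: outbound traffic to a region where the company does no business.
        if f["direction"] == "out" and f["dst_country"] not in BUSINESS_REGIONS:
            findings.append(("outbound_to_unexpected_region", src, f["dst_country"]))

        # Rule 2: FTP from a department that does not normally use FTP.
        if app == "ftp" and department_of(src) not in FTP_DEPARTMENTS:
            findings.append(("ftp_in_unexpected_department", src, department_of(src)))

        # Rule 3a: a known application on a port it is not expected on.
        if app in EXPECTED_PORTS and port not in EXPECTED_PORTS[app]:
            findings.append(("app_on_nonstandard_port", src, f"{app}/{port}"))

        # Rule 3b: unencrypted traffic touching a secure zone.
        if not f["encrypted"] and (in_secure_zone(src) or in_secure_zone(f["dst"])):
            findings.append(("cleartext_in_secure_zone", src, f"{app} to {f['dst']}"))

    # Rule 4: a host sending far more packets than its peers (possible infection).
    # Needs at least two hosts so that a median baseline means something.
    if len(packets_by_host) >= 2:
        baseline = median(packets_by_host.values())
        for host, count in packets_by_host.items():
            if baseline > 0 and count > PACKET_RATIO_THRESHOLD * baseline:
                findings.append(("abnormal_packet_volume", host,
                                 f"{count} packets vs median {baseline:.0f}"))
    return findings


# Constructed sample flows; addresses are documentation ranges and private space.
SAMPLE_FLOWS = [
    {"src": "10.1.0.5", "dst": "93.184.216.34", "dst_port": 443, "dst_country": "US",
     "app": "https", "direction": "out", "packets": 120, "encrypted": True},
    {"src": "10.2.0.7", "dst": "203.0.113.9", "dst_port": 21, "dst_country": "US",
     "app": "ftp", "direction": "out", "packets": 80, "encrypted": False},
    {"src": "10.1.0.8", "dst": "198.51.100.4", "dst_port": 5000, "dst_country": "GB",
     "app": "ssh", "direction": "out", "packets": 60, "encrypted": True},
    {"src": "10.1.0.9", "dst": "10.9.0.2", "dst_port": 80, "dst_country": "US",
     "app": "http", "direction": "internal", "packets": 40, "encrypted": False},
    {"src": "10.1.0.3", "dst": "192.0.2.77", "dst_port": 443, "dst_country": "ZZ",
     "app": "https", "direction": "out", "packets": 5000, "encrypted": True},
]

if __name__ == "__main__":
    for rule, host, detail in detect_anomalies(SAMPLE_FLOWS):
        print(f"{rule:32} {host:12} {detail}")
```

The rules assume the application label has already been attached to the flow (which is what layer 7 inspection by the flow collectors provides); without that label, rule 3a degrades to a plain port check and misses applications tunnelled over permitted ports.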
Prioritizing Threats and Gaining Greater Visibility
QRadar Network Anomaly Detection allows organizations to quantify multiple risk factors in order to evaluate the significance of a reported threat, such as the business value of targeted assets and any vulnerabilities that have been identified for those assets, such as missing patches. It leverages core QRadar functionality – such as auto-discovery of assets, protocols and services – to provide a comprehensive asset profile database and real-time network view that is continuously updated based on passive monitoring of network flows, without consuming bandwidth or impacting the network infrastructure.
Integrating QRadar Network Anomaly Detection with IBM Network IPS also provides IBM Network IPS customers with enhanced visibility into their data via QRadar’s Big Data capabilities such as instant search (Google-like indexing across large volumes of unstructured data) as well as sophisticated network security dashboards and pre-configured compliance reports.
Upgradeable to Full QRadar SIEM
QRadar Network Anomaly Detection will be upgradeable to the full-blown SIEM capabilities provided by QRadar SIEM. The full SIEM delivers additional capabilities including the ability to collect and correlate events from a wider range of sources such as firewall logs, Windows and Linux host logs, application logs, database activity monitoring and vulnerability assessment technologies such as IBM Guardium, and configuration/patch management systems such as IBM Security End-Point Manager (BigFix). QRadar SIEM also offers a more comprehensive library of pre-configured correlation rules, dashboards and compliance reports.
Leverages X-Force Threat Intelligence
Like QRadar SIEM, the new appliance receives IP Reputation data from IBM X-Force research, providing insight into suspect entities from a massive URL database containing information about more than 15 billion Web pages and images – believed to be the world’s 2nd largest URL database (after Google) – which are monitored and classified on a continuous basis.
The X-Force feed provides QRadar Network Anomaly Detection with a list of potentially malicious IP addresses such as malware hosts, spam sources, anonymous proxies and other threats. If the appliance sees any traffic to or from these sites, it can immediately alert the organization and provide rich contextual information about the observed activity.
IBM also announced the newest version of its Network IPS, which now provides hybrid protection combining the open source capabilities and common rule syntax of SNORT with the broad protection found in IBM’s Protocol Analysis Module (PAM). This gives clients the ability to easily create and share custom IPS rules in a popular open source format while continuing to leverage IBM’s advanced network IPS capabilities.
Considered to be one of the industry’s most comprehensive threat detection engines, IBM’s PAM leverages packet, content, file and session inspection to go beyond the protection offered by traditional IPS technologies and defend against advanced threats such as browser attacks, data leakage and malicious web applications.
Since PAM is a modular and extensible module that does not depend solely on signature detection, new security protections can be easily added over time. For example, “shell-code heuristics” have been built into PAM to increase its ability to detect obfuscated or dynamic threats.
PAM is also fed updates from IBM X-Force, including protections for new vulnerabilities discovered by IBM’s X-Force R&D team as well as threat information obtained from the real-time monitoring of 12 billion security events per day and 20,000+ devices for IBM’s managed services clients in more than 130 countries worldwide.
IBM’s Vision for Advanced Threat Protection
This announcement demonstrates IBM’s commitment to evolving its IPS technology to provide advanced threat protection at the network layer, in combination with QRadar Security Intelligence and X-Force Threat Intelligence. This vision will continue to be expanded and delivered over time.
To read the full press release of the announcement, click here.
To read a detailed blog posting describing the benefits of combining IPS with Security Intelligence, click here.
You know that QRadar SIEM excels at collecting, correlating and reporting on unusual activity, but have you ever wondered how it performs user activity monitoring? Or what value this would have for your organization?
In this new 8-minute YouTube demo, we look at how the integration of identity and access management data enables real-time user activity monitoring. We show how QRadar can identify risky or abnormal activity of user groups such as employees with privileged access, contractors, or terminated employees.
What value would user activity monitoring provide? You might care about a number of use cases:
- A terminated employee taking action on your network (if terminated, how is he or she still on your network?)
- A privileged employee accessing databases she doesn’t usually access (is she performing malicious activity? Was her account compromised by an attacker? Or did her responsibilities just change?)
- An employee from one geography, who does not travel for business, performing activity in a different geography (was his account taken over?)
- A contractor accessing a database or application that he doesn’t require for his job (can he be trusted? Do his actions require closer monitoring?)
- And many more examples specific to your business.
Without a SIEM solution that can correlate identity and access management data with network activity in real time, most organizations would miss these risks. But QRadar provides the visibility to know whenever a user performs activity that is risky or abnormal. Whether you want to be alerted to security and risk incidents in real-time or view automated reports periodically, QRadar makes it easy to take a proactive stance toward user risks and improve your security posture.
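The correlation the post describes, identity and access management data joined against activity, is shown below for the four use cases in the list. This is an added example rather than QRadar's implementation: the identity store fields (status, type, home geography, usual databases, entitlements), the constructed activity events and the rule names are all assumptions for the demonstration, and an event from a user the identity store has never heard of is added as a fifth case.

```python
"""Added example (not QRadar code): correlating activity events with an
identity store to flag terminated, privileged, travelling and contractor
activity that deserves a closer look."""

# Constructed identity store, the kind of data an IAM integration would supply.
IDENTITY = {
    "alice": {"status": "active", "type": "employee", "privileged": True,
              "home_geo": "US", "travels": False,
              "usual_dbs": {"hr_db"}, "entitlements": {"hr_db"}},
    "bob":   {"status": "terminated", "type": "employee", "privileged": False,
              "home_geo": "US", "travels": False,
              "usual_dbs": set(), "entitlements": set()},
    "carol": {"status": "active", "type": "contractor", "privileged": False,
              "home_geo": "GB", "travels": False,
              "usual_dbs": set(), "entitlements": {"ticketing_app"}},
    "dave":  {"status": "active", "type": "employee", "privileged": False,
              "home_geo": "US", "travels": False,
              "usual_dbs": set(), "entitlements": {"crm"}},
}

# Constructed activity events as a SIEM would see them after normalization.
EVENTS = [
    {"user": "bob",     "action": "login", "resource": "vpn",        "kind": "network",  "geo": "US"},
    {"user": "alice",   "action": "query", "resource": "payroll_db", "kind": "database", "geo": "US"},
    {"user": "dave",    "action": "login", "resource": "crm",        "kind": "app",      "geo": "BR"},
    {"user": "carol",   "action": "read",  "resource": "payroll_db", "kind": "database", "geo": "GB"},
    {"user": "alice",   "action": "query", "resource": "hr_db",      "kind": "database", "geo": "US"},
    {"user": "mallory", "action": "login", "resource": "vpn",        "kind": "network",  "geo": "US"},
]


def evaluate(events, identity):
    """Return (rule, user, detail) tuples for every event that merits review.

    A hit is a prompt for investigation, not a verdict: the post itself notes that
    a privileged user touching a new database may simply have changed roles.
    """
    findings = []
    for e in events:
        user = e["user"]
        ident = identity.get(user)

        # No identity record at all: activity from an account IAM does not know about.
        if ident is None:
            findings.append(("unknown_identity", user, e["resource"]))
            continue

        # Use case 1: any activity by a terminated employee is suspicious on its own.
        if ident["status"] == "terminated":
            findings.append(("terminated_user_activity", user, f"{e['action']} {e['resource']}"))
            continue

        # Use case 2: privileged user touching a database outside their usual set.
        if ident["privileged"] and e["kind"] == "database" and e["resource"] not in ident["usual_dbs"]:
            findings.append(("privileged_unusual_database", user, e["resource"]))

        # Use case 3: activity from a geography the non-travelling user is not based in.
        if e["geo"] != ident["home_geo"] and not ident["travels"]:
            findings.append(("activity_outside_home_geo", user, f"{e['geo']} vs home {ident['home_geo']}"))

        # Use case 4: contractor reaching a resource outside their entitlements.
        if ident["type"] == "contractor" and e["resource"] not in ident["entitlements"]:
            findings.append(("contractor_outside_entitlements", user, e["resource"]))
    return findings


def counts_by_rule(findings):
    """Periodic-report view: how many hits each rule produced."""
    counts = {}
    for rule, _, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in evaluate(EVENTS, IDENTITY):
        print(hit)
    print(counts_by_rule(evaluate(EVENTS, IDENTITY)))
```

The terminated-user check runs first and short-circuits the rest because the other rules add nothing once the account should not exist at all; the remaining rules are independent, so one event can produce several findings.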
For more information, visit the Q1 Labs Resource Center today.
If you missed our February 22nd webinar with Dark Reading, or attended live but still have questions, this is for you. Of course, you can watch the whole event in its entirety here. During the event, we covered a fair amount of ground, talking through some of the larger attacks of 2011 while noting the varied attack types and motivations that powered them.
Questions started flying when we began talking about security intelligence use cases and strategies to prevent being hacked. We touched on the following use case topics: network activity, application detection and forensic evidence, data leakage, insider fraud, user behavior monitoring, and advanced persistent threats (APT). Not only was network activity flow the common thread between all of these topics, but also in the questions we received. Since these questions were common amongst all of our attendees, we thought we would share some of the questions and answers with you.
QUESTION: Does network flow capability come with your SIEM? Or is it a separate add-on?
ANSWER: The ability to process flow records from standard formats such as NetFlow, JFlow, and SFlow is supported by default. If you would like to go deeper than the layer 4 information of these flow technologies and go to layer 7 with content capture, then QRadar’s QFlow technology provides this functionality. This feature can be built into an appliance or, for larger deployments, provided as an optional add-on.
QUESTION: I already monitor NetFlow traffic. How is what you do with flows different?
ANSWER: NetFlow provides useful information such as source and destination IP, source and destination ports, and packet and byte count. QRadar QFlow’s deep packet inspection provides the ability to identify traffic up to layer 7 (application layer) and also provides content capture capabilities. This means QRadar can identify applications regardless of port (many applications use dynamically allocated ports or tunnel over port 80). For example, QFlow can detect social applications like Facebook, Myspace, and Twitter, in addition to port-independent applications like VoIP and BitTorrent. QRadar QFlow can also detect traffic over non-standard ports (e.g. SSH over port 5000). QRadar QFlow also provides content capture capabilities. That is, when a flow session is captured, the header information and a user-specifiable amount of content after that are captured. For example, we can detect the file transferred across the network (e.g. customerinfo.doc, creditcard.xls).
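The difference between port-based and payload-based application identification that the answer describes can be illustrated with a few byte-pattern signatures and a small content-capture step. The code below is an added example, not QFlow's classifier: the signature set, the port-hint table, the capture length and the constructed session payloads are all assumptions for the demonstration.

```python
"""Added example (not QFlow code): identify the application from the first
bytes of a session rather than from the port, and pull transferred file
names out of the captured content."""
import re

# Constructed signatures applied to the start of a captured session (assumptions).
SIGNATURES = [
    ("ssh", lambda p: p.startswith(b"SSH-")),
    ("tls", lambda p: len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03),
    ("http", lambda p: re.match(rb"^(GET|POST|PUT|HEAD|DELETE) \S+ HTTP/1\.[01]\r\n", p) is not None),
    ("ftp", lambda p: p.startswith(b"220 ") or re.match(rb"^(USER|RETR|STOR) ", p) is not None),
    ("bittorrent", lambda p: p.startswith(b"\x13BitTorrent protocol")),
]
# What a layer 4 only view would guess from the destination port.
PORT_HINT = {22: "ssh", 443: "tls", 80: "http", 8080: "http", 21: "ftp"}
CAPTURE_BYTES = 256  # user-specifiable amount of content kept after the header


def identify_app(payload):
    """Return the first matching application name, or 'unknown'."""
    for name, matches in SIGNATURES:
        if matches(payload):
            return name
    return "unknown"


def extract_filenames(payload):
    """Pull file names out of captured FTP commands and HTTP request lines."""
    names = [n.decode() for n in re.findall(rb"^(?:RETR|STOR) (\S+)", payload, re.M)]
    m = re.match(rb"^(?:GET|POST|PUT) (\S+) HTTP", payload)
    if m:
        last = m.group(1).split(b"?")[0].rsplit(b"/", 1)[-1]
        if b"." in last:  # keep only path segments that look like a file
            names.append(last.decode())
    return names


def classify_session(dst_port, payload, capture_bytes=CAPTURE_BYTES):
    """Classify one session by content and compare with the port-based guess.

    port_mismatch is True when content identifies a known application that the
    port alone would not have suggested (e.g. SSH on 5000, BitTorrent on 443).
    """
    captured = payload[:capture_bytes]
    app = identify_app(captured)
    hint = PORT_HINT.get(dst_port)
    return {
        "app": app,
        "port_hint": hint,
        "port_mismatch": app != "unknown" and hint != app,
        "files": extract_filenames(captured),
    }


# Constructed sample sessions (port, first bytes seen).
SAMPLE_SESSIONS = [
    (5000, b"SSH-2.0-OpenSSH_8.9\r\n"),
    (80, b"GET /exports/creditcard.xls HTTP/1.1\r\nHost: files.example.internal\r\n\r\n"),
    (21, b"USER anon\r\nRETR customerinfo.doc\r\n"),
    (443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
    (443, b"\x13BitTorrent protocol" + bytes(8)),
    (9999, b"\x00\x01\x02"),
]

if __name__ == "__main__":
    for port, payload in SAMPLE_SESSIONS:
        print(port, classify_session(port, payload))
```

Only the first `capture_bytes` of the session are inspected, which is why the capture length matters: a file name that appears after the cutoff is never seen, and a signature that relies on the server banner needs the server side of the conversation captured too.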
QUESTION: Are there some sources that you can’t pull data from in a network? Do we have to manually add in some?
ANSWER: QRadar has the best auto-identification of log sources in the industry and can normalize most major devices automatically. If it creates logs, then QRadar can accept or collect logs from that device. If QRadar does not recognize the device logs, a straightforward built-in mechanism within QRadar can be used to create custom parsers.
QUESTION: Do you have any pre-built templates and rules for meeting compliance regulations? Or is scripting required?
ANSWER: QRadar has pre-built compliance templates and reports. Scripting is not required.
If you’re interested in learning more about the value of flows and how to get more out of SIEM, you can watch our on-demand webcast “Getting More out of SIEM: How to Use Flows To Better Detect Threats and Simplify SIEM”. This webcast shows a live demo and talks more about the value of correlating flows.
Have more questions? Need further explanation? Feel free to email us at firstname.lastname@example.org or just post them below.