Category: Q1 Labs
As I sat down to watch the new James Bond film with my usual supplies of fizzy drinks and sugary sweets, I was very surprised when he decided to take on the cyber terrorist at large and solve the problem single-handedly, physically and without the need for a Security product in sight!
Of course we don’t all have a secret agent in our organization, driving around eradicating danger. However, security teams can prepare, and have clear, flexible strategies in place to reduce risk on their network.
The premise of the film (spoiler alert) is a cyber terrorist getting into the British Secret Service network undetected and causing harm to key personnel. The clever methods used to infiltrate the network highlight what is happening on a daily basis to security teams globally, and though a great film, probably made many security personnel squirm slightly in their chairs when seeing the consequences that could occur!
From internal constraints to the rise of Advanced Persistent Threats (an ESG research report highlighted that 59% of enterprise organizations think they have been the target of an APT attack), the role of the security team is becoming ever more complex. The requirement for a clear security strategy, one that can adapt and flex to an organization’s evolving needs, is vital.
In an exclusive webcast with Dark Reading on 12/13/2012 at 1200 ET, Q1 Labs’ very own James Bond, Michael Applebaum, and Jon Oltsik, Senior Principal Analyst at ESG, will be presenting “Information Security in Transition: Top things to consider in 2013”. In this must-attend event there will be recommendations on how to improve your organization’s information security model and, importantly, the key issues that you are likely to face in 2013.
If you don’t want to wait for our webcast to get this information, please download Jon Oltsik’s report “Enterprise Information Security in Transition”.
The worry for organizations, however, is the number of these hackers who have never studied computer science but have an ambition to be a software developer and see it as a challenge to try to break into a business’s network undetected. Although this may seem an innocent personal challenge to them, it is ultimately aligned with greed, and more often than not these people want to go for bigger and better.
Security teams need to be aware of methods to detect and act immediately on this type of malicious hacking by so-called “amateurs.” The IBM X-Force 2012 Mid-year Trend and Risk Report details the variety of attacks that a business could expect a hacker to use (read more here). A key point highlighted is the growing complexity of an organization’s network, moving from a traditional office-only model to a world of interconnected devices and services. This has made it increasingly difficult to get a clear real-time snapshot of what is happening in the network, making it easier for amateur hackers to get in without raising any alarms.
In a recorded webcast with SCMagazine UK, Chris Poulin, IBM Security Systems Strategist details how to combat these young hackers, through QRadar’s anomaly detection capabilities and advanced forensic analysis, to quickly identify when a breach is occurring on your network. Click here to view.
With the release of QRadar Security Intelligence Platform 7.1, we’re excited to share with you a host of new advances to our family of Security Intelligence products – including QRadar SIEM, QRadar Log Manager and QRadar Risk Manager. These innovations are making it easier for users to leverage cloud investments, simplify management, collect and manage data more flexibly, and replicate or extend QRadar deployments. As a result, QRadar users will receive even greater insight and visibility, further reduce manual work and gain higher system performance. Let’s dive in!
Leverage Cloud Investments
We know many of you have built significant private and public cloud infrastructures and are looking for new virtual workloads to deploy in the cloud. With QRadar 7.1 you now have an additional type of appliance – the Event Collector – that you can deploy virtually, providing more ways to use your cloud environment to gain richer security intelligence.
Event collectors – which come in both virtual and hardware appliance form – provide continuous event logging capabilities, even when network connectivity is unreliable. They collect event logs and forward them to an event processor or all-in-one appliance for correlation, analysis and long-term storage. If network connectivity is lost, they can queue events in a storage buffer and then forward them upon re-connecting. (We call this “store and forward.”) In addition to serving locations with intermittent network connections (like naval vessels), event collectors are well-suited for collecting logs in distributed locations with low to moderate event volumes, such as retail stores and satellite offices. A large retailer, for example, might have hundreds of stores in which they want to collect event data, but the data generated in each location is modest enough that event processors (with terabytes of storage per appliance) aren’t required.
With this release, you now have access to a full complement of virtual appliances – console & all-in-one, event processor, flow processor, VFlow collector, and event collector – to best utilize your current and future cloud infrastructures. Even better, appliances can be mixed and matched among virtual appliance, hardware appliance and traditional software form factors, to meet your specific needs.
Simplify Management – Especially for Big Data
As we and others like Scott Crawford and Jon Oltsik have written, information security is truly a big data analytics challenge today. With its heritage in network flow collection and anomaly detection, QRadar has been collecting and correlating massive data sets in real-time since before big data became a white-hot phenomenon. Critical infrastructure and tier-one telecommunications providers, banks, and energy and utility companies are using QRadar to correlate as many as one million events per second (EPS) in real-time, thanks to QRadar’s purpose-built, embedded Ariel database. But with such massive data volumes come management challenges.
In response, we developed new Index Management capabilities in QRadar 7.1 that provide more refined data management and ultimately better performance. As the volume of stored data explodes, challenges inherent in querying big data become more pronounced – and so do the benefits of optimizing indexes for the queries most often run. QRadar’s default search indexes have always followed the 80/20 rule, providing out-of-the-box indexing for the most commonly used properties. Now we’re taking indexing a step further, enabling deep customization and tuning.
With QRadar 7.1, users have granular control over the creation of search indexes that enable speedy querying. While the fixed database indexing configuration that QRadar has historically provided works well for most scenarios, some clients would benefit from additional or different indexes. That’s why we added the ability to customize the indexing scheme for the event and flow database – so users can drop existing indexes to free up system resources or create new indexes to optimize the system for their specific needs.
QRadar also provides invaluable visibility into the use of indexes – with statistical reporting on the frequency of searches involving each property, how often each property’s index is used, and the size of each index – to help inform indexing decisions. This enables more efficient storage utilization and superior search performance.
Do you suspect one property is getting searched a lot? Get the data.
Do you wonder how big an index has grown? Find out.
Want to start indexing a custom property and see how often that index is used? No problem.
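The index-tuning loop described above (index the properties that are searched most, drop indexes that are rarely used, and let usage statistics drive the decision) can be made concrete with a small model. The block below is an added illustration for this post, not QRadar or Ariel code: it is a toy in-memory event store with optional per-property hash indexes, a search path that uses an index when one exists and scans otherwise, and the statistics an operator would consult (searches per property, searches served by an index, index size). The event properties, sample events and the workload in `demo()` are all constructed for the example.

```python
"""Query-driven index tuning for an event store (added illustration, not QRadar code)."""
from collections import defaultdict


class EventStore:
    def __init__(self, indexed=()):
        self.events = []                       # list of event dicts, id = position
        self.indexes = {}                      # property -> {value: [event ids]}
        self.search_count = defaultdict(int)   # property -> searches issued
        self.index_hits = defaultdict(int)     # property -> searches served by an index
        for prop in indexed:
            self.add_index(prop)

    def add_index(self, prop):
        """Build a hash index for prop over all events stored so far."""
        idx = defaultdict(list)
        for eid, ev in enumerate(self.events):
            if prop in ev:
                idx[ev[prop]].append(eid)
        self.indexes[prop] = idx

    def drop_index(self, prop):
        """Free the index; searches on prop fall back to a full scan."""
        self.indexes.pop(prop, None)

    def ingest(self, event):
        """Store one event and keep every existing index current."""
        eid = len(self.events)
        self.events.append(event)
        for prop, idx in self.indexes.items():
            if prop in event:
                idx[event[prop]].append(eid)
        return eid

    def search(self, prop, value):
        """Return matching event ids, via the index when one exists, else by scanning."""
        self.search_count[prop] += 1
        if prop in self.indexes:
            self.index_hits[prop] += 1
            return list(self.indexes[prop].get(value, []))
        return [eid for eid, ev in enumerate(self.events) if ev.get(prop) == value]

    def index_size(self, prop):
        """Number of postings (value -> id entries) held for prop; 0 if not indexed."""
        idx = self.indexes.get(prop)
        return sum(len(ids) for ids in idx.values()) if idx else 0

    def stats(self):
        """Per-property report used to decide which indexes to create or drop."""
        props = set(self.search_count) | set(self.indexes)
        return {p: {"searches": self.search_count[p],
                    "index_hits": self.index_hits[p],
                    "index_size": self.index_size(p),
                    "indexed": p in self.indexes}
                for p in sorted(props)}


def demo():
    """Constructed workload: 'username' is searched often, 'event_id' is indexed but cold."""
    store = EventStore(indexed=["event_id"])
    for i in range(50):
        store.ingest({"event_id": 4625 if i % 5 == 0 else 4624,   # constructed Windows-style ids
                      "username": f"user{i % 10}",
                      "src_ip": f"10.0.0.{i % 4}"})
    for i in range(20):
        store.search("username", f"user{i % 10}")   # 20 scans, no index
    store.search("event_id", 4625)                   # 1 indexed search
    before = store.stats()
    # Tuning decision driven by the statistics: index the hot property, drop the cold one.
    store.add_index("username")
    store.drop_index("event_id")
    hits = store.search("username", "user3")
    return before, store.stats(), hits
```

In `before`, `username` shows 20 searches and no index while `event_id` shows one search against a 50-posting index; after the tuning step the `username` index carries the postings and `event_id` is no longer indexed. The same statistics are what make a drop decision safe: a large index with near-zero hits is storage and ingest cost with no query benefit.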
Another new capability that simplifies management is QRadar Risk Manager’s Enhanced Policy Monitoring. Risk Manager excels at monitoring network configurations and system vulnerabilities for potential security and compliance violations, and has always alerted when a policy is violated. Now it takes monitoring a step further with the ability to automatically notify when a policy is passed, providing positive evidence of compliance with external regulations and internal corporate policies. For example, you might want a positive notification when the percent of regulatory assets with Internet exposure vulnerabilities is within policy, or when the percent of regulatory assets with client side vulnerabilities that have communicated with the Internet is within policy. Now you can gain affirmative proof of such compliance.
Collect and Manage Data More Flexibly
QRadar 7.1 also offers new capabilities for collecting and managing data with greater flexibility. These include WinCollect – a versatile and scalable new QRadar capability for Windows event collection. WinCollect provides a superior and agentless means of collecting events from large numbers of systems: nothing is installed on the monitored hosts themselves. Installed on a Windows server of the customer’s choice, WinCollect can use the Windows Event Log API to pull events from target systems and then forward them to QRadar, or use Windows Event Forwarding to let target systems push events to it, which it then forwards to QRadar. WinCollect complements existing collection mechanisms, including Q1 Labs’ own ALE solution, third-party approaches, and native Windows Server capabilities. In a subsequent blog post, we’ll explain the advantages of each approach and the value of having a broad set of choices.
Event collectors (described earlier) also help simplify data collection and management, in addition to leveraging cloud infrastructure and enabling event collection under unreliable connectivity. To begin with, their ability to “store and forward” data not only applies when a network connection is lost; it can also be used proactively for policy-based event forwarding. In some cases, a remote location might have reliable but limited network bandwidth, and you might want to limit the collector’s use of bandwidth to specific (less busy) times. With QRadar 7.1, you can limit forwarding by bandwidth utilization (e.g., never consume >1MB/second), and/or set an hourly, daily or weekly forwarding schedule. In addition, event collectors can filter event data before it is forwarded for correlation, reporting and long-term storage.
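The collector behaviour described here and in the earlier event collector section (filter at the edge, buffer while the link to the event processor is down, then drain under a bandwidth cap and only inside a forwarding window) is easy to get subtly wrong, so here is an added model of it. This is illustration code written for this post, not QRadar’s event collector: the on-disk buffer is a deque, the bandwidth cap is a byte credit that accrues only while forwarding is permitted, and the forwarding window is a set of hours. The log lines, the filter predicate, the 100 bytes/second cap and the off-peak window in `demo()` are all constructed for the example.

```python
"""Store-and-forward collector with policy-based forwarding (added illustration, not QRadar code)."""
from collections import deque


class EventCollector:
    def __init__(self, forward_hours, bytes_per_second, drop_if):
        self.queue = deque()                  # stand-in for the durable on-disk buffer
        self.forward_hours = forward_hours    # hours (0-23) in which forwarding is allowed
        self.bytes_per_second = bytes_per_second
        self.drop_if = drop_if                # predicate: True -> filter the event out
        self.dropped = 0
        self.credit = 0                       # bytes we may still send this interval

    def collect(self, line):
        """Apply the pre-forwarding filter, then store the event locally."""
        if self.drop_if(line):
            self.dropped += 1
            return False
        self.queue.append(line.encode())
        return True

    def forward(self, hour, link_up, seconds=1):
        """Drain the buffer for `seconds` of wall clock, subject to policy.

        Nothing is sent (and no bandwidth credit accrues) while the link is down
        or outside the forwarding window; events stay queued for the next call.
        Returns the events actually sent.
        """
        if not link_up or hour not in self.forward_hours:
            return []
        self.credit += self.bytes_per_second * seconds
        sent = []
        while self.queue and len(self.queue[0]) <= self.credit:
            ev = self.queue.popleft()
            self.credit -= len(ev)
            sent.append(ev.decode())
        # Carry over at most one second of unused credit so a reconnect cannot
        # burst past the cap, but let credit grow far enough to eventually send an
        # oversized head-of-queue event instead of stalling behind it forever.
        head = len(self.queue[0]) if self.queue else 0
        self.credit = min(self.credit, max(self.bytes_per_second, head))
        return sent


def demo():
    """Constructed retail-store scenario: link loss, off-peak window, 100 B/s cap."""
    collector = EventCollector(forward_hours=set(range(0, 6)) | {22, 23},
                               bytes_per_second=100,
                               drop_if=lambda line: " DEBUG " in line)
    # Constructed point-of-sale log lines, padded to 40 bytes each for a predictable budget.
    raw_lines = [
        "pos-01 app: INFO sale completed",
        "pos-01 app: DEBUG heartbeat ok",
        "pos-01 app: INFO sale completed",
        "pos-01 app: WARN card read failed",
        "pos-02 app: INFO sale completed",
        "pos-02 app: INFO refund issued",
    ]
    for line in raw_lines:
        collector.collect(line.ljust(40))
    result = {"dropped": collector.dropped, "queued": len(collector.queue)}
    result["link_down"] = len(collector.forward(hour=9, link_up=False))
    result["outside_window"] = len(collector.forward(hour=9, link_up=True))
    result["first_second"] = len(collector.forward(hour=23, link_up=True))    # 100 B: 2 events
    result["second_second"] = len(collector.forward(hour=23, link_up=True))   # 120 B: 3 events
    # A single 150-byte event exceeds one second of credit; it must wait, not stall forever.
    collector.collect("pos-03 app: INFO nightly inventory dump".ljust(150))
    result["oversized_wait"] = len(collector.forward(hour=23, link_up=True))
    result["oversized_sent"] = len(collector.forward(hour=23, link_up=True))
    result["remaining"] = len(collector.queue)
    return result
```

Two design points worth noting when building or evaluating such a collector: credit must not accrue while the link is down, otherwise the first second after reconnect bursts the entire outage backlog and defeats the cap; and an event larger than one interval’s budget must still be deliverable, or the queue deadlocks behind it.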
Additionally, we have released more than a dozen new product integrations (device support modules) that enable users to normalize and analyze even more types of security telemetry. These include IBM Security zSecure Audit, which allows sending z/OS, RACF, ACF2, Top Secret, DB2, and CICS events from the System Management Facilities (SMF) log to QRadar (in addition to the native z/OS logs that QRadar already collects). We have also completed integrations with many third-party products, such as Verdasys Digital Guardian, AppSecInc DbProtect and Trend Micro Deep Discovery.
Build Extended Solutions and Replicate Existing Deployments
Lastly, we are enabling clients to build extended security intelligence solutions and replicate existing deployments. With Security Intelligence Content Importing/Exporting, you can export correlation rules, building blocks, reference sets, report templates, dashboard widgets and more from a QRadar system to an external device, and subsequently import them into another QRadar system. This enables quick deployment of a new QRadar system based on an existing system or template, as well as sharing of security intelligence content across systems.
We see this being used in several ways:
- Enabling clients to copy custom-built security intelligence content from one deployment to another (across business units or geographies)
- Enabling clients to copy content from a development or test environment to a production system
- Enabling solution providers and system integrators to build unique Security Intelligence intellectual property that they can distribute to their customers.
While QRadar already delivers thousands of rules, report templates, dashboard widgets and saved searches out-of-the-box, many business partners have additional expertise to offer to clients, and have been eagerly awaiting this capability.
To Learn More
With this hefty release completed, we’re gearing up to bring some fantastic new innovations to market in 2013. In the meantime, please try QRadar 7.1 for yourself and let us know what you think. We also encourage you to learn about the other IBM Security product releases just announced, which include capabilities for securing big data environments (including IBM InfoSphere BigInsights and Cloudera), risk-based access control for mobile users in BYOD environments, and privileged identity management.
To read more about using SIEM for targeted attack detection (APT’s), you can also download this Gartner report. Or see how organizations are using network flow analytics for better threat detection and network visibility with this Q1 Labs paper. Best wishes in your security journey!
With due deference to Oscar Wilde, companies are becoming increasingly ‘earnest’ in their approach to gaining greater intelligence about their security posture.
Media headlines have shown us over the past couple of years that there is an ever-increasing number of security breaches, and what has surprised many security experts is the variety and sophistication of these attacks.
The targeting of specific individuals and groups within an organization, aimed at compromising confidential information, has led to security being not just an ad hoc topic in the boardroom but a “top of the agenda” discussion point.
The recent study “Finding a strategic voice” by the IBM Center for Applied Insights revealed that over two-thirds of the security leaders interviewed said their senior execs are paying more attention to security than two years ago, and that there is an increased shift towards risk management, meaning organizations are focusing on being proactive rather than reactive.
An interesting statistic from EU Justice Commissioner Viviane Reding, at the Digital Life Design (DLD) conference in Munich in January 2012, backed the importance of data protection: “In 1993, the Internet carried only 1% of all telecommunicated information. Today, the figure has risen to more than 97%”. This just shows how much easier it is for hacktivists to harvest information and plan targeted attacks on a particular individual’s online profile.
The need for long-term security strategies that allow organizations to harness their volumes of security-relevant information has become ever more crucial. We call the product of these strategies ‘security intelligence’.
To help shape your organization’s security strategy and provide real-world lessons about applying Security Intelligence and next-generation SIEM for threat protection, forensics and network visibility, Q1 Labs, an IBM Company, has two webcasts that you should attend:
Dark Reading Webcast:
“Gaining Insight and Visibility with Next-Generation SIEM: An End User Perspective”
12th September 1200-1300 ET
SC MAG UK Webcast:
“Avoiding the front page; Security strategies to stay out of the headlines”
26th September 1500-1600 GMT (1000-1100 ET)
Borrowing a line from Oscar Wilde’s immortal play: “To miss one of these webinars would be considered unfortunate, to miss both would be downright careless!”
There’s nothing more gratifying than getting positive feedback from the people whom you wake up every day to serve – your customers. That’s why we were thrilled when a new InformationWeek customer survey on the SIEM market was just published, with the headline “IT Rates IBM’s Q1 Labs Top SIEM Performer”. To be clear, this was not a “sponsored vendor test”, but was conducted independently of the vendors named.
Reflecting input from 300+ SIEM users in North America, this was a wide-ranging survey covering product capabilities, vendor support, cost of ownership and more. (Download the full report here.) If this were the Oscars, we’d be talking about a virtual sweep for Q1 Labs. Thank you, North America!
The report is overflowing with SIEM product and market insight, so let me highlight some of the more interesting findings.
Let’s get right to it: “Users and evaluators of IBM/Q1 Labs rated it [the] leader for overall performance.” As the report explains, these performance ratings are based on a set of 10 general criteria, including product reliability, product performance, flexibility, operation cost and many others.
Q1 Labs was also the highest rated vendor for product features, reflecting outstanding performance across 11 distinct categories. These include event correlation, real-time analysis for alerts, root cause analysis and investigation of archived logs, operational dashboard, and seven other sets of capabilities.
Who’s Who in SIEM
Of the 17 vendors InformationWeek asked users about, only 8 vendors received a sufficient number of responses (10% or more of total respondents) to be included in the results. The other 9 were dropped from consideration.
Vendors notably failing to make the cut include EMC/RSA, a legacy first-generation SIEM vendor, and McAfee/NitroSecurity, which claims to be an up-and-comer but only generated responses from a paltry 2% of customers.
Top Evaluation Criteria
The top three evaluation criteria according to customers are product reliability, product performance, and flexibility. In other words: Can I rely on the product; does it deliver robust capabilities; and can it be tailored to my specific needs?
Customers rated Q1 Labs as #1 in all three of these critical dimensions. QRadar’s flexibility is something in which we take particular pride, because many SIEM users say flexibility has more impact on their overall experience than anything else. They care about practical questions such as:
- How easily can you create or change a correlation rule or a report, to meet your particular business needs?
- How quickly can you adjust a log source integration module for an uncommon data source? (Most SIEM vendors would discourage users from even trying this themselves. We do not.)
- Can you easily upgrade a log management product to a full SIEM product – without buying new hardware, migrating to a completely different database, changing your architecture, or paying for expensive professional services?
- Is it possible to expand the scale of your deployment linearly by simply deploying more appliances – or do you need to re-architect the whole solution once you reach a certain scale (at considerable expense)?
We were proud that customers rated Q1 Labs higher than any other vendor on “Flexibility in meeting your organization’s needs.” This aspect of SIEM really matters.
Survey respondents also commented on the total cost of ownership for SIEM. While we take pride in QRadar’s advanced capabilities, our commitment to Intelligence, Integration and Automation isn’t just about building the most powerful analytics. It’s also about finding ways to make life easier for security and risk management professionals, which translates into lower operational costs.
We were grateful to see this reflected in the InformationWeek survey, where a broad cross-section of SIEM users rated Q1 Labs very highly on both acquisition cost and operation cost (meaning: offering an affordable cost).
Our decade-plus work to understand customers’ challenges with SIEM and related technologies has led to several innovations that simplify security operations:
- The unified architecture of the QRadar Security Intelligence Platform greatly enhances ease of use and lowers the total cost of ownership. By offering log management, SIEM, behavioral profiling & anomaly detection, network flow collection & analytics, and vulnerability & security configuration management in one modular platform, we follow the KISS Principle (Keep It Simple, Security pros!). Users don’t have to struggle with different user interfaces, databases, data taxonomies or administration requirements – weaknesses of many other SIEM products, especially legacy first-generation ones.
- Capabilities like automated discovery of log sources, applications and assets, and auto-grouping of assets, save users time upfront and on an ongoing basis.
- Embedded security knowledge in the form of thousands of pre-defined rules, reports and searches that help users share insight faster with their colleagues and auditors.
The next most important criterion for customers, according to the survey, is quality of post-sales support. Again, IBM/Q1 Labs was honored with the highest rating of any vendor. Q1 Labs has always held a deep commitment to client success, and frankly our customer support team is made up of some of the most capable and dedicated professionals you’ll ever work with. This note from a Q1 Labs customer to a Q1 Labs business partner crossed my inbox just last week, and adds a personal perspective to the survey discussion:
“Just want to send you a special thanks for recommending QRadar SIEM. It’s much better than [competitor product] which we had for years. It gives us a lot more visibility into our network and security environment. It has even accomplished several of our custom requirements since it was deployed just a month ago. In my own experience, the Q1 Labs support is very knowledgeable too, easy to get a hold of, always trying to help, and very fast to escalate to the developers if the support people don’t have the solution.”
In my next post, I’ll share more insights from the InformationWeek customer survey, including detailed findings about the vendors’ product features and customers’ reasons for switching vendors. Stay tuned!
PS: See related post about why IBM/Q1 Labs was chosen as a Leader in the most recent Gartner Magic Quadrant for SIEM.