Category: Security Intelligence
Posted by Michael Applebaum in Cybersecurity, Q1 Labs, Security Intelligence, SIEM, Threat Management
Today, IBM announced the first major deliverable from the acquisition of Q1 Labs back in October – a new and dramatically enhanced QRadar Security Intelligence Platform. The new release combines deep analytic capabilities with real-time data feeds from hundreds of different sources to give organizations the ability to help proactively protect themselves from increasingly sophisticated and complex security threats and attacks.
This is exciting news for many reasons, including that QRadar continues to define the frontier of security intelligence, offering new capabilities for instant search, massive scalability and intelligent data policy management. In addition, QRadar will tap security analytics and threat intelligence from more than 400 sources. IBM X-Force, one of the world’s largest repositories of threat and vulnerability insights, provides an intelligence feed to QRadar based on the real-time monitoring of 13 billion security events per day. This insight can flag behavior that may be associated with new and emerging threats, all in real time. Whether it’s the newest strain of malware or an advanced exploit technique first being seen halfway around the world, QRadar will monitor this intelligence and correlate it with what’s happening in your own environment, large or small.
To provide one example of how we’re bridging silos, consider the following scenario: An external attacker (or even an insider) compromises a number of user accounts, seeking access to a sensitive corporate database. After failing to log in to the database with the first four accounts, he successfully logs in with the fifth account (a privileged user), downloads the organization’s customer list and emails it from the compromised account to a suspicious domain. Most organizations would struggle to piece together these actions into a cohesive picture of the attack and its impact, and almost certainly would not see it in real time.
But with the combination of QRadar, IBM Guardium Database Security and IBM X-Force threat intelligence, the attack is detected and its impact identified immediately. Guardium provides the continuous database monitoring and sends alerts to QRadar SIEM, which enriches the view of the incident with the network flows and logs it has collected. It then observes activity involving an IP address (the receiving domain) that IBM X-Force has identified as suspicious. QRadar QFlow also provides insight into the content actually sent by the attacker, via deep packet inspection. And if the organization wanted to apply automated remediation to prevent the data exfiltration, it could even use QRadar to have the perimeter security devices block the data transmission. In sum, the incident is detected in real time and the impact understood – or even prevented.
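As an added illustration of the correlation described above (this is example code written for this post, not QRadar, Guardium or X-Force code; the event format, field names, thresholds and the threat-intelligence list are all assumptions), the following Python script walks constructed database-monitor and mail-log events from each source address and raises an offense only when the whole chain appears: a burst of failed logins across distinct accounts, a privileged login, a bulk export by that user, and outbound mail to a flagged domain, all inside one time window. A second source doing a routine export to a legitimate domain produces no offense.

```python
"""Toy cross-source correlation for the compromised-account scenario above.
Added example; not Q1 Labs, QRadar or Guardium code. Event fields, the
threat-intel list and the thresholds are assumptions made for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-ins for a threat-intelligence feed and a privileged-identity list.
SUSPICIOUS_DOMAINS = {"drop-zone.example"}
PRIVILEGED_USERS = {"dba_admin"}

# Constructed events: the first source replays the scenario in the post
# (four failed logins, one privileged success, a bulk export, outbound mail to a
# flagged domain); the second is a legitimate admin doing a routine export.
EVENTS = [
    {"ts": "2012-02-28T09:00:01", "src": "10.1.1.50", "type": "db_login", "user": "jsmith", "ok": False},
    {"ts": "2012-02-28T09:00:07", "src": "10.1.1.50", "type": "db_login", "user": "mlee", "ok": False},
    {"ts": "2012-02-28T09:00:12", "src": "10.1.1.50", "type": "db_login", "user": "rpatel", "ok": False},
    {"ts": "2012-02-28T09:00:20", "src": "10.1.1.50", "type": "db_login", "user": "akim", "ok": False},
    {"ts": "2012-02-28T09:00:31", "src": "10.1.1.50", "type": "db_login", "user": "dba_admin", "ok": True},
    {"ts": "2012-02-28T09:02:10", "src": "10.1.1.50", "type": "db_export", "user": "dba_admin", "table": "customers", "rows": 250000},
    {"ts": "2012-02-28T09:05:44", "src": "10.1.1.50", "type": "mail_out", "user": "dba_admin", "rcpt_domain": "drop-zone.example"},
    {"ts": "2012-02-28T09:01:00", "src": "10.1.1.77", "type": "db_login", "user": "dba_admin", "ok": True},
    {"ts": "2012-02-28T09:03:00", "src": "10.1.1.77", "type": "db_export", "user": "dba_admin", "table": "customers", "rows": 250000},
    {"ts": "2012-02-28T09:04:00", "src": "10.1.1.77", "type": "mail_out", "user": "dba_admin", "rcpt_domain": "partner.example"},
]


def _fresh():
    """Per-source state: which stages of the attack chain have been observed so far."""
    return {"start": None, "failed_users": set(), "priv_user": None, "export": None}


def correlate(events, window=timedelta(minutes=30), fail_threshold=3):
    """Walk each source's events in time order and raise an offense only when the
    full chain appears inside `window`: at least `fail_threshold` distinct accounts
    failing to log in, then a privileged login, then an export by that user, then
    outbound mail to a domain on the threat list. Returns a list of offense dicts."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_src[e["src"]].append(e)

    offenses = []
    for src, evs in by_src.items():
        state = _fresh()
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            # Drop stale partial matches so an old failure burst cannot be paired
            # with unrelated activity hours later.
            if state["start"] is not None and t - state["start"] > window:
                state = _fresh()
            if e["type"] == "db_login" and not e["ok"]:
                if state["start"] is None:
                    state["start"] = t
                state["failed_users"].add(e["user"])
            elif (e["type"] == "db_login" and e["ok"]
                  and e["user"] in PRIVILEGED_USERS
                  and len(state["failed_users"]) >= fail_threshold):
                state["priv_user"] = e["user"]
            elif e["type"] == "db_export" and e["user"] == state["priv_user"]:
                state["export"] = e
            elif (e["type"] == "mail_out" and state["export"] is not None
                  and e["rcpt_domain"] in SUSPICIOUS_DOMAINS):
                offenses.append({
                    "src": src,
                    "failed_accounts": len(state["failed_users"]),
                    "privileged_user": state["priv_user"],
                    "exported_table": state["export"]["table"],
                    "exported_rows": state["export"]["rows"],
                    "recipient_domain": e["rcpt_domain"],
                    "first_seen": state["start"].isoformat(),
                    "last_seen": e["ts"],
                })
                state = _fresh()  # chain consumed; start over for this source
    return offenses


if __name__ == "__main__":
    for o in correlate(EVENTS):
        print(f"OFFENSE from {o['src']}: {o['failed_accounts']} failed accounts, "
              f"{o['privileged_user']} exported {o['exported_rows']} rows of "
              f"{o['exported_table']} and mailed to {o['recipient_domain']}")
```

The point of keying the state machine on the source address and requiring every stage is that no single feed sees anything alarming on its own: the database monitor sees an admin export it sees every week, and the mail gateway sees one outbound message. Only the ordered combination, checked against the threat list, is worth an analyst's time, and the window reset keeps a stale failure burst from pairing with unrelated later activity.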
We view this as an important step forward in bridging security silos and applying greater intelligence and automation. What do you think?
For more information on today’s announcement, please see the press release here.
Posted by Melissa Stevens in Security Intelligence
Recently, Michael Applebaum, Director of Product Marketing at Q1 Labs, was interviewed for a post on Security Intelligence by Wes Simonds, a writer for the IBM Software blog. As you can imagine, in a company as large as IBM (offering thousands of solutions to a whole variety of business challenges), we encounter a lot of people who want to know more about the concept of Security Intelligence and have a lot of questions about exactly what it is we do here at Q1 Labs!
With that in mind, I’d like to share an excerpt from this short post that I think you’ll find fairly entertaining. After all, it’s not every day that we get to hear about a grandma in an article about next-generation SIEM architectures.
Quite a few of today’s organizations could learn a little something about security from my grandmother — a thoughtful, yet paranoid creature who maintained a watchful vigilance over her home. I recall once she was going to Europe for two weeks. So, anticipating hordes of burglars, she developed an advanced domestic security architecture:
1. Data must be continually collected from many sources and analyzed for relevance, using proven heuristics
2. Point solutions like firewalls, though useful, are far from adequate by themselves
3. Proactive measures should be taken to address potential security gaps
4. Assets should be protected in proportion to their business value
5. Strategies spanning multiple domains should be pursued to maximize holistic security
6. Centralized oversight of those strategies will simplify and accelerate management
I believe quite a few IT security concepts can be extrapolated from this ad hoc architecture. Let’s go down that list and rephrase things a bit…
Perhaps this article can help you explain security intelligence and next-generation SIEM to your business and IT operations colleagues. Click here to read the full article. For more information on Security Intelligence, download our white paper, “The IT Executive Guide to Security Intelligence.”
Posted by Melissa Stevens in Cybersecurity, Log Management, Security Intelligence, SIEM
This morning I read an article on Computing.co.uk that asked, “How can organizations be prepared for cyber security incidents they can’t predict?”
I think this is a question a lot of CISOs ask themselves – and certainly, they should be. In the recent Data Protection & Breach Readiness Guide, published this January by the Online Trust Association (OTA), a key takeaway is “If a business collects data it will experience a data loss incident at some point.” So while you may not be able to predict how you will be breached, it’s reasonable to assume that you will. This is the first step in a comprehensive network security strategy.
There are plenty of tools out there that can help analyze network configurations and identify the vulnerabilities that are creating entry points. You can run simulations and tests, hire white-hat hackers to break into your systems, and monitor network activity until you’re blue in the face. There are some breaches you can prevent, and there are some that you will never see coming.
The key is to have capabilities that will help you respond to the breach and limit your organization’s exposure as quickly as possible. How many horror stories have we heard over the past year of high-profile breaches that lasted for months before they were spotted? How long did it take to find out what really happened? When breached, you immediately want to know who, what, when and how, so you can brief your constituents (customers, executives, board members, etc.) about what has occurred along with your remediation plan. This is where Security Intelligence comes in.
A Security Intelligence solution like QRadar can help keep you safe. It can be a part of your walled fortress, collecting information from across your entire infrastructure and alerting you when anomalies occur or improper configurations create new vulnerabilities. But more importantly, it can act as a stopgap, the tool you use to help stop the ship from sinking. Knowing immediately that you have been breached and what has been compromised; knowing how the breach occurred and where it originated; seeing where the information has been distributed, in real time; all of this knowledge can help you respond and stop the threat from spreading further. And since it’s only a matter of time before a breach occurs, better response preparation could be the competitive advantage you’re looking for.
For more information about breach response best practices, please read Five Ways to Prepare for Your Data Breach. As always, share your comments and questions below!
Posted by Todd Harris in In the Industry, Security Intelligence
According to a recent tweet from the well-known hacktivist group Anonymous, they are back in action and taking requests. Then again, they never really were out of action, but with all the SOPA, PIPA, and now ACTA debates lately, they are making their voice heard.
Anonymous has always been vocal on many social media sites, but has never actually opened up for requests. This brings the concept of being a “target of choice” to a whole new level, don’t you think? Before the public onslaught of hacktivism over the past year or so, it was assumed that these decisions about “who to hack” were taking place covertly in the background via encrypted messages, IRC, forum threads, etc. While it certainly is intimidating for the organizations being called out, it gives others warning that they might not have had before.
Looking back a couple of years, would you have predicted hacktivist organizations exposing themselves on social sites such as Facebook, Twitter, and YouTube to gain a consensus on who their next target(s) should be?