Category: SIEM
Posted by Michael Applebaum in Cybersecurity, Q1 Labs, Security Intelligence, SIEM, Threat Management
Today, IBM announced the first major deliverable from the acquisition of Q1 Labs back in October – a new and dramatically enhanced QRadar Security Intelligence Platform. The new release combines deep analytic capabilities with real-time data feeds from hundreds of different sources to give organizations the ability to help proactively protect themselves from increasingly sophisticated and complex security threats and attacks.
This is exciting news for many reasons, including that QRadar continues to define the frontier of security intelligence, offering new capabilities for instant search, massive scalability and intelligent data policy management. In addition, QRadar will tap security analytics and threat intelligence from more than 400 sources. IBM X-Force, one of the world’s largest repositories of threat and vulnerability insights, provides an intelligence feed to QRadar based on the real-time monitoring of 13 billion security events per day. This insight can flag behavior that may be associated with new and emerging threats, all in real-time. Whether it’s the newest strain of malware or an advanced exploit technique first being seen halfway around the world, QRadar will monitor this intelligence and correlate it with what’s happening in your own environment, large or small.
To provide one example of how we’re bridging silos, consider the following scenario: An external attacker (or even an insider) compromises a number of user accounts, seeking access to a sensitive corporate database. After failing to login to the database with the first four accounts, he successfully logs in with the fifth account (a privileged user), downloads the organization’s customer list and emails it from the compromised account to a suspicious domain. Most organizations would struggle to piece together these actions into a cohesive picture of the attack and the impact, and almost certainly would not see it in real-time.
But with the combination of QRadar, IBM Guardium Database Security and IBM X-Force threat intelligence, the attack is detected and impact identified immediately. Guardium provides the continuous database monitoring and sends alerts to QRadar SIEM, which enriches the view of the incident with network flows and logs it has collected. It then observes activity involving an IP address (the receiving domain) that IBM X-Force has identified as suspicious. QRadar QFlow also provides insight into the content actually sent by the attacker, via deep packet inspection. And if the organization wanted to apply automated remediation to prevent the data exfiltration, it could even use QRadar to have the perimeter security devices block the data transmission. In sum, the incident is detected in real-time and the impact understood – or even prevented.
We view this as an important step forward in bridging security silos and applying greater intelligence and automation. What do you think?
For more information on today’s announcement, please see the press release here.
Posted by Melissa Stevens in Cybersecurity, Log Management, Security Intelligence, SIEM
This morning I read an article on Computing.co.uk that asked, “How can organizations be prepared for cyber security incidents they can’t predict?”
I think this is a question a lot of CISOs ask themselves – and certainly, they should be. In the recent Data Protection & Breach Readiness Guide, published this January by the Online Trust Association (OTA), a key take away is “If a business collects data it will experience a data loss incident at some point.” That said, maybe you can’t predict how you will be breached, but it’s reasonable to assume that you will. This is the first step in a comprehensive network security strategy.
There are plenty of tools out there that can help analyze network configurations and identify the vulnerabilities that are creating entry points. You can run simulations and tests, hire white-hat hackers to break into your systems, and monitor network activity until you’re blue in the face. There are some breaches you can prevent, and there are some that you will never see coming.
The key is to have capabilities that will help you respond to the breach and limit your organization’s exposure as quickly as possible. How many horror stories have we heard over the past year of high profile breaches that lasted for months before they were spotted? How long did it take to find out what really happened? When breached, you immediately want to know who, what, when and how, so you can brief your constituents (customers, executives, board members, etc) about what has occurred along with your remediation plan. This is where Security Intelligence comes in.
A Security Intelligence solution like QRadar can help keep you safe. It can be a part of your walled fortress, collecting information from across your entire infrastructure and alerting you when anomalies occur or improper configurations create new vulnerabilities. But more importantly, it can act as a stop gap, the tool you use to help stop the ship from sinking. Knowing immediately that you have been breached and what has been compromised; knowing how the breach occurred and where it originated from; seeing where the information has been distributed, in real-time; all of this knowledge can help you respond and stop the threat from spreading further. And since it’s only a matter of time before a breach occurs, better response preparation could be the competitive advantage you’re looking for.
For more information about breach response best practices, please read Five Ways to Prepare for Your Data Breach. As always, share your comments and questions below!
Posted by Todd Harris in Retail, Security Intelligence, SIEM
Welcome to the final part of our “customer use perspective” series, where one of our biggest retail customers talks about using network flow data to add a whole new dimension to their security posture. When we talk about network flow, it’s not limited to the typical formats – i.e. NetFlow, J-Flow and sFlow. While standard network flow is useful for establishing a general understanding of network conversations, it doesn’t provide deep visibility into network activity beyond basic network characteristics such as IP address and protocol transport.
To help fill this gap, there is QRadar QFlow, which provides Layer 7 visibility (application layer) and stateful classification of applications and protocols such as voice over IP (VoIP), social media, ERP, database, and thousands of other protocols and applications. While this information is powerful on its own, it becomes extremely useful when correlated with network and security events as part of a SIEM and Log Management solution.
Watch the clip to hear how our customer is using QRadar QFlow in their environment:
What can you do with QRadar QFlow?
- Detect zero-day threats through traffic profiling
- Comply with policy and regulatory mandates via deep analysis of application data and protocols
- Monitor social media traffic
- Advanced incident analysis via correlation of flow and event data
- Continuous profiling of assets
Learn more about QRadar QFlow and be sure to listen to the full webcast to hear more about how our customer is utilizing the QRadar Security Intelligence Platform to help meet compliance regulations, centralize logs, correlate network events, and detect anomalies that other solutions might miss.
Related: 80,000 Credit Cards Hacked (Why Authentication Alone is Insufficient)
Posted by Todd Harris in Retail, Security Intelligence, SIEM
Welcome to the fourth installment of our latest “customer use perspective” series, featuring a large Q1 Labs customer who is a well known luxury brand in the retail industry. If you missed the first three, you can find them all here.
In this part of the series, our customer covers a few tips, tricks, and best practices when rolling out QRadar.
Below are a few of the high-level topics addressed by our customer, and a synopsis of their thoughts on each.
Deployment
After you install the appliances, progress through interactive startup menu, setup IP addresses, DNS entries, etc., have your network hierarchy ready to go before roll-out for a quicker deployment.
Functionality
Specific to reporting, there are a number of preset templates. However, it’s simple to create a report on any type of data you want to focus on.
Support
Tech support will help you tweak and tune your installation, whether it’s via phone and/or via a secure tunnel. Our customer greatly appreciated the secure tunneling to get their request completed as fast as possible.
The last part of this series will wrap up with a focus on network flow, which can vastly improve your ability to detect anomalies. Until then, watch the first three videos in the series and check out the full on-demand webinar.
Posted by John Burnham in Cybersecurity, In the Industry, SIEM
This is the traditional time of year for Predictions of all sorts. One of my favorites was from the late, great George Carlin, AKA “The Hippy Dippy Weatherman“: “Today’s weather forecast is for gradual brightening in the morning, increasing throughout the day, with gradual darkening through the evening into late night, when the pattern repeats itself.”
In security, it could go something like: “The forecast is for continued escalation of targeted attacks by nation states, professionals, insiders and hacktivists. Occupy Data today announced…”
Here are a few excerpts from real forecasts.
ABC News: “Big companies and government agencies likely will have to rethink their approach to tech security in the wake of the disbanding of hacktivist group LulzSec, security analysts say. Spending on information technology security already is growing faster than spending on general technology. And corporate and government tech buyers will have to dole out even more to defend against profit-minded cyber thieves and spies looking to swipe state and corporate secrets. In fact, global spending on security products and services is expected to reach $71 billion by 2014, up from $55 billion today, according to Lawrence Pingree, research director for Gartner.”
And the professional prognosticators forecast increased investment in tools, solutions, services and systems as a result:
Canalys ended 2011 by announcing the results of its latest enterprise security forecast, indicating that total investment is expected to grow 8.7% year-on-year in 2012 to reach a market value of $22.9 billion worldwide.
- Eighteen percent of respondents say they are not PCI-compliant, even though the data suggests they should be.
- Thirty-three percent of respondents are expecting their overall IT budgets to increase this year.
- Spending on personnel has decreased by 3% this year, which will result in higher expectations by organizations for better integration and automation from their technology purchases.
- In this year’s survey, IT security-specific budget allocations have climbed by 4% to a mean of 10.52% of the total IT budget.
We see all of this as evidence that technologies such as data loss prevention (DLP), device control, database activity monitoring (DAM), security information and event management (SIEM) and IT governance, risk and compliance management (GRCM) tools stand poised for strong growth as respondents have indicated they rank them as priorities.
The numbers might be various, but they are all big and getting bigger.
Share your predictions in the comments below.
The latest on Cyber Security