Posts Tagged ‘Analysis’
There’s nothing more gratifying than getting positive feedback from the people whom you wake up every day to serve – your customers. That’s why we were thrilled when a new InformationWeek customer survey on the SIEM market was just published, with the headline “IT Rates IBM’s Q1 Labs Top SIEM Performer”. To be clear, this was not a “sponsored vendor test”, but was conducted independently of the vendors named.
Reflecting input from 300+ SIEM users in North America, this was a wide-ranging survey covering product capabilities, vendor support, cost of ownership and more. (Download the full report here.) If this were the Oscars, we’d be talking about a virtual sweep for Q1 Labs. Thank you, North America!
The report is overflowing with SIEM product and market insight, so let me highlight some of the more interesting findings.
Let’s get right to it: “Users and evaluators of IBM/Q1 Labs rated it [the] leader for overall performance.” As the report explains, these performance ratings are based on a set of 10 general criteria, including product reliability, product performance, flexibility, operation cost and many others.
Q1 Labs was also the highest rated vendor for product features, reflecting outstanding performance across 11 distinct categories. These include event correlation, real-time analysis for alerts, root cause analysis and investigation of archived logs, operational dashboard, and seven other sets of capabilities.
Who’s Who in SIEM
Of the 17 vendors InformationWeek asked users about, only 8 vendors received a sufficient number of responses (10% or more of total respondents) to be included in the results. The other 9 were dropped from consideration.
Vendors notably failing to make the cut include EMC/RSA, a legacy first-generation SIEM vendor, and McAfee/NitroSecurity, which claims to be an up-and-comer but only generated responses from a paltry 2% of customers.
Top Evaluation Criteria
The top three evaluation criteria according to customers are product reliability, product performance, and flexibility. In other words: Does the product deliver robust capabilities; can it be tailored for my specific needs; and can I rely on it?
Customers rated Q1 Labs as #1 in all three of these critical dimensions. QRadar’s flexibility is something in which we take particular pride, because many SIEM users say flexibility has more impact on their overall experience than anything else. They care about practical questions such as:
- How easily can you create or change a correlation rule or a report, to meet your particular business needs?
- How quickly can you adjust a log source integration module for an uncommon data source? (Most SIEM vendors would discourage users from even trying this themselves. We do not.)
- Can you easily upgrade a log management product to a full SIEM product – without buying new hardware, migrating to a completely different database, changing your architecture, or paying for expensive professional services?
- Is it possible to expand the scale of your deployment linearly by simply deploying more appliances – or do you need to re-architect the whole solution once you reach a certain scale (at considerable expense)?
We were proud that customers rated Q1 Labs higher than any other vendor on “Flexibility in meeting your organization’s needs.” This aspect of SIEM really matters.
Survey respondents also commented on the total cost of ownership for SIEM. While we take pride in QRadar’s advanced capabilities, our commitment to Intelligence, Integration and Automation isn’t just about building the most powerful analytics. It’s also about finding ways to make life easier for security and risk management professionals, which translates into lower operational costs.
We were grateful to see this reflected in the InformationWeek survey, where a broad cross-section of SIEM users rated Q1 Labs very highly on both acquisition cost and operation cost (meaning: offering an affordable cost).
Our decade-plus work to understand customers’ challenges with SIEM and related technologies has led to several innovations that simplify security operations:
- The unified architecture of the QRadar Security Intelligence Platform greatly enhances ease of use and lowers the total cost of ownership. By offering log management, SIEM, behavioral profiling & anomaly detection, network flow collection & analytics, and vulnerability & security configuration management in one modular platform, we follow the KISS Principle (Keep It Simple, Security pros!). Users don’t have to struggle with different user interfaces, databases, data taxonomies or administration requirements – weaknesses of many other SIEM products, especially legacy first-generation ones.
- Capabilities like automated discovery of log sources, applications and assets, and auto-grouping of assets, save users time upfront and on an ongoing basis.
- Embedded security knowledge in the form of thousands of pre-defined rules, reports and searches that help users share insight faster with their colleagues and auditors.
The next most important criterion for customers, according to the survey, is quality of postsales support. Again, IBM/Q1 Labs was honored with the highest rating of any vendor. Q1 Labs has always held a deep commitment to client success, and frankly our customer support team are some of the most capable and dedicated professionals you’ll ever work with. This note from a Q1 Labs customer to a Q1 Labs business partner crossed my inbox just last week, and adds a personal perspective to the survey discussion:
“Just want to send you a special thanks for recommending QRadar SIEM. It’s much better than [competitor product] which we had for years. It gives us a lot more visibility into our network and security environment. It has even accomplished several of our custom requirements since it was deployed just a month ago. In my own experience, the Q1 Labs support is very knowledgeable too, easy to get a hold of, always trying to help, and very fast to escalate to the developers if the support people don’t have the solution.”
In my next post, I’ll share more insights from the InformationWeek customer survey, including detailed findings about the vendors’ product features and customers’ reasons for switching vendors. Stay tuned!
PS: See related post about why IBM/Q1 Labs was chosen as a Leader in the most recent Gartner Magic Quadrant for SIEM.
I recently returned from the Gartner Security Summit in London, an annual affair. While it was moved back to the stodgy Hotel Lancaster (it was in a shiny new hotel on the Thames last year), it was highly attended and very, very active. Since last year, the news has been all about prominently disclosed attacks, internal and external, so the over-arching theme was sophisticated attacks. That awareness of risk and threat is solidly at the BoD level with Gartner clients, and the edict from on high: get our house in order, as it is only a matter of time and in fact we probably have already been breached to some extent.
Enterprise Security Intelligence is a pervasive theme with Gartner Security and Risk Management teams, and so it was at the event as well. But similar to the Washington DC event this past summer, there were far more sessions on “how to…” define your needs relative to your unique environment. And compliance has become table stakes, checklist tactics rather than an end in itself. And of course this prioritization is spot on: compliance does not equal a measurable, defensible security and risk posture.
One of the best sessions was on risks associated with cloud-sourced services. The content was pragmatic, focused on specifics, such as:
–Diverse tenancy is a new world, versus controlled environment. Your competitors could be using same cloud platform, for example.
–Public access: where are the controls?
–Economic Denial of Service: newly coined term meaning a targeted attack designed to spin up gobs of storage = gobs of cost, billed to you!
Some bits of note (can you spot my Brit vernacular?):
–Security monitoring is essential for any use cases within cloud services, be they hosted, on-prem, or MSSP-driven
–Cloud was primarily Public Cloud, versus virtual datacenter in the sessions I attended
–In one session on Security Monitoring, a definition of Security Intelligence was put forth:
- data is gathered: more is better
- reasoning is applied, in the form of analytics
- actionable information drives a decision
Pretty high level in my view, but maybe less is more.
I was explaining our correlation and analytics engine the other day and it reminded me that much of the data analysis that we perform is modeled on the judicial system. In fact, we originally called our correlation capability the Judicial Systems Logic and still today we call the analysis process that runs within our product, “The Magistrate”. Now in the early days, certain analysts bloviated that this analogy was a little contrived, so over time we dropped it….shame on us; I still think it makes all sorts of sense, particularly as more and more people realize the need for greater security intelligence in their operation.
When customers feed application, network, identity, vulnerability and security data into QRadar, the Magistrate is weighing all the different evidence from the various product witnesses. The witness and associated evidence is judged according to its credibility, severity and relevance and all of these weights participate in the creation and observation of an offense. In this virtual court house, an offense is an attack against a network or infrastructure and each offense has a different magnitude. The magnitude, represented on a scale of 0-10, is the result of combining the three different measurements as they apply to monitored information.
- Credibility — Credibility indicates the integrity or validity of evidence as determined by the credibility rating from devices reporting the individual security events. The credibility can increase as multiple sources report the same event
- Severity — Severity indicates the amount of threat an attacker poses in relation to how prepared the target is for the attack
- Relevance — Relevance determines the significance of an event or offense in terms of how the target asset has been valued within the network
Our product, deployed at 1800 customers worldwide, is ultimately helping to deliver judgements on activity surfaced from those customer environments. The judgements may be driven mostly by out-of-the-box content Q1 Labs delivers, or through customized rules (or rulings ) from the customer and its security partners.
You tell me: isn’t the judicial system analogy easier to explain to your CEO than “statistical, anomaly, rules-based, flux- capacitor driven correlation”?
(btw, we do all of that too….well, not the flux capacitor bit!)
As with many things in life – history, politics, even Google – there are often questions we want to ask, which for different reasons we never get a chance to do so. Security Intelligence is no exception, stimulating a range of questions that beg to be answered today.
In this multi-post series, we will look at the most common questions surrounding Security Intelligence. This emerging marketplace in IT security integrates and extends familiar solution categories such as log management, security information and event management (SIEM), network behavior anomaly detection (NBAD), risk and compliance management, and network forensics.
What distinguishes Security Intelligence from these point capabilities is a holistic approach to viewing and managing the security and risk posture of an organization. Not just after an exploit, but also before an exploit occurs. Not just a partial view of network activity, but complete 360-degree visibility. And not just a means to record massive data, but a means to gain critical insight and take proactive measures based on it.
With security breaches and insider fraud rampant, it’s no surprise that security is among the greatest concerns for government bodies, IT teams, and business executives today. And for good reason: not only are the threats more varied than ever, but the intent of today’s threats has changed – from targets of opportunity to targets of choice. This means there is nowhere to hide, if – or should I say when – your organization gets hacked.
In this blog series, we will provide clear answers to practical questions about Security Intelligence:
- What is Security Intelligence and why does it matter today?
- How do next-generation Security Intelligence solutions differ from first-generation point products?
- How much staffing and expertise do I need to use Security Intelligence solutions?
- What benefits do organizations achieve from Security Intelligence deployments?
- How quickly do organizations realize ROI on their Security Intelligence deployments?
- What practical steps can I take to get started with Security Intelligence?
This series will give you direct answers to cut through the noise, and real-world customer examples that show what people are doing today to enhance their security posture and exceed compliance requirements.
Join us regularly in this tour, and don’t be afraid to ask additional questions that you always wanted to know about Security Intelligence! Don’t miss a post in the series; subscribe here with your favorite RSS reader today.
Posted by Iven Connary in Cybersecurity
The first step a smart cyber-criminal takes is to turn off logging at the host, blinding the SOC. But you can’t turn off the network. Network activity monitoring is a security fundamental that some organizations do without, at their peril. Effective analysis of network session activity, known as flow data to router jockeys, involves not just the collection of data, but also the ability to correlate that data against log events and other security activity across your enterprise.
The first question to consider is how deep to dive into the activity crossing your networks? Are you limited to Layer 4? Are you blind to the bad guys in your virtual infrastructure? If so, you don’t have the complete level of visibility needed to fully secure and monitor your environment. Without application -layer intelligence, you aren’t protected against more sophisticated attacks, and internal attacks such as fraud and theft of IP.
For instance, bots have evolved to keep pace with security countermeasures. They hide in seemingly harmless protocols, such as HTTP, and use encryption to evade IPS and firewall detection. Application-layer visibility provides the intelligence to distinguish botnet command and control activity from otherwise innocuous web traffic, and can even distinguish between valid encrypted data and that meant to obfuscate the application. Without application-layer visibility, you can’t comprehensively detect, respond to, and investigate policy violations, exploits, and intrusions.
But you are not done yet. Now that you have an accurate picture of your network activity, you need to be able to correlate it, analyze it, and, if there is a policy violation or intrusion, generate an alert. To effectively do this you must have:
- Native flow analysis, integrated deeply into the solution so it understands the value of network telemetry vs. log events
- Correlation of network data in real time, not just as post-incident forensic data
- Retention of application layer content retention; converting flows to logs discards critical forensics information
Leveraging network activity delivers total security intelligence (and provides intelligence beyond simple log collection) and results in the improved ability to detect and remediate threats, enforce network policies, and minimize risk to mission critical IT systems. If you can’t get to Layer 7 and aren’t able to collect, correlate and analyze that data, you really don’t have network activity monitoring support.