Posts Tagged ‘IBM’
Mining Big Data for Better Security Intelligence
Today, IBM Security Systems announced a “Breakthrough with Combination of Security Intelligence and Big Data – Data Analytics Helps Organizations Hunt for Cyber Attacks.” By combining the worlds of business and security intelligence, organizations can analyze data in new ways, detecting threats they would previously have missed and reacting faster with more accurate and timely results. Sandy Bird, CTO for IBM Security Systems, wrote an interesting blog post on this topic in which he argues that the security strategy of the future will be built on the underlying premise that every new source of data is a blessing and not a curse.
Excerpt from the IBM Smarter Planet Blog:
Over the years the game of cat and mouse between attackers and people tasked with defending networks against their advances has evolved to become increasingly more complex. Every new advance in defensive technologies has forced attackers to adopt new tactics, and every new attack technique has produced a new security start-up. The result of this game has been that some of the most diligent and advanced security organizations in the world have deployed over 60 different security products, products that infrequently communicate with one another. Unfortunately, this has not proven a sustainable long-term approach to the security challenge as attacks have become more complicated, difficult to detect and even far-reaching. Realistically, we can’t rely on any single product to be successful 100% of the time. The question is, if we understand the realities associated with perfection, why do we continue to embrace strategies that seem to rely on products being successful in isolation?
We need a different, foundational approach to the security challenges associated with sophisticated attackers… the security strategy of the future will be built on the underlying premise that every new source of data is a blessing and not a curse.
Read Sandy’s full post on the IBM Smarter Planet Blog for answers to questions like “How to identify and combine those subtle data indicators of an attack?” and “Does a security strategy need to change just because another piece was added to the puzzle?”
If you are interested in learning more about IBM Security Intelligence for Big Data be sure to check out:
- VIDEO: The Role Big Data Plays in Solving Complex Security Problems
- INFOGRAPHIC: A Big Data Approach to Security Intelligence
- IBM Security Systems website: product information, white papers and more
If you want to skate to where the puck is going in security today, it’s best to think big – as in Big Data. To detect stealthy breaches by advanced adversaries, you need to analyze a greater volume and variety of data, at a greater velocity – the so-called “3 V’s” of Big Data. Big Data analytics is as critical to security as to any other field, because it holds the promise of analyzing data sets too large to process in the past – in other words, solving previously unsolvable problems. In this way, it can help discover insights – such as security compromises or malicious behavior – that would otherwise have lain hidden.
The best way to obtain security analytics at Big Data scale is with a purpose-built security intelligence architecture that can scale to meet your needs, unpredictable as they might be. You want a solution that can expand as your business grows, as you analyze new types of security data, and as your security process maturity increases. One requiring minimal administration but offering maximum flexibility. In other words, a security intelligence cloud.
Just what is a security intelligence cloud? (No, it’s not a cloud-delivered security intelligence solution.)
It starts with the building blocks of security intelligence:
- Integrated capabilities for SIEM, log management, behavioral anomaly detection, configuration & vulnerability management, and forensics
- Via a pre-packaged and scalable solution, just as you would expect from a SaaS application
This contrasts with the inflexible architectures and non-scalable databases of legacy security products.
Let’s consider the most appealing characteristics of cloud computing and their role in a Security Intelligence (SI) Cloud:
- Scalability and elasticity – This is arguably the most central aspect of cloud computing, and the security intelligence cloud in particular. Through an architecture that supports high-speed data collection and real-time correlation, using a flexible and distributed database, an SI cloud not only performs security analytics at Big Data scale but also adjusts on-demand to changing needs.
- Location independence – A security intelligence cloud enables you to capture data from anywhere in your network, correlate it globally, and make it available instantaneously to users worldwide. By using a federated, distributed data architecture that abstracts physical data stores, an SI cloud eliminates underlying data management complexity – just as an IaaS cloud solution abstracts the physical locations and capacities of server hardware from the IaaS customer.
- Agility – An essential element of the cloud model, agility is critical for security intelligence deployments because the volume and variety of data monitored will grow over time, and you might need to change the types or locations of data collection sensors across your network.
- Cost structure – Whether you deploy your security intelligence cloud on a (virtualized) cloud platform might determine how much you end up substituting operational for capital expense, but either way, an SI cloud should provide a cost-effective and growth-friendly solution that doesn’t require large expenditures for incremental volume increases.
- Maintenance – An SI cloud can offer further benefit through the use of appliances that are pre-configured and require minimal infrastructure management. This allows users to focus on the task at hand: detecting the risks that matter and remediating them appropriately.
- Reliability – A modern SI cloud offers native, integrated high availability and data redundancy to enhance overall reliability, like public cloud services.
Just as server virtualization is a foundational technology for cloud computing, a security intelligence cloud can leverage virtualization for cost and agility benefits, as warranted by the organization’s preferences, existing virtual infrastructure, and provisioning speed requirements. It can run on-premises, off-premises or in a hybrid of both. While most customers find the provisioning of hardware appliances fast enough, virtual appliances provide an excellent option when on-demand capacity is needed in minutes.
What’s most important, though, is for the SI cloud to provide a highly elastic data management layer, so that actual system capacity can increase proportionately with storage and computing, rather than get bottlenecked due to architectural constraints.
Collectively, these capabilities enable a security intelligence cloud to be an agile platform for big data security analytics. And we believe QRadar provides the ideal security intelligence cloud, because it fits the requirements above so well.
Major enterprises are using QRadar today to collect and correlate billions of events and network flows per day, in deployments that span multiple locations and connect previously siloed operational groups.
- A Fortune 100 telecommunications provider collects and monitors one million events per second – more than 85 billion events per day – to ensure security and regulatory compliance across its massive customer operations.
- A global energy company uses QRadar to ensure NERC and PCI-DSS compliance (monitoring 6 million card swipes per day) while correlating 2 billion events per day. It performs real-time analysis to determine the 25-50 priority incidents that matter each day – for a roughly 40-million-to-one data reduction ratio.
With the recent release of QRadar 7.1, there are even more ways to use QRadar in the cloud, and to manage big data security analytics. For example, Index Management enables higher performance and better use of storage, through advanced reporting and tuning capabilities. QRadar is also complemented by several recently released IBM Security products that are making cloud computing safer and more effective.
For a related perspective, I also recommend my colleague Chris Poulin’s recent paper which discusses how an organization’s security or risk management group can use security intelligence as an internal cloud service to support groups such as firewall management, systems management and network management.
To close with another of my favorite Gretzky quotes, you miss 100 percent of the shots you don’t take! Don’t miss your chance to learn what a modern security intelligence solution can do for your business. Take the next step in our QRadar Resource Center.
With the release of QRadar Security Intelligence Platform 7.1, we’re excited to share with you a host of new advances to our family of Security Intelligence products – including QRadar SIEM, QRadar Log Manager and QRadar Risk Manager. These innovations are making it easier for users to leverage cloud investments, simplify management, collect and manage data more flexibly, and replicate or extend QRadar deployments. As a result, QRadar users will receive even greater insight and visibility, further reduce manual work and gain higher system performance. Let’s dive in!
Leverage Cloud Investments
We know many of you have built significant private and public cloud infrastructures and are looking for new virtual workloads to deploy in the cloud. With QRadar 7.1 you now have an additional type of appliance – the Event Collector – that you can deploy virtually, providing more ways to use your cloud environment to gain richer security intelligence.
Event collectors – which come in both virtual and hardware appliance form – provide continuous event logging capabilities, even when network connectivity is unreliable. They collect event logs and forward them to an event processor or all-in-one appliance for correlation, analysis and long-term storage. If network connectivity is lost, they can queue events in a storage buffer and then forward them upon re-connecting. (We call this “store and forward.”) In addition to serving locations with intermittent network connections (like naval vessels), event collectors are well-suited for collecting logs in distributed locations with low to moderate event volumes, such as retail stores and satellite offices. A large retailer, for example, might have hundreds of stores in which they want to collect event data, but the data generated in each location is modest enough that event processors (with terabytes of storage per appliance) aren’t required.
With this release, you now have access to a full complement of virtual appliances – console & all-in-one, event processor, flow processor, VFlow collector, and event collector – to best utilize your current and future cloud infrastructures. Even better, appliances can be mixed and matched among virtual appliance, hardware appliance and traditional software form factors, to meet your specific needs.
Simplify Management – Especially for Big Data
As we and others like Scott Crawford and Jon Oltsik have written, information security is truly a big data analytics challenge today. With its heritage in network flow collection and anomaly detection, QRadar has been collecting and correlating massive data sets in real time since before big data became a white-hot phenomenon. Critical infrastructure and tier-one telecommunications providers, banks, and energy and utility companies are using QRadar to correlate as many as one million events per second (EPS) in real time, thanks to QRadar’s purpose-built, embedded Ariel database. But with such massive data volumes come management challenges.
In response, we developed new Index Management capabilities in QRadar 7.1 that provide more refined data management and ultimately better performance. As the volume of stored data explodes, challenges inherent in querying big data become more pronounced – and so do the benefits of optimizing indexes for the queries most often run. QRadar’s default search indexes have always followed the 80/20 rule, providing out-of-the-box indexing for the most commonly used properties. Now we’re taking indexing a step further, enabling deep customization and tuning.
With QRadar 7.1, users have granular control over the creation of search indexes that enable speedy querying. While the fixed database indexing configuration that QRadar has historically provided works well for most scenarios, some clients would benefit from additional or different indexes. That’s why we added the ability to customize the indexing scheme for the event and flow database – so users can drop existing indexes to free up system resources or create new indexes to optimize the system for their specific needs.
QRadar also provides invaluable visibility into the use of indexes – with statistical reporting on the frequency of searches involving each property, how often each property’s index is used, and the size of each index – to help inform indexing decisions. This enables more efficient storage utilization and superior search performance.
Do you suspect one property is getting searched a lot? Get the data.
Do you wonder how big an index has grown? Find out.
Want to start indexing a custom property and see how often that index is used? No problem.
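To make the index statistics concrete, here is an added example (written for this page; it is not QRadar’s Ariel code and does not reflect its actual index format) of a small event store that keeps optional inverted indexes per property, counts searches per property, records whether an index served each search and how many postings each index holds, and uses those numbers to suggest which indexes to add or drop. The property names, the sample authentication events and the “searched at least three times” threshold are all constructed for the demonstration.

```python
"""Searchable event store with tunable indexes (added example, not Ariel code).

Each property may or may not have an inverted index. Every search is counted
per property, as is whether an index served it and how large each index is,
so the numbers needed for add/drop decisions fall out of normal use.
"""
from collections import Counter


class IndexedEventStore:
    def __init__(self, indexed=()):
        self.events = []                # event id == position in this list
        self.indexes = {}               # property -> {value: [event ids]}
        self.searches = Counter()       # searches per property
        self.index_hits = Counter()     # searches per property served by an index
        for prop in indexed:
            self.create_index(prop)

    def add(self, event):
        eid = len(self.events)
        self.events.append(event)
        for prop, idx in self.indexes.items():      # keep live indexes current
            if prop in event:
                idx.setdefault(event[prop], []).append(eid)
        return eid

    def create_index(self, prop):
        """Build an inverted index for `prop` over everything stored so far."""
        idx = {}
        for eid, event in enumerate(self.events):
            if prop in event:
                idx.setdefault(event[prop], []).append(eid)
        self.indexes[prop] = idx

    def drop_index(self, prop):
        self.indexes.pop(prop, None)    # frees the postings; searches fall back to scans

    def index_size(self, prop):
        """Postings held by an index: a proxy for its storage cost."""
        return sum(len(ids) for ids in self.indexes[prop].values())

    def search(self, prop, value):
        self.searches[prop] += 1
        if prop in self.indexes:
            self.index_hits[prop] += 1
            return [self.events[i] for i in self.indexes[prop].get(value, [])]
        return [e for e in self.events if e.get(prop) == value]   # full scan

    def stats(self):
        """Per-property search count, index hits and index size (None if unindexed)."""
        return {prop: {"searches": self.searches[prop],
                       "index_hits": self.index_hits[prop],
                       "index_size": self.index_size(prop) if prop in self.indexes else None}
                for prop in set(self.searches) | set(self.indexes)}

    def recommend(self, min_searches=3):
        """Properties searched often but unindexed -> add; indexed but never searched -> drop.
        The threshold is an arbitrary choice for this example."""
        add = sorted(p for p, n in self.searches.items() if n >= min_searches and p not in self.indexes)
        drop = sorted(p for p in self.indexes if self.searches[p] == 0)
        return add, drop


def run_demo():
    """Default indexes follow expected usage; observed usage says otherwise.
    Sample authentication events are constructed for the demonstration."""
    store = IndexedEventStore(indexed=["src_ip", "event_name"])
    for event in [
        {"src_ip": "203.0.113.7", "user": "svc_backup", "event_name": "Auth Failure"},
        {"src_ip": "203.0.113.7", "user": "svc_backup", "event_name": "Auth Failure"},
        {"src_ip": "203.0.113.7", "user": "svc_backup", "event_name": "Auth Success"},
        {"src_ip": "10.0.0.21", "user": "alice", "event_name": "Auth Success"},
        {"src_ip": "10.0.0.22", "user": "bob", "event_name": "Firewall Deny"},
    ]:
        store.add(event)
    for _ in range(4):                          # analysts keep pivoting on user, which is unindexed
        by_scan = store.search("user", "svc_backup")
    store.search("src_ip", "203.0.113.7")       # one indexed search
    before = store.recommend()                  # (["user"], ["event_name"])
    store.create_index("user")
    store.drop_index("event_name")
    by_index = store.search("user", "svc_backup")
    return {
        "before": before,
        "same_results": by_scan == by_index,    # the index changes cost, not answers
        "user_index_size": store.index_size("user"),
        "stats": store.stats(),
    }


if __name__ == "__main__":
    print(run_demo())
```

The design point is that the scan and the indexed search return identical results; what the usage counters change is which properties are worth the storage of an index, which is exactly the decision the reporting described above is meant to inform.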
Another new capability that simplifies management is QRadar Risk Manager’s Enhanced Policy Monitoring. Risk Manager excels at monitoring network configurations and system vulnerabilities for potential security and compliance violations, and has always alerted when a policy is violated. Now it takes monitoring a step further with the ability to automatically notify when a policy is passed, providing positive evidence of compliance with external regulations and internal corporate policies. For example, you might want a positive notification when the percent of regulatory assets with Internet exposure vulnerabilities is within policy, or when the percent of regulatory assets with client side vulnerabilities that have communicated with the Internet is within policy. Now you can gain affirmative proof of such compliance.
Collect and Manage Data More Flexibly
QRadar 7.1 also offers new capabilities for collecting and managing data with greater flexibility. These include WinCollect – a versatile and scalable new QRadar capability for Windows event collection. WinCollect provides a superior and agentless means for collecting events from large numbers of systems. Installed on a Windows server of the customer’s choice, WinCollect can use the Windows Event Log API to pull events from target systems and then forward them to QRadar, or use Windows event forwarding and allow target systems to automatically push events to it and then forward them to QRadar. WinCollect complements existing collection mechanisms, including Q1 Labs’ own ALE solution, third-party approaches, and native Windows Server capabilities. In a subsequent blog post, we’ll explain the advantages of each approach and the value of having a broad set of choices.
Event collectors (described earlier) also simplify data collection and management, in addition to leveraging cloud infrastructure and enabling event collection under unreliable connectivity. To begin with, their ability to “store and forward” data applies not only when a network connection is lost; it can also be used proactively for policy-based event forwarding. In some cases, a remote location might have reliable but limited network bandwidth, and you might want to limit the collector’s use of bandwidth to specific (less busy) times. With QRadar 7.1, you can limit forwarding by bandwidth utilization (e.g., never consume more than 1 MB/second), and/or set an hourly, daily or weekly forwarding schedule. In addition, event collectors can filter event data before it is forwarded for correlation, reporting and long-term storage.
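The collector behaviour described in the two event collector passages above (local buffering while the uplink is down, a bandwidth cap, a forwarding schedule and pre-forward filtering) as an added example written for this page; it is not QRadar’s own collector code. The token-bucket limiter, the hour-of-day windows and the oldest-first eviction when the buffer is full are design choices made here, not features the page attributes to QRadar, and the point-of-sale events are constructed.

```python
"""Store-and-forward event collector (added example, not QRadar code).

Events are filtered, then queued locally. A forwarder drains the queue only
when the uplink is up, the clock is inside a forwarding window, and a token
bucket has enough byte budget. Anything that cannot go now stays queued, in
order, for a later tick.
"""
from collections import deque
from datetime import datetime, timedelta, timezone
import json


class TokenBucket:
    """Byte-rate limiter: refills at `rate` bytes/second, holds at most `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens = float(burst)      # start full so the first tick can send a burst
        self.last = None                # epoch seconds of the last refill

    def take(self, nbytes, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False


class StoreAndForwardCollector:
    """Local buffer plus policy-based forwarder."""

    def __init__(self, rate, burst, windows, drop_if=None, max_queue=100_000):
        self.queue = deque()            # serialized events awaiting delivery
        self.bucket = TokenBucket(rate, burst)
        self.windows = windows          # [(start_hour, end_hour)], end exclusive
        self.drop_if = drop_if or (lambda event: False)
        self.max_queue = max_queue
        self.filtered = 0               # discarded by the pre-forward filter
        self.evicted = 0                # oldest events dropped when the buffer is full

    def collect(self, event):
        """Filter, then append to the local store. Returns True if queued."""
        if self.drop_if(event):
            self.filtered += 1
            return False
        if len(self.queue) >= self.max_queue:
            self.queue.popleft()        # bounded buffer; oldest-first eviction is a choice made here
            self.evicted += 1
        self.queue.append(json.dumps(event, sort_keys=True).encode())
        return True

    def in_window(self, now):
        return any(start <= now.hour < end for start, end in self.windows)

    def forward(self, now, link_up, send):
        """Drain what policy allows at this instant; returns events sent."""
        if not link_up or not self.in_window(now):
            return 0
        sent, ts = 0, now.timestamp()
        while self.queue:
            payload = self.queue[0]
            if not self.bucket.take(len(payload), ts):
                break                   # over budget: leave it queued, in order
            send(payload)
            self.queue.popleft()
            sent += 1
        return sent


def run_demo():
    """Outage, an out-of-window tick, then a throttled overnight drain.
    The point-of-sale events below are constructed for the demonstration."""
    received = []
    collector = StoreAndForwardCollector(
        rate=200, burst=400,                    # 200 B/s cap (tiny on purpose, ~3 events/s)
        windows=[(0, 6), (22, 24)],             # forward overnight only
        drop_if=lambda e: e["severity"] == "debug",
    )
    for i in range(20):
        collector.collect({"host": f"pos-{i:02d}", "msg": "card swipe accepted",
                           "severity": "debug" if i % 5 == 0 else "info"})
    queued = len(collector.queue)
    night = datetime(2013, 1, 1, 23, 0, tzinfo=timezone.utc)
    noon = datetime(2013, 1, 1, 12, 0, tzinfo=timezone.utc)
    sent_link_down = collector.forward(night, False, received.append)
    sent_out_of_window = collector.forward(noon, True, received.append)
    per_tick = []                               # one forward() call per second
    t = night
    while collector.queue and len(per_tick) < 60:
        per_tick.append(collector.forward(t, True, received.append))
        t += timedelta(seconds=1)
    return {
        "filtered": collector.filtered,
        "queued": queued,
        "sent_link_down": sent_link_down,
        "sent_out_of_window": sent_out_of_window,
        "per_tick": per_tick,
        "delivered": len(received),
        "first_host": json.loads(received[0])["host"],
    }


if __name__ == "__main__":
    print(run_demo())
```

Two things worth noticing when running it: every event that survives the filter is delivered exactly once and in order, because the forwarder never removes an event from the queue until it has been handed to `send`; and the bandwidth cap shows up as a per-second delivery pattern (a burst, then a steady trickle) rather than as lost data. A real collector would persist the queue to disk so it survives a reboot, which this in-memory deque does not.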
Additionally, we have released more than a dozen new product integrations (device support modules) that enable users to normalize and analyze even more types of security telemetry. These include IBM Security zSecure Audit, which allows sending z/OS, RACF, ACF2, Top Secret, DB2, and CICS events from the System Management Facilities (SMF) log to QRadar (in addition to the native z/OS logs that QRadar already collects). We have also completed integrations with many third-party products, such as Verdasys Digital Guardian, AppSecInc DbProtect and Trend Micro Deep Discovery.
Build Extended Solutions and Replicate Existing Deployments
Lastly, we are enabling clients to build extended security intelligence solutions and replicate existing deployments. With Security Intelligence Content Importing/Exporting, you can export correlation rules, building blocks, reference sets, report templates, dashboard widgets and more from a QRadar system to an external device, and subsequently import them into another QRadar system. This enables quick deployment of a new QRadar system based on an existing system or template, as well as sharing of security intelligence content across systems.
We see this being used in several ways:
- Enabling clients to copy custom-built security intelligence content from one deployment to another (across business units or geographies)
- Enabling clients to copy content from a development or test environment to a production system
- Enabling solution providers and system integrators to build unique Security Intelligence intellectual property that they can distribute to their customers.
While QRadar already delivers thousands of rules, report templates, dashboard widgets and saved searches out-of-the-box, many business partners have additional expertise to offer to clients, and have been eagerly awaiting this capability.
To Learn More
With this hefty release completed, we’re gearing up to bring some fantastic new innovations to market in 2013. In the meantime, please try QRadar 7.1 for yourself and let us know what you think. We also encourage you to learn about the other IBM Security product releases just announced, which include capabilities for securing big data environments (including IBM InfoSphere BigInsights and Cloudera), risk-based access control for mobile users in BYOD environments, and privileged identity management.
To read more about using SIEM for targeted attack detection (APTs), you can also download this Gartner report. Or see how organizations are using network flow analytics for better threat detection and network visibility with this Q1 Labs paper. Best wishes in your security journey!
Advanced Persistent Threats (APTs), or Advanced Targeted Threats as Gartner calls them, are now top of mind with security professionals, C-level executives and Boards of Directors.
All brands – as well as major events such as the London Olympics – are now being targeted by increasingly sophisticated attackers and techniques, whether the intent is to steal corporate intellectual property (Lockheed, RSA), disrupt websites to bring attention to a particular cause (FBI, MPAA), or steal customer data (LinkedIn, Epsilon, etc.).
Regarding APTs, Charles Kolodgy, VP of Security at IDC, was recently quoted in this article from Network World:
IBM Tuesday introduced what it’s calling a “next generation” intrusion-prevention system (IPS), an offering that not only is designed to stifle network-based attacks, but adds application-level controls and URL filtering capabilities typically found in separate products such as Web security gateways … With the XGS 5000, IBM wants to maximize its influence with IPS buyers (IBM ranks only behind Cisco with 13.2% of the $1.88 billion market, according to IDC) …
IDC security research analyst Charles Kolodgy says the IBM XGS 5000 does represent a new kind of IPS-based product that “improves network, user, and application awareness” and “vastly improves an IPS’s ability to provide full network protection, especially trying to uncover custom malware and stealth attacks perpetrated by advanced persistent threats.” APT is the term used to describe stealthy attacks to try and steal sensitive corporate data.
Although the term “next-generation IPS” is starting to be bandied about, IDC is still pondering the usefulness of this phrase or whether a new category entirely should be established that “goes beyond either firewall or IPS.”
“The uniqueness isn’t so much in the application layer and URL [visibility], a lot of products have that, but it’s in the ability to set up security at the user level (like the next-generation firewall), correlate that information (in this case with QRadar), and utilize cloud-based threat intelligence to uncover malicious websites and files,” Kolodgy explains.
The article continues to discuss APTs: Indeed, IBM says the appliance’s integration with IBM’s Advanced Threat Protection Platform, which utilizes anomaly detection and event correlation capabilities, enables users to better address more complex attacks such as Advanced Persistent Threats (APTs).
My point for this post is to highlight our most recent offering at IBM Security Systems, the Network Security Protection Platform, and specifically how it may indeed be ushering in what I call Security Intelligence 2.0.
Perhaps this graphic represents the foundation of Security Intelligence 2.0:
What the heck, Q1 Labs put “Security Intelligence” on the map as a new term years ago, in the context of SIEM + Log Management + Configuration & Vulnerability Management + Behavior Anomaly Detection + Deep Packet Inspection. Do you see why we called THAT Security Intelligence?
Now with our Next-Gen IPS being tightly coupled with other related components – as in XGS + QRadar + Anomaly Detection + X-Force real-time threat intelligence feeds — I assert we have raised the bar. And if some leading industry influencers actually said we did, even better. Fact is, when Q1 Labs started talking about Security Intelligence we did not think of it as a “category” but as a better way for customers to both proactively and defensively address what are now commonly called APTs (sorry Gartner).
In other words, it’s not about defending against the latest advanced threats with a new “box” that has more bells and whistles – it’s about tying a range of information sources together with analytics to quickly identify behavioral anomalies, and minimizing false positives so you can quickly remediate the most important threats.
We’ve written extensively in this blog about what Security Intelligence means in concept and practice. As a new solution category, it benefits from wide discussion and exploration. My colleague Chris Poulin recently shared Security Intelligence insights from a client and partner panel he moderated at IBM Pulse 2012, where Security Intelligence was a pervasive theme. In this post, I’ll share a few more data points I picked up from clients at Pulse who discussed what Security Intelligence means and the business value they’re obtaining from it.
One panel discussion included the information security executive of a major media company, the global head of IT security at a global manufacturer, and IBM’s own Vice President of IT Risk, Kris Lovejoy.
The opening question – “What is Security Intelligence?” – elicited some interesting views:
- The ability to learn something germane and relevant at the time you need to make a decision. (Media co. exec)
- It’s less about the technology and more about the destination. Understanding the different threats, instrumenting our architecture in a way that is consumable and actionable. (Lovejoy)
And my personal favorite:
- Knowing what the hell is going on! (Manufacturing co. exec)
The last comment really speaks to the pain experienced by security, risk and IT executives who are wrestling with an explosion of threats, limited visibility and information silos that are tough to bridge. (Not to mention fixed/shrinking budgets.) Who doesn’t worry about what’s taking place out of sight in their organization?
Kris Lovejoy also shared a deeper insight about the impact of Security Intelligence:
Viewing Security Intelligence as a destination brings along a new way of thinking. Security Intelligence can be an effective marketing tool internally. You start to think about security differently and strategically.
This is powerful. Security Intelligence is not just a set of technologies, processes, or even the insights resulting from them. It’s also an approach – one focused on up-leveling the security and compliance conversation, focusing on end goals (especially stretch goals), and delivering greater value to both IT and the Line of Business.
An answer to the next question – “How do you justify security investments?” – also emphasized the need to tie security and risk initiatives back to business value:
Focus on business outcomes that are made possible through the investments. (Manufacturing co. exec)
In other words, what supply chain initiatives are you enabling through careful security controls? What cloud services are you making possible through policies, controls and monitoring? And ideally, are you leveraging your security investments to gain tangible insights that drive revenue opportunities?
One client who presented at Pulse is doing just that, leveraging his Security Intelligence solution to gain Business Intelligence. This security executive from a financial services firm is not only using Security Intelligence to detect fraud (as Chris Poulin describes), but also to pinpoint commercial customers whose business has started to decline. Because his Security Intelligence solution is easily customizable, he uses it to identify falling sales volumes as easily as fast-rising ones. The firm feeds this information to its sales team in real time; the team reaches out to those customers and can often reverse the negative trend, making a meaningful impact on the company’s bottom line.
In fact, the business insights produced by the Security Intelligence solution are so valuable that this company’s executive team specifically praised the IT Security organization’s work during one of the company’s recent earnings conference calls. Imagine becoming a hero to your CEO.
Last, I wanted to share the panelists’ perspectives on where the IT security and risk field is headed. In response to the question “What will be different about security in five years?”, they shared the following:
- We won’t need so much audit preparation effort. The information will just be there, accessible. (Media co. exec)
- The bulk of the organization will focus on risk management and business processes, not compliance. (Lovejoy)
Again, note the themes of information visibility and better connecting IT Security with the Line of Business.
To sum up what I heard from clients at Pulse: Security and risk executives are pursuing Security Intelligence initiatives to raise enterprise-wide visibility, gain actionable and tailored information, and transform security and risk management from a tactical pursuit to a strategic initiative driving bottom-line business value.
For help with your own Security Intelligence journey, be sure to check out this comprehensive Resource Center.