IBM combines security intelligence with real-time analytics on new platform

24 February 2012

The QRadar Security Intelligence Platform, designed by Q1 Labs and acquired by IBM late last year, is now being expanded and integrated into IBM's security offering. The platform now serves as the control centre that integrates real-time security threat intelligence data from more than 400 different sources, raising alerts and blocking activity according to user-set parameters. This is allied to analytical tools such as the ability to query log and flow data simultaneously.

The intention is to help end-user clients better predict, prevent and detect security breaches across an organisation, with IBM tapping security analytics and threat intelligence from its own X-Force threat feed, which has 4000 clients across 130 countries, among many other sources.

IBM believes that combining analytic capabilities with real-time data feeds in the newly expanded QRadar platform will give organisations the ability to proactively protect themselves from the increasingly sophisticated and complex security threats and malware that are out there.

The expanded platform can quickly identify abnormal activity by combining the contextual awareness of the latest threats and methods being used by hackers with real-time analysis of the traffic on a corporation’s IT infrastructure. For example, integrating capabilities in this way can detect when multiple failed logins to a database server occur, and also if this is followed by a successful login and access to credit card tables, followed by an upload to a questionable site. All of this can be tracked, with appropriate alert and block parameters, under the new solution.

Major claimed breakthroughs in the expanded security platform include:

• Latest Threat Intelligence: The QRadar Security Intelligence Platform is now linked to a large repository of threat and vulnerability insights based around the real-time monitoring of 13 billion security events per day via the IBM X-Force threat feed. This insight can flag behaviour that may be associated with Advanced Persistent Threats, which may emanate from teams of attackers who gain access to networks by stealth.

• Visibility into Enterprise Activity: The expanded platform now unites insights from products that span all four areas of organisational risk – infrastructure, identity management, applications and data. This provides breadth of coverage for both IBM and non-IBM solutions. New QRadar integration modules are also being released for Symantec Data Loss Prevention, Websense Triton, Stonesoft, Stonegate and other third party products, further increasing QRadar’s ecosystem and security coverage capabilities.

• Pinpoint Risk in an Age of Big Data: According to IBM, the platform can surface and correlate risk emanating from network access information at the periphery to database activity at the core of a business using ‘big data’ analytics.

According to IBM, companies are struggling to defend themselves against data breaches, such as the theft of customer and employee information, credit card data and corporate intellectual property, precisely because security systems have not been sufficiently integrated and automated. This patchwork approach has created loopholes that hackers can exploit. "Trying to approach security with a piece-part approach simply doesn't work," said Brendan Hannigan, general manager of IBM Security Systems, when discussing the new launch. "By applying analytics and knowledge of the latest threats and helping integrate key security elements [from across our product set], IBM plans to deliver predictive insight and broader protection."

QRadar integration modules for IBM’s existing Guardium Database Security offering, as well as its ‘big data’ analytics and cloud enhancements, are already available. Integration modules for IBM’s X-Force threat intelligence feed, the IBM Security Identity Manager, IBM Security Access Manager, Security AppScan and Endpoint Manager will all be accessible on the expanded QRadar platform by the end of Q2 2012.

The QRadar Security Intelligence Platform can help end-user clients more rapidly identify attacks by connecting possible security events from the following categories.

• People: Organisations should control employee access to information. An employee's unauthorised access to key databases and client information can leave a firm vulnerable to security breaches. With security intelligence, security teams can quickly determine whether the access patterns exhibited by a given user are consistent with that user's role and permissions within the organisation. IBM Security Identity Manager and IBM Security Access Manager will integrate with the QRadar platform, complementing QRadar's support for enterprise directories such as Microsoft Active Directory.

• Data: Data is at the core of security; it is what’s behind every security measure in place, and is the primary target of cyber-criminals. With IBM Guardium Database Security integrated with the expanded security intelligence platform, users can better correlate unauthorised or suspicious activity at the database layer – such as a database administrator accessing credit card tables during off-hours – with anomalous activity detected at the network layer, such as credit card records being sent to unfamiliar servers on the public Internet.

• Applications: Applications are vital to day-to-day functions but can also introduce new and serious vulnerabilities into company networks. Because of this exposure, applications should be patched promptly; organisations, however, are often unable to patch immediately due to corporate testing requirements and change control cycles. With security intelligence, companies can now automatically alert security teams when unpatched web applications are being attacked using known application-layer vulnerabilities that have previously been identified by IBM Security AppScan. This integration complements existing QRadar support for monitoring enterprise applications such as IBM WebSphere and SAP Enterprise Resource Planning.

• Infrastructure: Today, organisations struggle to secure thousands of physical devices, such as PCs and mobile phones, especially as the consumerisation of IT continues apace. For this reason, companies should take extra precautions to help employees to follow secure practices in using these devices. With integration with IBM Endpoint Manager, the expanded security platform can provide organisations with enhanced protection of physical and virtual endpoints — servers, desktops, roaming laptops, smartphones and tablets, plus specialised equipment such as point-of-sale devices, ATMs and self-service kiosks.
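The two correlation scenarios the article describes (a burst of failed database logins followed by a successful login, access to credit card tables and an upload to an unfamiliar site; and a DBA touching credit card tables off-hours with records leaving for an unknown server) can be expressed as one stateful rule over normalised events. The following is an added illustration written for this page, not QRadar code or IBM's own rule logic; the event schema, the sample records, the allowlist of known destinations and the business-hours range are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real QRadar output): database audit records
# plus outbound flow records, already normalised to one schema.
EVENTS = [
    {"ts": "2012-02-20 02:01:00", "type": "db_login_failed", "user": "dba1", "host": "10.0.0.5"},
    {"ts": "2012-02-20 02:01:10", "type": "db_login_failed", "user": "dba1", "host": "10.0.0.5"},
    {"ts": "2012-02-20 02:01:20", "type": "db_login_failed", "user": "dba1", "host": "10.0.0.5"},
    {"ts": "2012-02-20 02:02:00", "type": "db_login_ok", "user": "dba1", "host": "10.0.0.5"},
    {"ts": "2012-02-20 02:05:00", "type": "db_query", "user": "dba1", "host": "10.0.0.5", "table": "credit_cards"},
    {"ts": "2012-02-20 02:09:00", "type": "flow_out", "host": "10.0.0.5", "dst": "203.0.113.9"},
    {"ts": "2012-02-20 10:00:00", "type": "db_query", "user": "analyst", "host": "10.0.0.7", "table": "orders"},
    {"ts": "2012-02-20 10:01:00", "type": "flow_out", "host": "10.0.0.7", "dst": "10.0.0.20"},
]
SENSITIVE_TABLES = {"credit_cards"}
KNOWN_DESTINATIONS = {"10.0.0.20"}  # assumed allowlist of approved internal/partner servers
FAILED_THRESHOLD, WINDOW = 3, timedelta(minutes=15)

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def correlate(events):
    """Return one alert per host whose recent events chain into the scenario."""
    state, alerts = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        t, host = parse(e["ts"]), e["host"]
        s = state.setdefault(host, {"failed": [], "login_ok": None, "sensitive": None, "user": None})
        if e["type"] == "db_login_failed":
            # keep only failures inside the sliding window
            s["failed"] = [f for f in s["failed"] if t - f <= WINDOW] + [t]
        elif e["type"] == "db_login_ok":
            # a success right after a burst of failures is the first stage
            if len(s["failed"]) >= FAILED_THRESHOLD:
                s["login_ok"], s["user"] = t, e["user"]
        elif e["type"] == "db_query" and e["table"] in SENSITIVE_TABLES:
            s["sensitive"], s["user"] = t, e["user"]
        elif e["type"] == "flow_out" and e["dst"] not in KNOWN_DESTINATIONS:
            stages = []
            if s["login_ok"] and t - s["login_ok"] <= WINDOW:
                stages.append("failed_logins_then_success")
            if s["sensitive"] and t - s["sensitive"] <= WINDOW:
                stages.append("sensitive_table_access")
                if not 7 <= s["sensitive"].hour < 19:  # outside assumed business hours
                    stages.append("off_hours")
            if stages:  # an unknown destination alone is not enough to alert
                alerts.append({"host": host, "user": s["user"], "dst": e["dst"],
                               "stages": stages + ["upload_to_unknown_destination"]})
                state.pop(host)  # reset so the same chain is not reported twice
    return alerts
```

Only the host whose events complete the chain is reported; the analyst's ordinary query and transfer to an allowlisted server produce nothing.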

In addition to the product integrations described above, the 'big data' capabilities for storing and querying massive amounts of security information – whether on standard or virtualised servers – are built into the expanded platform by adding QRadar's XX24 appliance series to the solution. With the QRadar 3124 SIEM appliances, QRadar 1624 Event Processor and QRadar 1724 Flow Processor – which all include 16TB of usable storage and 64GB of RAM – organisations can support more users, claims the manufacturer, with higher performance and greater data storage for deeper analysis of information flows.

Q1 Labs and its QRadar platform were acquired by IBM in October 2011. This latest integration shows that IBM intends to make it a cornerstone of its new Security Systems division.

By Neil Ainger
