There are a lot of different assets in an enterprise network that can relay security event information. Collecting all that information and understanding what it means is what IBM's QRadar Security Intelligence Platform is all about.
IBM (NYSE: IBM) acquired Q1 Labs in October of 2011 and has since been forming its newly assembled IBM Security Systems division around the Q1 assets. QRadar is the flagship product from Q1 Labs.
"We've brought all of IBM's security products together into one division with a single CTO, sales force, and technical services support people," Phil Neray, VP of Security Intelligence Strategy at IBM Security Systems, told InternetNews.com.
The QRadar platform is what is known in the industry as SIEM (Security Information and Event Management) technology. It is able to take log and data inputs from multiple sources to help inform and alert enterprise IT managers about potential security issues and risks.
As part of the new release, IBM is extending what Q1 Labs had before to deliver deeper integration with a number of IBM technologies and services. At the top of the list is integrated threat intelligence from the IBM X-Force threat feed. The X-Force actively tracks security vulnerabilities and has been particularly strong at identifying issues that haven't been patched. For example, a 2011 report from the X-Force found that 44 percent of all security vulnerabilities did not have a vendor-supplied patch by the end of 2010.
With the inclusion of the X-Force data feed, QRadar users will be able to create actionable rules for their network around the threat intelligence.
"We're taking information from one product and combining it using rules to give people better context into what is going on," Neray said.
In addition to the X-Force data, QRadar will be integrating database security information from IBM's Guardium security solution. IBM acquired Guardium back in 2009 for $225 million. Guardium monitors database activity, looking for unauthorized or suspicious activity at the database tier.
"So if IBM Guardium detected an administrator accessing credit card tables, which typically they wouldn't have reason to do from a business perspective, IBM Guardium would notice that activity and create an alert," Neray explained. "That alert can then be sent to QRadar, that would combine the information with other information it has, including the X-Force information."
Additionally, IBM is integrating QRadar with its identity and access management solutions. As such, user activity can be correlated with the user's role within the enterprise. Unauthorized access events can also be monitored by way of QRadar and correlated with other threat information to help assess risk and generate alerts.
Going even deeper into application code, IBM is providing QRadar integration with its AppScan portfolio for application analysis. Neray noted that AppScan is often able to identify vulnerabilities that an enterprise is unable to patch immediately. In the meantime, those same enterprises want to know if anyone is trying to exploit those known, but unpatched, vulnerabilities in their applications. Neray explained that with the QRadar integration a rule can be set up to identify whether those vulnerabilities are being attacked.
The final piece of the QRadar IBM integration is with the IBM Endpoint Manager technology. The Endpoint Manager came from IBM's acquisition of security vendor BigFix in 2010. The first IBM branded BigFix solution debuted as the Tivoli Endpoint Manager in early 2011.
The Endpoint Manager keeps track of endpoints to make sure they are up to date with the latest patches. With the QRadar integration, if, for example, a Windows PC was missing a patch and QRadar detected that someone was trying to exploit a vulnerability related to the missing patch, it could correlate that information and provide an alert.
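The correlation described in the AppScan and Endpoint Manager paragraphs, as an added example that is not IBM's or QRadar's own code: an exploit attempt only becomes a high-severity alert when the targeted host is known to still lack the patch for that vulnerability. All host names, patch and vulnerability identifiers and addresses are constructed placeholders.

```python
"""Toy SIEM-style correlation of exploit attempts with missing-patch data.
Constructed example: every identifier below is a placeholder, not a real one."""

# Constructed endpoint-manager inventory: host -> set of patch IDs still missing.
MISSING_PATCHES = {
    "ws-017": {"PATCH-A"},
    "ws-042": set(),          # fully patched
}

# Constructed link from a vulnerability identifier to the patch that fixes it
# (the kind of mapping a threat feed or application scanner would provide).
VULN_TO_PATCH = {
    "VULN-1": "PATCH-A",
    "VULN-2": "PATCH-B",
}

# Constructed detection events: an attempt to exploit a vulnerability on a host.
EVENTS = [
    {"host": "ws-017", "vuln": "VULN-1", "src": "203.0.113.5"},
    {"host": "ws-042", "vuln": "VULN-1", "src": "203.0.113.5"},
    {"host": "ws-017", "vuln": "VULN-2", "src": "198.51.100.9"},
    {"host": "db-001", "vuln": "VULN-1", "src": "203.0.113.5"},
]


def correlate(events, missing_patches, vuln_to_patch):
    """Return (alerts, unknown_hosts).

    An alert fires only when the attacked host still lacks the patch for the
    targeted vulnerability. Attempts against hosts that already have the patch
    produce no alert; hosts absent from the inventory are reported separately,
    because their exposure cannot be judged and the gap itself needs follow-up."""
    alerts, unknown_hosts = [], set()
    for ev in events:
        host = ev["host"]
        if host not in missing_patches:
            unknown_hosts.add(host)
            continue
        patch = vuln_to_patch.get(ev["vuln"])
        if patch is not None and patch in missing_patches[host]:
            alerts.append({"host": host, "vuln": ev["vuln"], "src": ev["src"],
                           "severity": "high", "reason": f"missing {patch}"})
    return alerts, unknown_hosts
```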
"Essentially what we've done is taken all these different data sources and integrated them into QRadar in a way that gives organizations a more comprehensive view into their security posture," Neray said. "It also lets them detect targeted attacks much faster."
QRadar is now available for both hardware-based and virtual appliances. For hardware appliances, IBM is using Linux as the bare metal operating system on which QRadar runs.
IBM isn't the only big vendor that is aiming to consolidate SIEM into its larger security efforts. HP has made moves in the area as well with its acquisition of SIEM vendor ArcSight in 2010 for $1.5 billion.