Over the course of the last several years, IBM has refocused its security efforts around the idea of data and in particular the power of the QRadar SIEM (Security Information and Event Management) platform.
The idea behind QRadar is that by collecting data from the enterprise, information can be correlated to provide better security. IBM is expanding that idea with the use of unstructured Big Data. The IBM InfoSphere BigInsights solution, which is IBM's optimized version of Hadoop, is being paired with QRadar to form the IBM Security Intelligence with Big Data solution.
Kevin Skapinetz, program director of Product Strategy at IBM Security Systems, explained to eSecurity Planet that the combined solution is all about looking for patterns that are hidden in large volumes of data.
"We're combining the best of real time analytics with an exploratory approach so you can literally squeeze every last drip of information about attacks from your data," Skapinetz said.https://o1.qnsr.com/log/p.gif?;n=203;c=204660770;s=9477;x=7936;f=201812281321530;u=j;z=TIMESTAMP;a=20396194;e=i
QRadar on its own was able to obtain, process and correlate large volumes of data. Skapinetz said the addition of InfoSphere BigInsights goes a step further to analyze unstructured data. One example he cited is DNS (domain name system) data analysis that traditionally is not ingested by SIEM due to its high volume.
"With this solution you could store all that DNS data and interrogate it," Skapinetz said.
That data interrogation could potentially lead to attack discovery information. Additionally text analytics can be used with BigInsights to review multiple years' worth of data to find patterns. With BigInsights, different types of machine learning algorithms can be written to spot very customized types of attacks and malicious outliers, Skapinetz said.
Constructing Big Data queries isn't always an easy task, which is another challenge that IBM is tackling. Skapinetz explained that BigInsights employs a user-friendly user interface that provides a spreadsheet-like approach for building analytical queries.
IBM is addressing the issue of query speed as well. Running Hadoop MapReduce jobs traditionally involves scheduling long-running batch processes. The BigInsights tool uses a capability called Adaptive MapReduce that reduces processing time.
Though IBM is marketing the technology as the IBM Security Intelligence with Big Data solution, it is being sold as two separate products without an integrated dashboard. However, Skapinetz noted that data can be passed back and forth from QRadar to BigInsights.
The addition of Big Data is enabling IBM to emphasize a more proactive security approach, Skapinetz said.
"Traditional defensive tools are not enough," he said. "We're now seeing people hunt for attackers, instead of thinking like defenders and just building bigger walls."