August 31, 2015 By Jay Bretzmann 3 min read

I pay too much for my cellphone service. My family burns through our data plan without realizing what’s going on as they browse the net, communicate with friends, stream videos and so on. What I really need is some sort of security information and event management (SIEM) for my cellular service that would alert me when anomalistic behaviors are occurring.

Right now, my carrier sends me a text when 75 percent, 90 percent and 100 percent of my data plan is consumed, which prompts me to review all the usage and find out who did what with 11 GB of data in as little as two weeks. The statistics typically reveal that it’s video streaming, but the connect times are short and occur during all hours of the day and night. It would’ve been great to get the alert that my son’s phone is processing video at 3 a.m. before all the data is used.

Behavioral Analytics Finds Abnormal Behavior

QRadar Security Intelligence performs this sort of anomaly detection — also known as behavioral analytics — in real time as it compares current activity to a moving average baseline used to define normal operations. This is calculated using the accumulated log source event and flow data for associated collections of IP addresses, usernames, workgroups, etc. so it can alert on a wide variety of conditions. Wouldn’t you sleep easier knowing that your IT security team will see the first occurrences of what may be a newly installed botnet agent calling home to a command-and-control (C&C) server? Or how about the first time an unauthorized user accesses a highly valued system?

Read the Ponemon Institute study on the economic benefits of QRadar

The concept of applying behavioral profiling to computer networks isn’t exactly new. It was originally proposed by Dorothy Denning back in her 1987 IEEE paper “An Intrusion-Detection Model,” but IBM Security’s QRadar implementation takes it a step further. Many vendors are only able to look at syslog events and NetFlow information, which only reveal part of the story — like seeing odd cellular data traffic at off hours. QRadar Security Intelligence incorporates Layer 7 or application insights that can quickly discover things like nonstandard protocols running through essentially reserved ports.

How QRadar Can Help

QRadar’s QFlow Collector processors employ deep packet inspection (DPI) to help uncover things like IRC traffic over Port 80, which is typically reserved for HTTP. It can also be used to identify potential data loss through file transfer protocol (FTP) servers transmitting prohibited content, such as audio or video recordings created by commercial studios. It’s like having the additional insight that the cell traffic occurring is video destined for YouTube.

This type of anomaly detection is the next best line of defense once a network’s perimeter has been breached. Today, just about the only thing attackers can’t know about our networks is what’s normal, making their movements more easily discovered when activity deviates. It’s one area you can have an advantage, and anomalies can be defined in several ways.

In addition to the behavioral profiling previously discussed, QRadar can generate alerts and offenses based on all the following: when new hosts and services appear on the network; when existing services stop or crash; when a highly valued server starts using new applications or suddenly starts communicating with assets outside your network; and when the amount of data transferred to an external source exceeds a defined threshold.

QRadar SIEM’s advanced search capabilities can also help security professionals discover low-and-slow attacks occurring over longer time periods than would surface using 30-day exponential smoothing algorithms. QRadar event and flow processor appliances often retain more than 180 days of security data, and their retention periods can easily be doubled or tripled with the addition of QRadar Data Node appliances.

Using SIEM to Improve Overall Security Posture

One of the challenges associated with SIEMs using anomaly detection technology is to know when not to apply this analysis or how to adjust any time intervals to accommodate infrequent and random acts of humans. Anomaly detection also doesn’t help the IT security professional understand the type of attack or define any remediation activities. This is why QRadar Security Intelligence includes both SIEM investigation capabilities for inspecting all the underlying events and flows and QRadar Incident Forensics technology for retrieving and analyzing all associated network packet transfers.

Read the Ponemon Institute’s IBM QRadar Security Intelligence Perception Capture Study

After the second month of paying overage charges on my data plan, my son downloaded the account app and began looking at his data usage. He’s a budding YouTube channel publisher, and there was some background service running that never seemed to quit. Once properly identified, he simply deactivated the app whenever he wasn’t editing or uploading. Immediate value was realized from insights into user and data activity, just as next generation SIEMs are able to deliver.

More from Intelligence & Analytics

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today