Anomaly Detection: The Power of Next-Generation SIEM

I pay too much for my cellphone service. My family burns through our data plan without realizing what’s going on as they browse the net, communicate with friends, stream videos and so on. What I really need is some sort of security information and event management (SIEM) for my cellular service that would alert me when anomalistic behaviors are occurring.

Right now, my carrier sends me a text when 75 percent, 90 percent and 100 percent of my data plan is consumed, which prompts me to review all the usage and find out who did what with 11 GB of data in as little as two weeks. The statistics typically reveal that it’s video streaming, but the connect times are short and occur during all hours of the day and night. It would’ve been great to get the alert that my son’s phone is processing video at 3 a.m. before all the data is used.

Behavioral Analytics Finds Abnormal Behavior

QRadar Security Intelligence performs this sort of anomaly detection — also known as behavioral analytics — in real time as it compares current activity to a moving average baseline used to define normal operations. This is calculated using the accumulated log source event and flow data for associated collections of IP addresses, usernames, workgroups, etc. so it can alert on a wide variety of conditions. Wouldn’t you sleep easier knowing that your IT security team will see the first occurrences of what may be a newly installed botnet agent calling home to a command-and-control (C&C) server? Or how about the first time an unauthorized user accesses a highly valued system?

Read the Ponemon Institute study on the economic benefits of QRadar

The concept of applying behavioral profiling to computer networks isn’t exactly new. It was originally proposed by Dorothy Denning back in her 1987 IEEE paper “An Intrusion-Detection Model,” but IBM Security’s QRadar implementation takes it a step further. Many vendors are only able to look at syslog events and NetFlow information, which only reveal part of the story — like seeing odd cellular data traffic at off hours. QRadar Security Intelligence incorporates Layer 7 or application insights that can quickly discover things like nonstandard protocols running through essentially reserved ports.

How QRadar Can Help

QRadar’s QFlow Collector processors employ deep packet inspection (DPI) to help uncover things like IRC traffic over Port 80, which is typically reserved for HTTP. It can also be used to identify potential data loss through file transfer protocol (FTP) servers transmitting prohibited content, such as audio or video recordings created by commercial studios. It’s like having the additional insight that the cell traffic occurring is video destined for YouTube.

This type of anomaly detection is the next best line of defense once a network’s perimeter has been breached. Today, just about the only thing attackers can’t know about our networks is what’s normal, making their movements more easily discovered when activity deviates. It’s one area you can have an advantage, and anomalies can be defined in several ways.

In addition to the behavioral profiling previously discussed, QRadar can generate alerts and offenses based on all the following: when new hosts and services appear on the network; when existing services stop or crash; when a highly valued server starts using new applications or suddenly starts communicating with assets outside your network; and when the amount of data transferred to an external source exceeds a defined threshold.

QRadar SIEM’s advanced search capabilities can also help security professionals discover low-and-slow attacks occurring over longer time periods than would surface using 30-day exponential smoothing algorithms. QRadar event and flow processor appliances often retain more than 180 days of security data, and their retention periods can easily be doubled or tripled with the addition of QRadar Data Node appliances.

Using SIEM to Improve Overall Security Posture

One of the challenges associated with SIEMs using anomaly detection technology is to know when not to apply this analysis or how to adjust any time intervals to accommodate infrequent and random acts of humans. Anomaly detection also doesn’t help the IT security professional understand the type of attack or define any remediation activities. This is why QRadar Security Intelligence includes both SIEM investigation capabilities for inspecting all the underlying events and flows and QRadar Incident Forensics technology for retrieving and analyzing all associated network packet transfers.

Read the Ponemon Institute’s IBM QRadar Security Intelligence Perception Capture Study

After the second month of paying overage charges on my data plan, my son downloaded the account app and began looking at his data usage. He’s a budding YouTube channel publisher, and there was some background service running that never seemed to quit. Once properly identified, he simply deactivated the app whenever he wasn’t editing or uploading. Immediate value was realized from insights into user and data activity, just as next generation SIEMs are able to deliver.

Share this Article:
Jay Bretzmann

WW Market Segment Manager, IBM Security

Jay Bretzmann currently directs product marketing activities for IBM QRadar Security Intelligence Platform offerings developing product messaging, marketing collaterals, website contents and conducting new product launch efforts. His earlier Software Group experience involved Business Partner marketing activities for Tivoli automation and asset management solutions and the WebSphere portfolio of service-oriented middleware products, specializing in the connectivity offerings. Prior to joining IBM’s Software Group, Jay managed IBM’s modular line of industry standard servers including all rack and tower, Intel- and AMD-based offerings.